Bug#782146: unblock: mailman/1:2.1.18-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mailman.
The diff is a security fix for CVE-2015-2775.
unblock mailman/1:2.1.18-2
Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog
--- mailman-2.1.18/debian/changelog 2014-07-10 18:01:59.000000000 +0000
+++ mailman-2.1.18/debian/changelog 2015-04-06 15:37:32.000000000 +0000
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+ * Fix security issue: path traversal through local_part.
+ Affects installations which use an Exim or Postfix transport
+ instead of fixed aliases; attacker needs to be able to place
+ files on the local filesystem.
+ (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <thijs@debian.org> Mon, 06 Apr 2015 15:36:15 +0000
+
mailman (1:2.1.18-1) unstable; urgency=medium
* New upstream release.
diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config
--- mailman-2.1.18/debian/config 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/config 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $
# $Id: config 693 2011-10-08 15:30:38Z thijs $
. /usr/share/debconf/confmodule
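Review bot: the only change in this hunk is the `$URL:` keyword path (`svn/svn/pkg-mailman` becomes `svn/pkg-mailman`), a comment-only cleanup that has nothing to do with the CVE-2015-2775 fix; the identical keyword edit recurs in the postinst, postrm, preinst.in, prerm and templates hunks below. It is harmless at runtime, but for a freeze unblock it would help the release team to state in the request that the diff also carries these unrelated cosmetic hunks, so they can be told apart from the security change at a glance.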
diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control
--- mailman-2.1.18/debian/control 2014-07-10 18:19:25.000000000 +0000
+++ mailman-2.1.18/debian/control 2015-04-06 15:30:32.000000000 +0000
@@ -4,7 +4,6 @@
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Uploaders: Lionel Elie Mamane <lmamane@debian.org>,
Thijs Kinkhorst <thijs@debian.org>,
- Thorsten Glaser <tg@mirbsd.de>,
Hector Garcia <hector@debian.org>
Build-Depends: debhelper (>= 7), autoconf, python-dev (>= 2.6.6-3~), gettext, python-dnspython
Standards-Version: 3.9.5
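Review bot: removing Thorsten Glaser from Uploaders is a maintainer-metadata change that is neither part of the security fix nor mentioned in the changelog entry above. Either add a changelog line documenting it or defer it to a later upload, so the unblock diff contains only the CVE-2015-2775 change it is requested for.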
diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch
--- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 1970-01-01 00:00:00.000000000 +0000
+++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 2015-04-06 15:44:18.000000000 +0000
@@ -0,0 +1,34 @@
+From: Mark Sapiro <mark@msapiro.net>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+
+ # A Python regular expression character class which defines the characters
+ # allowed in list names. Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class. Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+
+
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
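Review bot: the new guard in the Utils.py part of this patch (`if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:`) is only as strong as the site's configured character class; the Defaults.py.in comment asks admins not to include '/' in it, but nothing enforces that, so a site that widened the class (for instance to permit uppercase) and slipped '/' in would reopen the traversal. Consider an unconditional rejection of `os.sep` (and a '..' component) in `list_exists` alongside the configurable check, or verify that `Site.get_listpath(listname)` normalises to a path beneath the list directory. Three smaller points: the default class is lowercase-only, so any caller passing a mixed-case list name will now be logged as `Hostile listname` and get `False`, which is worth confirming against the callers; the hunk uses `re` and `syslog` but the context does not show them being imported in Utils.py, so check they already are; and the `Origin:` URL ending in `/p` looks truncated, so the patch header should carry the full upstream location. On the positive side, the `mischief` syslog entry gives operators a clear detection hook for attempted traversal.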
diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series
--- mailman-2.1.18/debian/patches/series 2014-07-10 17:59:41.000000000 +0000
+++ mailman-2.1.18/debian/patches/series 2015-04-06 15:36:11.000000000 +0000
@@ -10,3 +10,4 @@
79_archiver_slash.patch
90_gettext_errors.patch
91_utf8.patch
+92_CVE-2015-2775.patch
diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst
--- mailman-2.1.18/debian/postinst 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postinst 2015-04-06 15:30:32.000000000 +0000
@@ -7,7 +7,7 @@
# Other modifications 2004-2007 by other maintainers of the Debian package:
# Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ...
#
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $
# $Id: postinst 693 2011-10-08 15:30:38Z thijs $
#
. /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/postrm mailman-2.1.18/debian/postrm
--- mailman-2.1.18/debian/postrm 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postrm 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postrm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postrm $
# $Id: postrm 600 2009-01-08 20:54:48Z thijs $
#DEBHELPER#
diff -Nru mailman-2.1.18/debian/preinst.in mailman-2.1.18/debian/preinst.in
--- mailman-2.1.18/debian/preinst.in 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/preinst.in 2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
#!/bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/preinst.in $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/preinst.in $
# $Id: preinst.in 704 2012-03-18 13:14:40Z thijs $
. /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/prerm mailman-2.1.18/debian/prerm
--- mailman-2.1.18/debian/prerm 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/prerm 2015-04-06 15:30:32.000000000 +0000
@@ -3,7 +3,7 @@
# prerm script for Debian python packages.
# Written 1998 by Gregor Hoffleit <flight@debian.org>.
#
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/prerm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/prerm $
# $Id: prerm 421 2006-10-08 12:50:00Z giskard-guest $
if [ "$1" = "failed-upgrade" ] ; then
diff -Nru mailman-2.1.18/debian/templates mailman-2.1.18/debian/templates
--- mailman-2.1.18/debian/templates 2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/templates 2015-04-06 15:30:33.000000000 +0000
@@ -1,4 +1,4 @@
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/templates $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/templates $
# $Id: templates 693 2011-10-08 15:30:38Z thijs $
Template: mailman/site_languages
Type: multiselect