
Bug#782146: marked as done (unblock: mailman/1:2.1.18-2)



Your message dated Wed, 08 Apr 2015 16:58:17 +0200
with message-id <55254209.6030701@thykier.net>
and subject line Re: Bug#782146: unblock: mailman/1:2.1.18-2
has caused the Debian Bug report #782146,
regarding unblock: mailman/1:2.1.18-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mailman.

The diff is a security fix for CVE-2015-2775.

unblock mailman/1:2.1.18-2


Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog
--- mailman-2.1.18/debian/changelog	2014-07-10 18:01:59.000000000 +0000
+++ mailman-2.1.18/debian/changelog	2015-04-06 15:37:32.000000000 +0000
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+  * Fix security issue: path traversal through local_part.
+    Affects installations which use an Exim or Postfix transport
+    instead of fixed aliases; attacker needs to be able to place
+    files on the local filesystem.
+    (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Mon, 06 Apr 2015 15:36:15 +0000
+
 mailman (1:2.1.18-1) unstable; urgency=medium
 
   * New upstream release.
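Review bot: the 1:2.1.18-2 entry documents only the CVE-2015-2775 fix, but the same debdiff also removes an Uploaders line in debian/control and rewrites the $URL keyword in debian/config, postinst, postrm, preinst.in, prerm and templates. For an upload that is being reviewed for an unblock, each of those should either get its own changelog line or be left out, so that the reviewed diff matches what the entry claims.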
diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config
--- mailman-2.1.18/debian/config	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/config	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $
 # $Id: config 693 2011-10-08 15:30:38Z thijs $
 
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control
--- mailman-2.1.18/debian/control	2014-07-10 18:19:25.000000000 +0000
+++ mailman-2.1.18/debian/control	2015-04-06 15:30:32.000000000 +0000
@@ -4,7 +4,6 @@
 Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
 Uploaders: Lionel Elie Mamane <lmamane@debian.org>,
  Thijs Kinkhorst <thijs@debian.org>,
- Thorsten Glaser <tg@mirbsd.de>,
  Hector Garcia <hector@debian.org>
 Build-Depends: debhelper (>= 7), autoconf, python-dev (>= 2.6.6-3~), gettext, python-dnspython
 Standards-Version: 3.9.5
diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch
--- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	1970-01-01 00:00:00.000000000 +0000
+++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	2015-04-06 15:44:18.000000000 +0000
@@ -0,0 +1,34 @@
+From: Mark Sapiro <mark@msapiro.net>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in	2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+ 
+ # A Python regular expression character class which defines the characters
+ # allowed in list names.  Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class.  Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+ 
+ 
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py	2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)
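Review bot: in the Utils.py part of this patch, the new guard is only as strict as mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, which is a configurable setting, and the only thing keeping '/' out of it is the comment added in Defaults.py.in. Consider rejecting any listname that contains os.sep directly in the code, independent of configuration, and also the bare names '.' and '..', since '.' is in the default class and such a name leaves an empty string after re.sub. The syslog call writes listname verbatim with %s; formatting it with %r would keep control characters in a hostile name from breaking up the 'mischief' log entry.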
diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series
--- mailman-2.1.18/debian/patches/series	2014-07-10 17:59:41.000000000 +0000
+++ mailman-2.1.18/debian/patches/series	2015-04-06 15:36:11.000000000 +0000
@@ -10,3 +10,4 @@
 79_archiver_slash.patch
 90_gettext_errors.patch
 91_utf8.patch
+92_CVE-2015-2775.patch
diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst
--- mailman-2.1.18/debian/postinst	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postinst	2015-04-06 15:30:32.000000000 +0000
@@ -7,7 +7,7 @@
 # Other modifications 2004-2007 by other maintainers of the Debian package:
 #      Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ...
 #
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $
 # $Id: postinst 693 2011-10-08 15:30:38Z thijs $
 #
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/postrm mailman-2.1.18/debian/postrm
--- mailman-2.1.18/debian/postrm	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postrm	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postrm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postrm $
 # $Id: postrm 600 2009-01-08 20:54:48Z thijs $
 
 #DEBHELPER#
diff -Nru mailman-2.1.18/debian/preinst.in mailman-2.1.18/debian/preinst.in
--- mailman-2.1.18/debian/preinst.in	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/preinst.in	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #!/bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/preinst.in $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/preinst.in $
 # $Id: preinst.in 704 2012-03-18 13:14:40Z thijs $
 
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/prerm mailman-2.1.18/debian/prerm
--- mailman-2.1.18/debian/prerm	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/prerm	2015-04-06 15:30:32.000000000 +0000
@@ -3,7 +3,7 @@
 # prerm script for Debian python packages.
 # Written 1998 by Gregor Hoffleit <flight@debian.org>.
 #
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/prerm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/prerm $
 # $Id: prerm 421 2006-10-08 12:50:00Z giskard-guest $
 
 if [ "$1" = "failed-upgrade" ] ; then
diff -Nru mailman-2.1.18/debian/templates mailman-2.1.18/debian/templates
--- mailman-2.1.18/debian/templates	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/templates	2015-04-06 15:30:33.000000000 +0000
@@ -1,4 +1,4 @@
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/templates $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/templates $
 # $Id: templates 693 2011-10-08 15:30:38Z thijs $
 Template: mailman/site_languages
 Type: multiselect

--- End Message ---
--- Begin Message ---
On 2015-04-08 15:02, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package mailman.
> 
> The diff is a security fix for CVE-2015-2775.
> 
> unblock mailman/1:2.1.18-2
> 
> 
> Thanks,
> Thijs
> 

Unblocked, thanks.

~Niels

--- End Message ---
