Bug#907899: stretch-pu: package mailman/1:2.1.23-1+deb9u4
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
Mailman in stretch is affected by the minor issue CVE-2018-13796,
which allows injecting text into the "No such list" error response. See
https://bugs.launchpad.net/mailman/+bug/1780874 . This won't warrant a
DSA.
debian/changelog entry:
> mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
>
> * Non-maintainer upload.
> * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
> (Closes: #903674)
>
> -- Salvatore Bonaccorso <carnil@debian.org> Mon, 03 Sep 2018 22:00:38 +0200
and the full debdiff is attached, against the 1:2.1.23-1+deb9u3 version.
The issue has been tested in a container instance with the hint given by
https://bugs.launchpad.net/mailman/+bug/1780874 .
Regards,
Salvatore
diff -Nru mailman-2.1.23/debian/changelog mailman-2.1.23/debian/changelog
--- mailman-2.1.23/debian/changelog 2018-07-14 23:26:09.000000000 +0200
+++ mailman-2.1.23/debian/changelog 2018-09-03 22:00:38.000000000 +0200
@@ -1,3 +1,11 @@
+mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
+ (Closes: #903674)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 03 Sep 2018 22:00:38 +0200
+
mailman (1:2.1.23-1+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch
--- mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 2018-09-03 22:00:38.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Arbitrary text injection vulnerability in Mailman CGIs
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt
+Bug: https://bugs.launchpad.net/mailman/+bug/1780874
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13796
+Bug-Debian: https://bugs.debian.org/903674
+Forwarded: not-needed
+Author: Mark Sapiro <mark@msapiro.net>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-07-25
+Applied-Upstream: 2.1.29
+
+=== modified file 'Mailman/Utils.py'
+--- a/Mailman/Utils.py 2018-07-11 06:52:22 +0000
++++ b/Mailman/Utils.py 2018-07-24 21:48:54 +0000
+@@ -280,17 +280,28 @@
+ def GetPathPieces(envar='PATH_INFO'):
+ path = os.environ.get(envar)
+ if path:
++ remote = os.environ.get('HTTP_FORWARDED_FOR',
++ os.environ.get('HTTP_X_FORWARDED_FOR',
++ os.environ.get('REMOTE_ADDR',
++ 'unidentified origin')))
+ if CRNLpat.search(path):
+ path = CRNLpat.split(path)[0]
+- remote = os.environ.get('HTTP_FORWARDED_FOR',
+- os.environ.get('HTTP_X_FORWARDED_FOR',
+- os.environ.get('REMOTE_ADDR',
+- 'unidentified origin')))
+ syslog('error',
+ 'Warning: Possible malformed path attack domain=%s remote=%s',
+ get_domain(),
+ remote)
+- return [p for p in path.split('/') if p]
++ # Check for listname injections that won't be websafed.
++ pieces = [p for p in path.split('/') if p]
++ # Get the longest listname or 20 if none.
++ if list_names():
++ longest = max([len(x) for x in list_names()])
++ else:
++ longest = 20
++ if pieces and len(pieces[0]) > longest:
++ syslog('mischief',
++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
++ pieces[0] = pieces[0][:longest] + '...'
++ return pieces
+ return None
+
+
+
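Review bot: the truncation in the second hunk of Utils.py bounds the injected text but does not remove it: whatever fits within `longest` characters (20 when `list_names()` is empty, otherwise the length of the longest hosted list name) is still passed through as `pieces[0]` and, per the description, is not websafed when the "No such list" page echoes it. This is a length cap rather than escaping; if the page that renders the listname cannot be changed in this upload, the commit message or the patch Description should say that the fix only limits, not prevents, the injection. Two smaller points: `list_names()` is evaluated twice (`if list_names():` followed by `max([len(x) for x in list_names()])`), which scans the lists directory twice per CGI request; bind it once, e.g. `names = list_names()` and then `longest = max(len(x) for x in names) if names else 20`. And `remote`, now computed up front and reused in the new 'mischief' log line, is taken from HTTP_FORWARDED_FOR / HTTP_X_FORWARDED_FOR before REMOTE_ADDR, so the "remote=" field in both log lines is client-controlled text unless a trusted proxy sets those headers.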
diff -Nru mailman-2.1.23/debian/patches/series mailman-2.1.23/debian/patches/series
--- mailman-2.1.23/debian/patches/series 2018-07-14 23:26:09.000000000 +0200
+++ mailman-2.1.23/debian/patches/series 2018-09-03 22:00:38.000000000 +0200
@@ -12,3 +12,4 @@
91_utf8.patch
92_CVE-2018-5950.patch
93_CVE-2018-0618.patch
+94_CVE-2018-13796.patch
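To make the behaviour described in the cover letter concrete, the following is an added example (not Mailman's code and not part of the bug report) that reimplements the hardened PATH_INFO handling of the patch in Python 3 over a plain dict instead of os.environ. Mailman's `list_names()` is replaced by a constructed list of hosted names, `syslog()` by a list that collects `(facility, message)` records, and `get_domain()` is omitted from the log line; all three are assumptions for the sake of a self-contained run. The point it shows is the one the patch relies on: a path component longer than any real list name is logged and cut to the longest list-name length plus "...", so the text that later reaches the "No such list" response is bounded, while CR/LF in the path is still stripped as before.

```python
import re

# Constructed stand-in for the site's hosted lists (Mailman's list_names()).
KNOWN_LISTS = ["announce", "dev", "users-discussion"]

# Equivalent of Mailman's CRNLpat: CR or LF in the path is treated as an
# attempted header/path injection and everything after it is dropped.
CRNLPAT = re.compile(r"[\r\n]")


def get_path_pieces(environ, list_names=None, log=None):
    """Split PATH_INFO into path pieces the way the patched GetPathPieces does.

    environ    -- dict standing in for os.environ (PATH_INFO, REMOTE_ADDR, ...)
    list_names -- callable returning hosted list names (constructed stand-in)
    log        -- list receiving (facility, message) tuples instead of syslog()
    Returns the list of pieces, or None when PATH_INFO is unset or empty.
    """
    if list_names is None:
        list_names = lambda: KNOWN_LISTS
    if log is None:
        log = []
    path = environ.get("PATH_INFO")
    if not path:
        return None
    # Same resolution order as the original: proxy headers first, then the
    # socket peer. Note the first two are client-supplied unless a trusted
    # proxy overwrites them.
    remote = environ.get("HTTP_FORWARDED_FOR",
             environ.get("HTTP_X_FORWARDED_FOR",
             environ.get("REMOTE_ADDR", "unidentified origin")))
    if CRNLPAT.search(path):
        path = CRNLPAT.split(path)[0]
        log.append(("error",
                    "Warning: Possible malformed path attack remote=%s" % remote))
    pieces = [p for p in path.split("/") if p]
    # Longest hosted list name, or 20 if the site has no lists yet.
    names = list_names()
    longest = max(len(n) for n in names) if names else 20
    if pieces and len(pieces[0]) > longest:
        log.append(("mischief",
                    "Hostile listname: listname=%s: remote=%s" % (pieces[0], remote)))
        pieces[0] = pieces[0][:longest] + "..."
    return pieces


if __name__ == "__main__":
    records = []
    # Constructed request: an attacker uses the listname slot to plant a message.
    env = {"PATH_INFO": "/Your account has been compromised, call 555-0100 now/",
           "REMOTE_ADDR": "198.51.100.7"}
    print(get_path_pieces(env, log=records))
    print(records)
```

Run it as a script to see the truncated listname and the 'mischief' record; the longest constructed list name is 16 characters, so only the first 16 characters of the injected text survive, followed by "...". Swapping `list_names=lambda: []` raises the cap to 20, the fallback the patch uses on a site with no lists.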