
Bug#989199: unblock: hyperkitty/1.3.4-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package hyperkitty

[ Reason ]
hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
private archives stay private during import). The patch is really simple and
straightforward.

I'd suggest unblocking hyperkitty 1.3.4-4 right away rather than waiting for
the 20-day period until it auto-migrates (due to autopkgtests).

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock hyperkitty/1.3.4-4

Here's the full changelog for hyperkitty 1.3.4-4:

> hyperkitty (1.3.4-4) unstable; urgency=high
> 
>   * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
>     archives stay private during import (CVE-2021-33038). (Closes: #989183)
> 
>  -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200

Kind regards
 jonas
diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
--- hyperkitty-1.3.4/debian/changelog	2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/changelog	2021-05-28 11:00:26.000000000 +0200
@@ -1,3 +1,10 @@
+hyperkitty (1.3.4-4) unstable; urgency=high
+
+  * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
+    archives stay private during import (CVE-2021-33038). (Closes: #989183)
+
+ -- Jonas Meurer <jonas@freesources.org>  Fri, 28 May 2021 11:00:26 +0200
+
 hyperkitty (1.3.4-3) unstable; urgency=high
 
   * d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
diff -Nru hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
--- hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	1970-01-01 01:00:00.000000000 +0100
+++ hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch	2021-05-28 11:00:26.000000000 +0200
@@ -0,0 +1,47 @@
+From: Kunal Mehta <legoktm@debian.org>
+Date: Thu, 6 May 2021 14:15:03 -0700
+Subject: Ensure private archives stay private during import (CVE-2021-33038)
+
+hyperkitty keeps state of whether a mailing list's archives should be
+public or private in the hyperkitty_mailinglist table. However during
+the import process, it would create a row using the default settings
+(archive_policy="public") instead of getting the correct values from
+Mailman. It would only sync with Mailman at the end of the import
+process.
+
+This patch explicitly creates the hyperkitty_mailinglist row/object at
+the beginning of the import process, so the visiblity will be correctly
+obtained from Mailman, before any messages can be accidentally leaked.
+
+Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
+Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
+Bug-Debian: http://bugs.debian.org/989183
+---
+ hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index 7764fa8..f9532e4 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+ 
+ 
+ # Allow all wierd line endings.
+@@ -319,6 +319,11 @@ class Command(BaseCommand):
+         # if (settings.DATABASES["default"]["ENGINE"]
+         #     != "django.db.backends.sqlite3":
+         #     transaction.set_autocommit(False)
++        # Sync list settings with Mailman before importing messages:
++        if not options["no_sync_mailman"]:
++            mlist = MailingList.objects.get_or_create(name=list_address)[0]
++            mlist.update_from_mailman()
++            mlist.save()
+         settings.HYPERKITTY_BATCH_MODE = True
+         # Only import emails newer than the latest email in the DB
+         latest_email_date = Email.objects.filter(
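Review bot: the new sync block in the second inner hunk is guarded by `if not options["no_sync_mailman"]:`, so an import run with `--no-sync-mailman` skips it entirely and falls back to the pre-patch behaviour the commit message describes (the `hyperkitty_mailinglist` row created later with the default `archive_policy="public"`), meaning the private-archive leak this patch closes is still reachable on that code path. Consider creating the row before the `if` and only skipping the `update_from_mailman()` call, or stating in the patch description and d/changelog that `--no-sync-mailman` must not be used when importing private lists. Also, whether `mlist.update_from_mailman()` raises or returns silently when the Mailman REST API is unreachable is not visible in this hunk; if it returns silently, `mlist.save()` persists whatever defaults `get_or_create` applied, so the fail-safe property of the fix depends on that method's error handling and is worth a sentence in the description.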
diff -Nru hyperkitty-1.3.4/debian/patches/series hyperkitty-1.3.4/debian/patches/series
--- hyperkitty-1.3.4/debian/patches/series	2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/patches/series	2021-05-28 11:00:26.000000000 +0200
@@ -2,3 +2,4 @@
 0002_Use_python3_by_default.patch
 0003-run-sassc-at-build-time.patch
 0004_remove_link_to_google_fonts.patch
+0005_ensure_private_archives_during_import.patch
