Bug#989199: unblock: hyperkitty/1.3.4-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package hyperkitty
[ Reason ]
hyperkitty 1.3.4-4 ships a fix for the security bug CVE-2021-33038 (ensure
private archives stay private during import). The patch is really simple and
straightforward.
I'd suggest unblocking hyperkitty 1.3.4-4 right away and not waiting for the
20-day period until it auto-migrates (due to autopkgtests).
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock hyperkitty/1.3.4-4
Here's the full changelog for hyperkitty 1.3.4-4:
> hyperkitty (1.3.4-4) unstable; urgency=high
>
> * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
> archives stay private during import (CVE-2021-33038). (Closes: #989183)
>
> -- Jonas Meurer <jonas@freesources.org> Fri, 28 May 2021 11:00:26 +0200
Kind regards
jonas
diff -Nru hyperkitty-1.3.4/debian/changelog hyperkitty-1.3.4/debian/changelog
--- hyperkitty-1.3.4/debian/changelog 2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/changelog 2021-05-28 11:00:26.000000000 +0200
@@ -1,3 +1,10 @@
+hyperkitty (1.3.4-4) unstable; urgency=high
+
+ * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
+ archives stay private during import (CVE-2021-33038). (Closes: #989183)
+
+ -- Jonas Meurer <jonas@freesources.org> Fri, 28 May 2021 11:00:26 +0200
+
hyperkitty (1.3.4-3) unstable; urgency=high
* d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
diff -Nru hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch
--- hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch 1970-01-01 01:00:00.000000000 +0100
+++ hyperkitty-1.3.4/debian/patches/0005_ensure_private_archives_during_import.patch 2021-05-28 11:00:26.000000000 +0200
@@ -0,0 +1,47 @@
+From: Kunal Mehta <legoktm@debian.org>
+Date: Thu, 6 May 2021 14:15:03 -0700
+Subject: Ensure private archives stay private during import (CVE-2021-33038)
+
+hyperkitty keeps state of whether a mailing list's archives should be
+public or private in the hyperkitty_mailinglist table. However during
+the import process, it would create a row using the default settings
+(archive_policy="public") instead of getting the correct values from
+Mailman. It would only sync with Mailman at the end of the import
+process.
+
+This patch explicitly creates the hyperkitty_mailinglist row/object at
+the beginning of the import process, so the visiblity will be correctly
+obtained from Mailman, before any messages can be accidentally leaked.
+
+Origin: upstream, https://gitlab.com/mailman/hyperkitty/-/merge_requests/351
+Bug: https://gitlab.com/mailman/hyperkitty/-/issues/380
+Bug-Debian: http://bugs.debian.org/989183
+---
+ hyperkitty/management/commands/hyperkitty_import.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hyperkitty/management/commands/hyperkitty_import.py b/hyperkitty/management/commands/hyperkitty_import.py
+index 7764fa8..f9532e4 100644
+--- a/hyperkitty/management/commands/hyperkitty_import.py
++++ b/hyperkitty/management/commands/hyperkitty_import.py
+@@ -48,7 +48,7 @@ from hyperkitty.lib.incoming import DuplicateMessage, add_to_list
+ from hyperkitty.lib.mailman import sync_with_mailman
+ from hyperkitty.lib.utils import get_message_id
+ from hyperkitty.management.utils import setup_logging
+-from hyperkitty.models import Email, Thread
++from hyperkitty.models import Email, MailingList, Thread
+
+
+ # Allow all wierd line endings.
+@@ -319,6 +319,11 @@ class Command(BaseCommand):
+ # if (settings.DATABASES["default"]["ENGINE"]
+ # != "django.db.backends.sqlite3":
+ # transaction.set_autocommit(False)
++ # Sync list settings with Mailman before importing messages:
++ if not options["no_sync_mailman"]:
++ mlist = MailingList.objects.get_or_create(name=list_address)[0]
++ mlist.update_from_mailman()
++ mlist.save()
+ settings.HYPERKITTY_BATCH_MODE = True
+ # Only import emails newer than the latest email in the DB
+ latest_email_date = Email.objects.filter(
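Review bot: the new pre-import sync in the `@@ -319,6 +319,11 @@` hunk is skipped entirely when the command is run with `no_sync_mailman`, so on that path the `hyperkitty_mailinglist` row is still created later with the default `archive_policy="public"` described in the patch header and the CVE-2021-33038 leak window remains; consider creating the row unconditionally and either defaulting it to private or refusing to import when Mailman is not consulted, and document that in the option's help text. There is also no error handling around `mlist.update_from_mailman()`: if it raises (for example because Mailman cannot be reached), the exception propagates out before `settings.HYPERKITTY_BATCH_MODE = True` is set, which is the safe failure direction but worth stating in the patch description. Minor: "visiblity" in the patch description should read "visibility".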
diff -Nru hyperkitty-1.3.4/debian/patches/series hyperkitty-1.3.4/debian/patches/series
--- hyperkitty-1.3.4/debian/patches/series 2021-04-29 11:55:45.000000000 +0200
+++ hyperkitty-1.3.4/debian/patches/series 2021-05-28 11:00:26.000000000 +0200
@@ -2,3 +2,4 @@
0002_Use_python3_by_default.patch
0003-run-sassc-at-build-time.patch
0004_remove_link_to_google_fonts.patch
+0005_ensure_private_archives_during_import.patch