Re: Mailman DoS CVE-2005-3573, debbug #339095
On Wed, Dec 14, 2005 at 12:25:50PM +0100, Lionel Elie Mamane wrote:
> I've noticed that an issue I have fixed in Mailman in sid has been
> issued a CVE and that Mandrake has issued a security advisory over
> it.
The Mandrake security advisory also covers another DoS that's - again
- already fixed in unstable (in 1.2.5-10). Debian bug #326024 . The
problem is when the year in the date of the message gives an integer
overflow.
Cumulative patch for both issues attached.
-- 
Lionel
diff --recursive -uN mailman-2.1.5.pristine/debian/changelog mailman-2.1.5.security/debian/changelog
--- mailman-2.1.5.pristine/debian/changelog	2005-12-14 12:09:41.944679989 +0100
+++ mailman-2.1.5.security/debian/changelog	2005-12-14 15:24:12.252763977 +0100
@@ -1,3 +1,13 @@
+mailman (2.1.5-8sarge1) stable-security; urgency=high
+
+  * Don't fall apart if the filename of an attachment is an invalid UTF-8
+    string, which leads to a DoS attack (closes: #339095)
+    This is CVE-2005-3573
+  * Don't die on overflow in date handling, which could lead to a DoS
+    attack (closes: #326024)
+
+ -- Lionel Elie Mamane <lmamane@debian.org>  Wed, 14 Dec 2005 15:24:12 +0100
+
 mailman (2.1.5-8) unstable; urgency=low
 
   * Add Italian debconf translation (closes: #278562)
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/00list mailman-2.1.5.security/debian/patches/00list
--- mailman-2.1.5.pristine/debian/patches/00list	2005-12-14 12:09:41.717711648 +0100
+++ mailman-2.1.5.security/debian/patches/00list	2005-12-14 15:21:24.139901102 +0100
@@ -32,4 +32,6 @@
 65_donot_add_empty_cc
 66_donot_let_cache_html_pages
 67_update_handle_old_versions
+70_invalid_utf8_dos
+71_date_overflows.dpatch
 99_js_templates
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch
--- mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch	2005-12-14 12:18:27.017561090 +0100
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_invalid_utf8_dos.dpatch by  <lionel@mamane.lu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Avoid DOS if attachement filename is invalid Unicode string
+
+@DPATCH@
+diff -urNad mailman-2.1.5~/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.5~/Mailman/Handlers/Scrubber.py	2003-12-01 02:43:18.000000000 +0100
++++ mailman-2.1.5/Mailman/Handlers/Scrubber.py	2005-11-13 15:29:26.585952860 +0100
+@@ -266,7 +266,10 @@
+             finally:
+                 os.umask(omask)
+             desc = part.get('content-description', _('not available'))
+-            filename = part.get_filename(_('not available'))
++            try:
++                filename = part.get_filename(_('not available'))
++            except UnicodeDecodeError:
++                filename = _('not available')
+             del part['content-type']
+             del part['content-transfer-encoding']
+             part.set_payload(_("""\
+@@ -356,7 +359,10 @@
+     # e.g. image/jpg (should be image/jpeg).  For now we just store such
+     # things as application/octet-streams since that seems the safest.
+     ctype = msg.get_content_type()
+-    fnext = os.path.splitext(msg.get_filename(''))[1]
++    try:
++        fnext = os.path.splitext(msg.get_filename(''))[1]
++    except UnicodeDecodeError:
++        fnext = ''
+     ext = guess_extension(ctype, fnext)
+     if not ext:
+         # We don't know what it is, so assume it's just a shapeless
+@@ -375,7 +381,10 @@
+     try:
+         # Now base the filename on what's in the attachment, uniquifying it if
+         # necessary.
+-        filename = msg.get_filename()
++        try:
++            filename = msg.get_filename()
++        except UnicodeDecodeError:
++            filename = None
+         if not filename:
+             filebase = 'attachment'
+         else:
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/71_date_overflows.dpatch mailman-2.1.5.security/debian/patches/71_date_overflows.dpatch
--- mailman-2.1.5.pristine/debian/patches/71_date_overflows.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.5.security/debian/patches/71_date_overflows.dpatch	2005-12-14 15:19:51.722090951 +0100
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 71_date_overflows.dpatch by  <lionel@mamane.lu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: React sensibly on integer overflow in date handling
+
+@DPATCH@
+diff -urNad mailman-2.1.5~/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.5~/Mailman/Handlers/Scrubber.py	2005-11-13 17:14:04.000000000 +0100
++++ mailman-2.1.5/Mailman/Handlers/Scrubber.py	2005-11-13 17:44:31.308551771 +0100
+@@ -113,7 +113,7 @@
+ def safe_strftime(fmt, floatsecs):
+     try:
+         return time.strftime(fmt, floatsecs)
+-    except (TypeError, ValueError):
++    except (OverflowError, TypeError, ValueError):
+         return None
+ 
+ 
+@@ -142,7 +142,7 @@
+                      }.get(parts[3], 0)
+             day = int(parts[4])
+             year = int(parts[6])
+-        except (IndexError, ValueError):
++        except (OverflowError, IndexError, ValueError):
+             # Best we can do I think
+             month = day = year = 0
+         datedir = '%04d%02d%02d' % (year, month, day)
+diff -urNad mailman-2.1.5~/Mailman/Queue/ArchRunner.py mailman-2.1.5/Mailman/Queue/ArchRunner.py
+--- mailman-2.1.5~/Mailman/Queue/ArchRunner.py	2003-12-01 02:50:40.000000000 +0100
++++ mailman-2.1.5/Mailman/Queue/ArchRunner.py	2005-11-13 17:43:38.642854438 +0100
+@@ -49,7 +49,7 @@
+                 elif abs(now - mktime_tz(tup)) > \
+                          mm_cfg.ARCHIVER_ALLOWABLE_SANE_DATE_SKEW:
+                     clobber = 1
+-            except ValueError:
++            except (OverflowError, ValueError):
+                 # The likely cause of this is that the year in the Date: field
+                 # is horribly incorrect, e.g. (from SF bug # 571634):
+                 # Date: Tue, 18 Jun 0102 05:12:09 +0500
Reply to: