[Pkg-mailman-hackers] Re: [mm-deb] Bug#244181: CAN-2004-0182: DoSsable through message with an empty subject field

Siggy Brentrup 244181@bugs.debian.org, pkg-mailman-hackers@lists.alioth.debian.org
Sat, 17 Apr 2004 14:11:51 +0200


On Sat, Apr 17, 2004 at 01:14:43PM +0200, J.H.M. Dassen (Ray) wrote:
> On Sat, Apr 17, 2004 at 10:48:51 +0200, GCS wrote:
> >  Mea culpa, I was too fast on responding to this. Isn't it a duplicate of
> > #232079?
>
> I'm fairly sure it isn't.
>
> > See the changelog entry for 2.0.11-1woody8:
> > -- cut --
> >   * Non-maintainer upload by the Security Team
> >   * Fix a bug introduced in 2.0.11-1woody7
>
> Although it isn't mentioned explicitly, the phrasing suggests that this was a
> bug in how CAN-2003-0038, CAN-2003-0965 and/or CAN-2003-0991 were fixed in
> the Debian mailman package (as opposed to a bug in how these were addressed
> upstream).
>
> The issue I filed this bug for has a different CVE id (CAN-2004-0182) and
> has been addressed by a different distribution (Red Hat) already, which
> implies it isn't Debian-specific.
>
> >     which caused a crash on messages with no Subject header at all
> >     (Closes: #232079)
>
> Notice the "no Subject header at all" as opposed to the "empty subject
> field" in CAN-2004-0182 for which I filed this bug.

IMHO the proper solution is to upgrade to MM 2.0.14. Quoting its NEWS file:

| Here is a history of user visible changes to Mailman.
|
| 2.0.14 (08-Feb-2004)
|
|     - Fixed CAN-2003-0991, a denial-of-service vulnerability in the mail
|       command handler.
|
|     - Fixed a small bug in the mail->news gateway.
|
| 2.0.13 (29-Jul-2002)
|
|     - Fixed some Python 1.5.2 compatibility problems that crept into
|       Mailman 2.0.12.
|
|     - Fixed some configure script incompatibilities on certain
|       platforms.
|
| 2.0.12 (02-Jul-2002)
|
|     - Implemented a guard against some reply loops and 'bot
|       subscription attacks.  Specifically, if a message to -request
|       has a Precedence: bulk (or list, or junk) header, the command is
|       ignored.  Well-behaved 'bots should always include such a
|       header.
|
|     - Changes to the configure script so that you can pass in the mail
|       host and web host by setting the environment variables MAILHOST
|       and WWWHOST respectively.  configure will also exit if it can't
|       figure out these values (usually due to broken dns).
|
|     - Closed another minor cross-site scripting vulnerability.
|

I'll build mailman-2.0.14-1woody1 as soon as I get an OK from the security team.

Thanks
 . Siggy
