Bug#358892: [Pkg-mailman-hackers] Bug#358892: Uncaught runner exception: len() of unsized object

Lionel Elie Mamane lionel at mamane.lu
Tue Mar 28 21:17:58 UTC 2006


tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks

On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:

> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed mime multiparts and
> sometimes all messages received after the defective one to be
> shunted, thus rendering the specific list to be unusable.

This thus leads to a DoS attack vector, and makes it a security
vulnerability.

I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman looks
relevant. Should we get one? If yes, will the security team take care
of this?

> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

> The patch (attached for your convenience) is also in 2.1.6, see 
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
> --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py	2003-12-01 02:43:18.000000000 +0100
> +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py	2006-03-25 01:25:57.000000000 +0100
> @@ -259,6 +259,14 @@
>          elif not part.is_multipart():
>              payload = part.get_payload(decode=True)
>              ctype = part.get_type()
> +            # XXX Under email 2.5, it is possible that payload will be None.
> +            # This can happen when you have a Content-Type: multipart/* with
> +            # only one part and that part has two blank lines between the
> +            # first boundary and the end boundary.  In email 3.0 you end up
> +            # with a string in the payload.  I think in this case it's safe to
> +            # ignore the part.
> +            if payload is None:
> +                continue
>              size = len(payload)
>              omask = os.umask(002)
>              try:
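
Review bot: the new `if payload is None: continue` guard drops the part silently, so a message that loses a part here leaves no trace for the list admin. A log line just before the `continue`, recording that a part with an empty payload was skipped, would make this diagnosable. The comment is still marked XXX and only says "I think in this case it's safe to ignore the part"; it should state what the scrubbed message looks like when the part is skipped. The guard could also move above `ctype = part.get_type()`, since `ctype` is unused on the skip path.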

As maintainer of the Debian package of Mailman, I approve this
patch. Please issue a DSA with this update.

Thanks,

-- 
Lionel



