[Pkg-mailman-hackers] Re: CVE-2006-2941: Mailman: DoS caused by standards-breaking RFC 2231 formatted headers.

Lionel Elie Mamane lionel at mamane.lu
Wed Sep 20 13:35:14 UTC 2006


On Tue, Sep 12, 2006 at 10:25:15AM +0200, Lionel Elie Mamane wrote:

> I tried to prepare an update for CVE-2006-2941 in Mailman. This was
> fixed upstream by updating the included python "email" package. But in
> Mailman-in-sarge, the included email package is not used at all. I
> believe it then uses the "email" package from python? This security
> issue then needs to be solved in python? Is not present at all in
> python's email package? I'm not sure. I'm confused.

I've taken a closer look to this. I'm now sure that:

 - mailman as packaged in sarge uses the "email" python package
   provided by python itself.

 - the email package provided by python is version 2.5.5

 - the fix in the email package that fixes CVE-2006-2941 for Mailman
   is between email 2.5.7 and email 2.5.8.

I hence conclude:

 - the python email package bug that leads to CVE-2006-2941 in Mailman
   is present in python in sarge.

 - it hence needs to be fixed in python.

Something based on the patch I sent in my previous mail should
do. That patch creates a file
"mailman-2.1.5/misc/CVE-2006-2941.patch"; that's the patch that should
(partially?) be applied to the email python package.

-- 
Lionel



More information about the Pkg-mailman-hackers mailing list