[Pkg-mailman-hackers] Pkg-mailman commit - rev 771 - in branches/wheezy/debian: . patches
Thijs Kinkhorst
thijs at moszumanska.debian.org
Mon Apr 6 16:28:01 UTC 2015
Author: thijs
Date: 2015-04-06 16:28:01 +0000 (Mon, 06 Apr 2015)
New Revision: 771
Added:
branches/wheezy/debian/patches/92_CVE-2015-2775.patch
Modified:
branches/wheezy/debian/changelog
branches/wheezy/debian/patches/series
Log:
Fix path traversal issue via stable-security
Modified: branches/wheezy/debian/changelog
===================================================================
--- branches/wheezy/debian/changelog 2015-04-06 16:12:27 UTC (rev 770)
+++ branches/wheezy/debian/changelog 2015-04-06 16:28:01 UTC (rev 771)
@@ -1,3 +1,13 @@
+mailman (1:2.1.15-1+deb7u1) wheezy-security; urgency=high
+
+ * Fix security issue: path traversal through local_part.
+ Affects installations which use an Exim or Postfix transport
+ instead of fixed aliases; attacker needs to be able to place
+ files on the local filesystem.
+ (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <thijs at debian.org> Mon, 06 Apr 2015 18:17:34 +0200
+
mailman (1:2.1.15-1) unstable; urgency=low
* New upstream release.
Added: branches/wheezy/debian/patches/92_CVE-2015-2775.patch
===================================================================
--- branches/wheezy/debian/patches/92_CVE-2015-2775.patch (rev 0)
+++ branches/wheezy/debian/patches/92_CVE-2015-2775.patch 2015-04-06 16:28:01 UTC (rev 771)
@@ -0,0 +1,34 @@
+From: Mark Sapiro <mark at msapiro.net>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+
+ # A Python regular expression character class which defines the characters
+ # allowed in list names. Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class. Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+
+
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
Modified: branches/wheezy/debian/patches/series
===================================================================
--- branches/wheezy/debian/patches/series 2015-04-06 16:12:27 UTC (rev 770)
+++ branches/wheezy/debian/patches/series 2015-04-06 16:28:01 UTC (rev 771)
@@ -10,3 +10,4 @@
63_update_default_server_language.patch
66_donot_let_cache_html_pages.patch
79_archiver_slash.patch
+92_CVE-2015-2775.patch
More information about the Pkg-mailman-hackers
mailing list