[Pkg-mailman-hackers] Pkg-mailman commit - rev 796 - in branches/wheezy/debian: . patches
Thijs Kinkhorst
thijs at moszumanska.debian.org
Thu Sep 15 05:37:33 UTC 2016
Author: thijs
Date: 2016-09-15 05:37:27 +0000 (Thu, 15 Sep 2016)
New Revision: 796
Added:
branches/wheezy/debian/patches/93_CVE-2016-6893.patch
Modified:
branches/wheezy/debian/changelog
branches/wheezy/debian/patches/series
Log:
changes by Chris Lamb for CVE-2016-6893
Modified: branches/wheezy/debian/changelog
===================================================================
--- branches/wheezy/debian/changelog 2016-09-15 05:35:36 UTC (rev 795)
+++ branches/wheezy/debian/changelog 2016-09-15 05:37:27 UTC (rev 796)
@@ -1,3 +1,10 @@
+mailman (1:2.1.15-1+deb7u2) wheezy-security; urgency=high
+
+ * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
+ which could allow an attacker to obtain a user's password. (Closes: #835970)
+
+ -- Chris Lamb <lamby at debian.org> Thu, 01 Sep 2016 19:51:15 +0100
+
mailman (1:2.1.15-1+deb7u1) wheezy-security; urgency=high
* Fix security issue: path traversal through local_part.
Added: branches/wheezy/debian/patches/93_CVE-2016-6893.patch
===================================================================
--- branches/wheezy/debian/patches/93_CVE-2016-6893.patch (rev 0)
+++ branches/wheezy/debian/patches/93_CVE-2016-6893.patch 2016-09-15 05:37:27 UTC (rev 796)
@@ -0,0 +1,115 @@
+Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page
+Author: Mark Sapiro <mark at msapiro.net>
+Last-Update: 2016-09-01
+
+--- mailman-2.1.15.orig/Mailman/HTMLFormatter.py
++++ mailman-2.1.15/Mailman/HTMLFormatter.py
+@@ -28,6 +28,8 @@ from Mailman.htmlformat import *
+
+ from Mailman.i18n import _
+
++from Mailman.CSRFcheck import csrf_token
++
+
+ EMPTYSTRING = ''
+ BR = '<br>'
+@@ -314,12 +316,17 @@ class HTMLFormatter:
+ container.AddItem("</center>")
+ return container
+
+- def FormatFormStart(self, name, extra=''):
++ def FormatFormStart(self, name, extra='',
++ mlist=None, contexts=None, user=None):
+ base_url = self.GetScriptURL(name)
+ if extra:
+ full_url = "%s/%s" % (base_url, extra)
+ else:
+ full_url = base_url
++ if mlist:
++ return ("""<form method="POST" action="%s">
++<input type="hidden" name="csrf_token" value="%s">"""
++ % (full_url, csrf_token(mlist, contexts, user)))
+ return ('<FORM Method=POST ACTION="%s">' % full_url)
+
+ def FormatArchiveAnchor(self):
+--- mailman-2.1.15.orig/Mailman/htmlformat.py
++++ mailman-2.1.15/Mailman/htmlformat.py
+@@ -406,13 +406,14 @@ class Center(StdContainer):
+
+ class Form(Container):
+ def __init__(self, action='', method='POST', encoding=None,
+- mlist=None, contexts=None, *items):
++ mlist=None, contexts=None, user=None, *items):
+ apply(Container.__init__, (self,) + items)
+ self.action = action
+ self.method = method
+ self.encoding = encoding
+ self.mlist = mlist
+ self.contexts = contexts
++ self.user = user
+
+ def set_action(self, action):
+ self.action = action
+@@ -427,7 +428,7 @@ class Form(Container):
+ if self.mlist:
+ output = output + \
+ '<input type="hidden" name="csrf_token" value="%s">\n' \
+- % csrf_token(self.mlist, self.contexts)
++ % csrf_token(self.mlist, self.contexts, self.user)
+ output = output + Container.Format(self, indent+2)
+ output = '%s\n%s</FORM>\n' % (output, spaces)
+ return output
+--- mailman-2.1.15.orig/Mailman/Cgi/admindb.py
++++ mailman-2.1.15/Mailman/Cgi/admindb.py
+@@ -39,6 +39,7 @@ from Mailman.ListAdmin import readMessag
+ from Mailman.Cgi import Auth
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+
+ EMPTYSTRING = ''
+ NL = '\n'
+@@ -61,6 +62,9 @@ def helds_by_sender(mlist):
+ bysender.setdefault(sender, []).append(id)
+ return bysender
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++ mm_cfg.AuthListModerator)
++
+
+ def hacky_radio_buttons(btnname, labels, values, defaults, spacing=3):
+ # We can't use a RadioButtonArray here because horizontal placement can be
+--- mailman-2.1.15.orig/Mailman/Cgi/edithtml.py
++++ mailman-2.1.15/Mailman/Cgi/edithtml.py
+@@ -30,9 +30,12 @@ from Mailman import Errors
+ from Mailman.Cgi import Auth
+ from Mailman.Logging.Syslog import syslog
+ from Mailman import i18n
++from Mailman.CSRFcheck import csrf_check
+
+ _ = i18n._
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
++
+
+
+ def main():
+--- mailman-2.1.15.orig/Mailman/Cgi/options.py
++++ mailman-2.1.15/Mailman/Cgi/options.py
+@@ -32,6 +32,7 @@ from Mailman import MemberAdaptor
+ from Mailman import i18n
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+
+ SLASH = '/'
+ SETLANGUAGE = -1
+@@ -46,6 +47,8 @@ except NameError:
+ True = 1
+ False = 0
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++ mm_cfg.AuthListModerator, mm_cfg.AuthUser)
+
+
+ def main():
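Review bot: The server-side check that makes the token meaningful is not visible in this patch file — options.py, admindb.py and edithtml.py gain `from Mailman.CSRFcheck import csrf_check` and an `AUTH_CONTEXTS` tuple, but none of the 115 added lines calls `csrf_check(...)` in a `main()` or passes `mlist`, `contexts` and `user` into `FormatFormStart`/`Form`, which is the only path on which the new `mlist` branch emits a `csrf_token` field at all. The `@@ -0,0 +1,115 @@` count matches what is shown, so either this archive copy is truncated or the wheezy patch really stops at the imports; in the latter case the user options page is still unprotected and the changelog claim for CVE-2016-6893 is not met, so I would verify by POSTing to the options page without a `csrf_token` field and confirming it is rejected. The patch also leaves Mailman/CSRFcheck.py untouched while calling `csrf_token(mlist, contexts, user)` with three arguments, which only works if the 2.1.15 `csrf_token` already accepts a `user` parameter — worth confirming against the wheezy source. A minor style point: with `mlist` set, `FormatFormStart` now emits lowercase `<form method="POST" action="%s">` while the fallback keeps `<FORM Method=POST ACTION="%s">`; harmless, but the two branches should use one form of the markup. The `main()` definitions whose headers close the edithtml.py and options.py hunks continue outside this patch file.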
Modified: branches/wheezy/debian/patches/series
===================================================================
--- branches/wheezy/debian/patches/series 2016-09-15 05:35:36 UTC (rev 795)
+++ branches/wheezy/debian/patches/series 2016-09-15 05:37:27 UTC (rev 796)
@@ -11,3 +11,4 @@
66_donot_let_cache_html_pages.patch
79_archiver_slash.patch
92_CVE-2015-2775.patch
+93_CVE-2016-6893.patch