[Pkg-mailman-hackers] Pkg-mailman commit - rev 796 - in branches/wheezy/debian: . patches

Thijs Kinkhorst thijs at moszumanska.debian.org
Thu Sep 15 05:37:33 UTC 2016


Author: thijs
Date: 2016-09-15 05:37:27 +0000 (Thu, 15 Sep 2016)
New Revision: 796

Added:
   branches/wheezy/debian/patches/93_CVE-2016-6893.patch
Modified:
   branches/wheezy/debian/changelog
   branches/wheezy/debian/patches/series
Log:
changes by Chris Lamb for CVE-2016-6893


Modified: branches/wheezy/debian/changelog
===================================================================
--- branches/wheezy/debian/changelog	2016-09-15 05:35:36 UTC (rev 795)
+++ branches/wheezy/debian/changelog	2016-09-15 05:37:27 UTC (rev 796)
@@ -1,3 +1,10 @@
+mailman (1:2.1.15-1+deb7u2) wheezy-security; urgency=high
+
+  * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
+    which could allow an attacker to obtain a user's password. (Closes: #835970)
+
+ -- Chris Lamb <lamby at debian.org>  Thu, 01 Sep 2016 19:51:15 +0100
+
 mailman (1:2.1.15-1+deb7u1) wheezy-security; urgency=high
 
   * Fix security issue: path traversal through local_part.

Added: branches/wheezy/debian/patches/93_CVE-2016-6893.patch
===================================================================
--- branches/wheezy/debian/patches/93_CVE-2016-6893.patch	                        (rev 0)
+++ branches/wheezy/debian/patches/93_CVE-2016-6893.patch	2016-09-15 05:37:27 UTC (rev 796)
@@ -0,0 +1,115 @@
+Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page
+Author: Mark Sapiro <mark at msapiro.net>
+Last-Update: 2016-09-01
+
+--- mailman-2.1.15.orig/Mailman/HTMLFormatter.py
++++ mailman-2.1.15/Mailman/HTMLFormatter.py
+@@ -28,6 +28,8 @@ from Mailman.htmlformat import *
+ 
+ from Mailman.i18n import _
+ 
++from Mailman.CSRFcheck import csrf_token
++
+ 
+ EMPTYSTRING = ''
+ BR = '<br>'
+@@ -314,12 +316,17 @@ class HTMLFormatter:
+             container.AddItem("</center>")
+         return container
+ 
+-    def FormatFormStart(self, name, extra=''):
++    def FormatFormStart(self, name, extra='',
++                        mlist=None, contexts=None, user=None):
+         base_url = self.GetScriptURL(name)
+         if extra:
+             full_url = "%s/%s" % (base_url, extra)
+         else:
+             full_url = base_url
++        if mlist:
++            return ("""<form method="POST" action="%s">
++<input type="hidden" name="csrf_token" value="%s">""" 
++                % (full_url, csrf_token(mlist, contexts, user)))
+         return ('<FORM Method=POST ACTION="%s">' % full_url)
+ 
+     def FormatArchiveAnchor(self):
+--- mailman-2.1.15.orig/Mailman/htmlformat.py
++++ mailman-2.1.15/Mailman/htmlformat.py
+@@ -406,13 +406,14 @@ class Center(StdContainer):
+ 
+ class Form(Container):
+     def __init__(self, action='', method='POST', encoding=None, 
+-                       mlist=None, contexts=None, *items):
++                       mlist=None, contexts=None, user=None, *items):
+         apply(Container.__init__, (self,) +  items)
+         self.action = action
+         self.method = method
+         self.encoding = encoding
+         self.mlist = mlist
+         self.contexts = contexts
++        self.user = user
+ 
+     def set_action(self, action):
+         self.action = action
+@@ -427,7 +428,7 @@ class Form(Container):
+         if self.mlist:
+             output = output + \
+                 '<input type="hidden" name="csrf_token" value="%s">\n' \
+-                % csrf_token(self.mlist, self.contexts)
++                % csrf_token(self.mlist, self.contexts, self.user)
+         output = output + Container.Format(self, indent+2)
+         output = '%s\n%s</FORM>\n' % (output, spaces)
+         return output
+--- mailman-2.1.15.orig/Mailman/Cgi/admindb.py
++++ mailman-2.1.15/Mailman/Cgi/admindb.py
+@@ -39,6 +39,7 @@ from Mailman.ListAdmin import readMessag
+ from Mailman.Cgi import Auth
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+ 
+ EMPTYSTRING = ''
+ NL = '\n'
+@@ -61,6 +62,9 @@ def helds_by_sender(mlist):
+         bysender.setdefault(sender, []).append(id)
+     return bysender
+ 
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++                 mm_cfg.AuthListModerator)
++
+ 
+ def hacky_radio_buttons(btnname, labels, values, defaults, spacing=3):
+     # We can't use a RadioButtonArray here because horizontal placement can be
+--- mailman-2.1.15.orig/Mailman/Cgi/edithtml.py
++++ mailman-2.1.15/Mailman/Cgi/edithtml.py
+@@ -30,9 +30,12 @@ from Mailman import Errors
+ from Mailman.Cgi import Auth
+ from Mailman.Logging.Syslog import syslog
+ from Mailman import i18n
++from Mailman.CSRFcheck import csrf_check
+ 
+ _ = i18n._
+ 
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
++
+ 
+ 

+ def main():
+--- mailman-2.1.15.orig/Mailman/Cgi/options.py
++++ mailman-2.1.15/Mailman/Cgi/options.py
+@@ -32,6 +32,7 @@ from Mailman import MemberAdaptor
+ from Mailman import i18n
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+ 
+ SLASH = '/'
+ SETLANGUAGE = -1
+@@ -46,6 +47,8 @@ except NameError:
+     True = 1
+     False = 0
+ 
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++                 mm_cfg.AuthListModerator, mm_cfg.AuthUser)
+ 
+ 

+ def main():
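Review bot: The three CGI scripts in this patch (admindb.py, edithtml.py, options.py) gain `from Mailman.CSRFcheck import csrf_check` and an `AUTH_CONTEXTS` tuple, but no call to `csrf_check` appears in any of their hunks, and the `@@ -0,0 +1,115 @@` header together with the file ending on options.py's `def main():` context line suggests this is the whole patch; if so, the token is emitted by `FormatFormStart` and `Form` but never verified on submission, leaving the CVE-2016-6893 fix incomplete. Please confirm the hunks wiring `csrf_check` into each script's `main()` exist (or live in a separate patch), and add a comment above each `AUTH_CONTEXTS` such as `# Auth contexts handed to csrf_check for this page`. `FormatFormStart` only emits the hidden token when `mlist` is passed (`if mlist:`), so existing callers keep producing unprotected forms until they are updated to pass the list. Inserting `user=None` before `*items` in `Form.__init__` shifts any caller that passes form items positionally after `contexts`, silently binding its first item to `user`; none is visible here, but call sites are worth checking. The trailing whitespace after the opening `"""` string on the `csrf_token` input line in `FormatFormStart` should also be removed.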

Modified: branches/wheezy/debian/patches/series
===================================================================
--- branches/wheezy/debian/patches/series	2016-09-15 05:35:36 UTC (rev 795)
+++ branches/wheezy/debian/patches/series	2016-09-15 05:37:27 UTC (rev 796)
@@ -11,3 +11,4 @@
 66_donot_let_cache_html_pages.patch
 79_archiver_slash.patch
 92_CVE-2015-2775.patch
+93_CVE-2016-6893.patch



