[Mailman-Announce] Security patch and Mailman 2.1.20 to be released on 31 March

Mark Sapiro mark at msapiro.net
Tue Mar 31 16:27:35 CEST 2015


On 03/27/2015 02:42 PM, Mark Sapiro wrote:
> A security vulnerability in Mailman has been found and fixed. It has
> been assigned CVE-2015-2775. The details of this vulnerability and fix
> will be announced next Tuesday, 31 March 2015, at which time both a
> patch for this specific vulnerability and Mailman 2.1.20 will be released.


Here is more information. The report at
<https://launchpad.net/bugs/1437145> is now public.

Your installation is only vulnerable if both of the following are true.

1) Delivery of list mail to mailman from the MTA uses some kind of
programmatic method as opposed to fixed aliases. This includes Exim with
the recommended transport, Postfix with the postfix_to_mailman.py
transport and qmail with the qmail-to-mailman.py transport.

2) Untrusted users are able to create files on the Mailman server that
are accessible to Mailman. These can be in a user's home directory or
/tmp or anywhere that can be accessed via a path like
/path/to/mailman/lists/../../../../../../../../path/to/directory.

Installations most at risk likely include hosting services using cPanel
with untrusted users. Outside of those, the majority of sites are
probably not vulnerable.

This vulnerability is fixed by the patch in the attached file. This
patch will apply with at most a line number offset to the Utils.py
module in any Mailman 2.1.x version that doesn't already have it. If
your Mailman version is 2.1.11 or later, just apply the patch to
Mailman/Utils.py and restart Mailman. For versions older than 2.1.11,
the setting mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS referenced in the
patch doesn't exist, so you also need to add

ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

to Defaults.py or mm_cfg.py before restarting Mailman.


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
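The check the announcement describes is a character whitelist: every character of the list name must match the configured class, and anything left after stripping the acceptable characters marks the name as hostile. The following is an added Python example, not code from the announcement or from Mailman itself, that reproduces that test, adds a second containment layer on the normalised path, and shows how to audit existing list names against the whitelist before deploying it; `LISTS_DIR`, `listpath`, `listpath_error` and `audit_listnames` are assumed names for illustration, and the sample names are constructed.

```python
import posixpath
import re

# The character class the announcement tells pre-2.1.11 sites to add to
# Defaults.py or mm_cfg.py; every character of a list name must match it.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Assumed stand-in for the directory that Site.get_listpath() builds under.
LISTS_DIR = '/path/to/mailman/lists'


def is_acceptable_listname(listname, pattern=ACCEPTABLE_LISTNAME_CHARACTERS):
    """Same test as the patch: delete every acceptable character and call
    the name hostile if anything is left.  The pattern is applied
    case-sensitively, so 'MyList' fails unless lowercased first, and an
    empty string passes because nothing remains to object to."""
    return len(re.sub(pattern, '', listname)) == 0


def listpath(listname, lists_dir=LISTS_DIR,
             pattern=ACCEPTABLE_LISTNAME_CHARACTERS):
    """Per-list directory for a validated name.  Two layers: the whitelist
    from the patch, then a containment check on the normalised path so a
    loosened pattern cannot silently reintroduce traversal."""
    if not listname or not is_acceptable_listname(listname, pattern):
        raise ValueError('Hostile listname: %s' % listname)
    path = posixpath.normpath(posixpath.join(lists_dir, listname))
    if not path.startswith(lists_dir.rstrip('/') + '/'):
        raise ValueError('Listname escapes lists directory: %s' % listname)
    return path


def listpath_error(listname, **kw):
    """Return the rejection message for a name, or None if it is accepted."""
    try:
        listpath(listname, **kw)
    except ValueError as e:
        return str(e)
    return None


def audit_listnames(names, pattern=ACCEPTABLE_LISTNAME_CHARACTERS):
    """Map each name to True/False; useful for checking the entries already
    under lists/ against the whitelist before the check goes live."""
    return dict((name, is_acceptable_listname(name, pattern))
                for name in names)


if __name__ == '__main__':
    # Constructed sample names, not taken from any real installation.
    samples = ['mailman', 'dev-list_2.0+x=y', 'MyList',
               '../../../../tmp/other', 'list name']
    for name, ok in sorted(audit_listnames(samples).items()):
        print('%-25r %s' % (name, 'ok' if ok else 'REJECTED'))
```

Running the block prints one line per sample name. The containment check in `listpath` is the part worth keeping even after the patch: if a site later widens `ACCEPTABLE_LISTNAME_CHARACTERS` to admit `/`, the whitelist alone no longer protects the lists directory, but the normalised-path check still refuses any name that resolves outside it.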

-------------- next part --------------
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2015-01-23 23:50:47 +0000
+++ Mailman/Utils.py	2015-03-27 18:14:06 +0000
@@ -100,6 +100,12 @@
     #
     # The former two are for 2.1alpha3 and beyond, while the latter two are
     # for all earlier versions.
+    #
+    # But first ensure the list name doesn't contain a path traversal
+    # attack.
+    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+        syslog('mischief', 'Hostile listname: %s', listname)
+        return False
     basepath = Site.get_listpath(listname)
     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
         dbfile = os.path.join(basepath, 'config' + ext)
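Review bot: the added lines call `re.sub`, `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS` and `syslog`, none of which is imported or defined in the visible context, so confirm that Utils.py already imports `re`, `mm_cfg` and `syslog` at module level and that installations older than 2.1.11 add the setting as the announcement describes; otherwise every list lookup will raise AttributeError here instead of returning False. Two behaviours of the check are worth a comment: `re.sub` applies `'[-+_.=a-z0-9]'` case-sensitively, so a name containing uppercase letters is logged as hostile unless every caller has lowercased it first, and an empty listname passes (nothing remains after stripping) and falls through to the existing config-file lookup below. The comment `# But first ensure the list name doesn't contain a path traversal attack.` also understates what the code does; suggest `# Reject any listname containing characters outside ACCEPTABLE_LISTNAME_CHARACTERS.` so readers see it is a character whitelist rather than a traversal-specific test.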


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/mailman-announce/attachments/20150331/f2c26a85/attachment.sig>

