[Mailman-Developers] Mailman 2.1.26 Security release Feb 4, 2018

Mark Sapiro mark at msapiro.net
Wed Feb 7 18:22:24 EST 2018


On 02/07/2018 01:38 PM, Sebastian Hagedorn wrote:
> 
> Hm, part of that was an artifact of running configure manually instead
> of using the SPEC file I usually use to build Mailman. With the latter
> and my "fix" I get the following:
> 
> $ mailman-config
> Configuration and build information for Mailman
> 
> Mailman version: 2.1.26
> Build Date:      Wed Feb  7 13:23:45 CET 2018
> 
> prefix:          /usr/lib/mailman
> var_prefix:      /var/lib/mailman
> mailman_user:    mailman
> mailman_group:   mailman
> mail_group:      mail postfix mailman nobody daemon
> cgi_group:       apache
> 
> configure_opts: "--prefix=/usr/lib/mailman
> --with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman
> --with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman
> --with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman
> --with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman
> nobody daemon --with-cgi-id=apache --with-cgi-gid=apache
> --with-mailhost=localhost.localdomain
> --with-urlhost=localhost.localdomain --without-permcheck"
> 
> So it's still using --without-permcheck, but the other options are there.


When I run that command without having made any changes in the unpacked
tarball on a machine without a 'mailman' user, but with a 'mail' group,
I get this from configure:

configure: WARNING: unrecognized options: --with-config-dir,
--with-lock-dir, --with-log-dir, --with-pid-dir, --with-queue-dir,
--with-cgi-id

This is expected because those options to configure were added by RedHat
as part of their FHS compliance patch. See
<https://wiki.list.org/x/8486953> and
<https://mail.python.org/pipermail/mailman-developers/2004-October/017343.html>

I get this from the bin/mailman-config command:

Configuration and build information for Mailman

Mailman version: 2.1.26
Build Date:      Wed Feb  7 14:19:11 PST 2018

prefix:          /usr/lib/mailman
var_prefix:      /var/lib/mailman
mailman_user:
mailman_group:
mail_group:      mail
cgi_group:       apache

configure_opts: "--prefix=/usr/lib/mailman
--with-var-prefix=/var/lib/mailman --with-config-dir=/etc/mailman
--with-lock-dir=/var/lock/mailman --with-log-dir=/var/log/mailman
--with-pid-dir=/var/run/mailman --with-queue-dir=/var/spool/mailman
--with-python=/usr/bin/python2.7 --with-mail-gid=mail postfix mailman
nobody daemon --with-cgi-id=apache --with-cgi-gid=apache
--with-mailhost=localhost.localdomain
--with-urlhost=localhost.localdomain --without-permcheck"

The empty mailman_user and mailman_group are because there is no
'mailman' user/group on the system I ran it on, and the fact that I get
mail_group = 'mail' rather than 'mail postfix mailman nobody daemon' is
because there is a 'mail' group (it picks the first group that exists
from that list and only yields the whole list as the result if none exist).

I suspect that your actual configure command options rather than the
ones reported by your bin/mailman-config are something like

--prefix=/usr/lib/mailman --with-var-prefix=/var/lib/mailman
--with-config-dir=/etc/mailman --with-lock-dir=/var/lock/mailman
--with-log-dir=/var/log/mailman --with-pid-dir=/var/run/mailman
--with-queue-dir=/var/spool/mailman --with-python=/usr/bin/python2.7
--with-mail-gid='"mail postfix mailman nobody daemon"'
--with-cgi-id=apache --with-cgi-gid=\"apache\"
--with-mailhost=localhost.localdomain
--with-urlhost=localhost.localdomain --without-permcheck

and that's where the extraneous quotes are coming from. I think the
passing of a list to --with-mail-gid relies on another RedHat
modification to the mail wrapper to be able to dynamically configure the
mail group and not build it in to the RPM.

The question is what you are trying to do.

If you just want to build a working Mailman 2.1.26 installation, I
suggest removing the --with-config-dir, --with-lock-dir, --with-log-dir,
--with-pid-dir, --with-queue-dir, --with-cgi-id options and setting
--with-mail-gid and --with-cgi-gid to the appropriate single groups
without any quotes.

If you are trying to build a RHEL FHS compliant Mailman, start by
porting the patch in the attachment to
<https://mail.python.org/pipermail/mailman-developers/2004-October/017343.html>
and applying it, running autoconf to regenerate configure from
configure.in, and taking any resultant issues to RedHat. Note, the last I
knew, John Dennis was still at RedHat, but was no longer working with
Mailman, but that was a long time ago. In case it isn't obvious, I
recommend the first approach.

If you're just trying to fix CVE-2018-5950, just apply the patch
attached to <https://bugs.launchpad.net/mailman/+bug/1747209>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
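The two points above (how a space-separated --with-mail-gid list is resolved to the first group that exists, and how shell quoting leaves literal quote characters inside the value) can be checked with the following added example. It is not Mailman's configure code; it mimics the selection rule the message describes against a constructed group file in /etc/group format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Mailman: models how a --with-mail-gid list is
# resolved and how stray shell quotes reach configure as part of the value.

# Constructed sample group database in /etc/group format. The real configure
# consults the live system; a file is used here so the example runs offline.
make_sample_group_db() {
    db="${TMPDIR:-/tmp}/example-group.$$"
    cat > "$db" <<'EOF'
root:x:0:
mail:x:12:
apache:x:48:
EOF
    printf '%s\n' "$db"
}

# Print the first group from LIST that exists in the group file DB, or the
# whole LIST if none of them exist (the rule the message describes).
first_existing_group() {
    db=$1
    list=$2
    for g in $list; do
        if grep -q "^$g:" "$db"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    printf '%s\n' "$list"
}

# Print each argument wrapped in <> so embedded quote characters are visible.
show_args() {
    for a in "$@"; do
        printf '<%s>\n' "$a"
    done
}

# Print how many separate arguments the shell actually handed over.
count_args() {
    printf '%s\n' "$#"
}

# Demonstration: mail_group resolution on a system with a 'mail' group.
DB=$(make_sample_group_db)
echo "mail_group: $(first_existing_group "$DB" "mail postfix mailman nobody daemon")"
echo "mail_group (none exist): $(first_existing_group "$DB" "postfix mailman nobody daemon")"
rm -f "$DB"

# Demonstration: unquoted list splits into five arguments, the extra quoting
# keeps it as one argument but carries the double quotes into the value.
echo "unquoted arg count: $(count_args --with-mail-gid=mail postfix mailman nobody daemon)"
show_args --with-mail-gid='"mail postfix mailman nobody daemon"'
show_args --with-cgi-gid=\"apache\"
```

Running the block shows `mail` for the first lookup and the whole list for the second, then `<--with-mail-gid="mail postfix mailman nobody daemon">` and `<--with-cgi-gid="apache">`, which is exactly the quoted form that shows up in the configure_opts line of mailman-config when the quotes are doubled in the SPEC file.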

