Package: mailman / 1:2.1.18-2+deb8u2

92_CVE-2015-2775.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From: Mark Sapiro <mark@msapiro.net>
Subject: Fix path traversal through local_part (CVE-2015-2775)
Origin: upstream, https://launchpadlibrarian.net/201407944/p
Bug: https://bugs.launchpad.net/mailman/+bug/1437145
Bug-Debian: http://bugs.debian.org/781626

diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
--- mailman-2.1.18.orig/Mailman/Defaults.py.in	2014-05-03 17:37:22.000000000 +0000
+++ mailman-2.1.18/Mailman/Defaults.py.in	2015-04-06 15:43:20.000000000 +0000
@@ -138,7 +138,7 @@
 
 # A Python regular expression character class which defines the characters
 # allowed in list names.  Lists cannot be created with names containing any
-# character that doesn't match this class.
+# character that doesn't match this class.  Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
 
 
diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
--- mailman-2.1.18.orig/Mailman/Utils.py	2014-05-03 17:37:22.000000000 +0000
+++ mailman-2.1.18/Mailman/Utils.py	2015-04-06 15:43:20.000000000 +0000
@@ -99,6 +99,12 @@
     #
     # The former two are for 2.1alpha3 and beyond, while the latter two are
     # for all earlier versions.
+    #
+    # But first ensure the list name doesn't contain a path traversal
+    # attack.
+    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+        syslog('mischief', 'Hostile listname: %s', listname)
+        return False
     basepath = Site.get_listpath(listname)
     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
         dbfile = os.path.join(basepath, 'config' + ext)