Package: mailman / 1:2.1.18-2+deb8u2

Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page
Author: Mark Sapiro <mark@msapiro.net>
Last-Update: 2016-09-15

diff -Nur mailman-2.1.18.orig/Mailman/Cgi/admindb.py mailman-2.1.18/Mailman/Cgi/admindb.py
--- mailman-2.1.18.orig/Mailman/Cgi/admindb.py	2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.18/Mailman/Cgi/admindb.py	2016-09-15 07:55:04.308506251 +0200
@@ -39,6 +39,7 @@
 from Mailman.Cgi import Auth
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
 
 EMPTYSTRING = ''
 NL = '\n'
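Review bot: csrf_check is imported here but no hunk shown in this patch calls it, and the AUTH_CONTEXTS tuples added in the next admindb.py hunk and in the edithtml.py and options.py hunks are likewise never referenced by any visible line. If the calls to csrf_check at the top of each CGI's main() live in a part of the patch not displayed on this page, that is fine; otherwise the fix only mints tokens through Form/FormatFormStart and never validates them, and the three pages stay unprotected. A one-line comment above each tuple, `# auth contexts whose csrf_token this CGI accepts`, would make the purpose of AUTH_CONTEXTS clear to the next reader, since the name alone does not say which side of the check it feeds. The options.py tuple is the only one that adds mm_cfg.AuthUser, which matches the subscriber-facing page this CVE is about.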
@@ -58,6 +59,9 @@
 else:
     ssort = SSENDER
 
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+                 mm_cfg.AuthListModerator)
+
 
 
 def helds_by_skey(mlist, ssort=SSENDER):
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/edithtml.py mailman-2.1.18/Mailman/Cgi/edithtml.py
--- mailman-2.1.18.orig/Mailman/Cgi/edithtml.py	2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.18/Mailman/Cgi/edithtml.py	2016-09-15 07:55:04.308506251 +0200
@@ -30,9 +30,12 @@
 from Mailman.Cgi import Auth
 from Mailman.Logging.Syslog import syslog
 from Mailman import i18n
+from Mailman.CSRFcheck import csrf_check
 
 _ = i18n._
 
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
+
 
 
 def main():
diff -Nur mailman-2.1.18.orig/Mailman/Cgi/options.py mailman-2.1.18/Mailman/Cgi/options.py
--- mailman-2.1.18.orig/Mailman/Cgi/options.py	2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.18/Mailman/Cgi/options.py	2016-09-15 07:55:04.308506251 +0200
@@ -32,6 +32,7 @@
 from Mailman import i18n
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman.CSRFcheck import csrf_check
 
 SLASH = '/'
 SETLANGUAGE = -1
@@ -46,6 +47,8 @@
     True = 1
     False = 0
 
+AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+                 mm_cfg.AuthListModerator, mm_cfg.AuthUser)
 
 
 def main():
diff -Nur mailman-2.1.18.orig/Mailman/htmlformat.py mailman-2.1.18/Mailman/htmlformat.py
--- mailman-2.1.18.orig/Mailman/htmlformat.py	2016-09-15 07:54:30.000000000 +0200
+++ mailman-2.1.18/Mailman/htmlformat.py	2016-09-15 07:55:04.308506251 +0200
@@ -406,13 +406,14 @@
 
 class Form(Container):
     def __init__(self, action='', method='POST', encoding=None, 
-                       mlist=None, contexts=None, *items):
+                       mlist=None, contexts=None, user=None, *items):
         apply(Container.__init__, (self,) +  items)
         self.action = action
         self.method = method
         self.encoding = encoding
         self.mlist = mlist
         self.contexts = contexts
+        self.user = user
 
     def set_action(self, action):
         self.action = action
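Review bot: Inserting `user=None` ahead of `*items` in Form.__init__ shifts the positional parameters: any existing caller that passed container items positionally after `contexts` now has its first item bound to `user` and handed to csrf_token in the following Format hunk instead of being added to the container. Call sites should be grepped for positional use before this lands. Because Python 2 has no keyword-only parameters, a shape that keeps old positional calls intact is `def __init__(self, action='', method='POST', encoding=None, mlist=None, contexts=None, *items, **kw):` followed by `self.user = kw.get('user')`, which leaves `self.user` available to Format exactly as the patch intends.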
@@ -427,7 +428,7 @@
         if self.mlist:
             output = output + \
                 '<input type="hidden" name="csrf_token" value="%s">\n' \
-                % csrf_token(self.mlist, self.contexts)
+                % csrf_token(self.mlist, self.contexts, self.user)
         output = output + Container.Format(self, indent+2)
         output = '%s\n%s</FORM>\n' % (output, spaces)
         return output
diff -Nur mailman-2.1.18.orig/Mailman/HTMLFormatter.py mailman-2.1.18/Mailman/HTMLFormatter.py
--- mailman-2.1.18.orig/Mailman/HTMLFormatter.py	2014-05-03 19:37:22.000000000 +0200
+++ mailman-2.1.18/Mailman/HTMLFormatter.py	2016-09-15 07:55:04.308506251 +0200
@@ -28,6 +28,8 @@
 
 from Mailman.i18n import _
 
+from Mailman.CSRFcheck import csrf_token
+
 
 EMPTYSTRING = ''
 BR = '<br>'
@@ -314,12 +316,17 @@
             container.AddItem("</center>")
         return container
 
-    def FormatFormStart(self, name, extra=''):
+    def FormatFormStart(self, name, extra='',
+                        mlist=None, contexts=None, user=None):
         base_url = self.GetScriptURL(name)
         if extra:
             full_url = "%s/%s" % (base_url, extra)
         else:
             full_url = base_url
+        if mlist:
+            return ("""<form method="POST" action="%s">
+<input type="hidden" name="csrf_token" value="%s">""" 
+                % (full_url, csrf_token(mlist, contexts, user)))
         return ('<FORM Method=POST ACTION="%s">' % full_url)
 
     def FormatArchiveAnchor(self):
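Review bot: The new `if mlist:` branch in FormatFormStart silently falls through to the old token-less `<FORM Method=POST ...>` tag whenever a caller omits mlist, so a new call site that forgets the argument renders an unprotected form with no error or log line; a docstring stating that the csrf_token is only emitted when mlist is given, and that contexts and user are forwarded to csrf_token unchanged, would make that contract visible at the definition. The two return paths also differ in markup style, lowercase `<form method="POST" action="...">` with quoted attributes on the new path versus uppercase unquoted `<FORM Method=POST ACTION="%s">` on the old, and the string literal on the `"""<form` line ends with a trailing space after the opening quotes. Changing the fallback to `return ('<form method="POST" action="%s">' % full_url)` would align both paths without altering behaviour.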