*** This bug is a security vulnerability *** Private security bug reported:
The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix. The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../tmp/[email protected]), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack. The recommended Exim configiration does check that the lists/${lc::$local_part}/config.pck file does exist, put this check is also vulnerable to the path traversal attack. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this bug" https://bugs.launchpad.net/bugs/1437145/+attachment/4357559/+files/p -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1437145 Title: Path traversal vulnerability exists in Mailman and can be exploited if Mailman's MTA is Exim. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1437145/+subscriptions _______________________________________________ Mailman-coders mailing list [email protected] https://mail.python.org/mailman/listinfo/mailman-coders
