Hello community, here is the log from the commit of package mailman for openSUSE:Leap:15.2 checked in at 2020-05-18 10:58:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/mailman (Old) and /work/SRC/openSUSE:Leap:15.2/.mailman.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mailman" Mon May 18 10:58:56 2020 rev:19 rq:805859 version:2.1.29 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/mailman/mailman.changes 2020-05-06 20:42:03.124851630 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.mailman.new.2738/mailman.changes 2020-05-18 10:58:58.206583783 +0200 @@ -1,0 +2,21 @@ +Tue May 12 12:31:04 UTC 2020 - Matej Cepl <[email protected]> + +- Add CVE-2020-12108_injection_options.patch fixing bsc#1171363 + (CVE-2020-12108) +- Make two remaining patches -p1 as well: + - mailman-2.1.26-list_lists.patch + - mailman-wrapper.patch + +------------------------------------------------------------------- +Mon May 11 20:36:45 UTC 2020 - Matej Cepl <[email protected]> + +- Don't default to invalid hosts for DEFAULT_EMAIL_HOST + (bsc#682920), adjust mailman-2.1.14-python.dif. +- Reapply and adjust remaining patches: + - mailman-2.1.14-editarch.patch + - mailman-2.1.4-dirmode.patch + - mailman-2.1.4-notavaliduser.patch + - mailman-2.1.5-no_extra_asian.dif + - mailman-weak-password.diff + +------------------------------------------------------------------- New: ---- CVE-2020-12108_injection_options.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mailman.spec ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.758584925 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.766584942 +0200 @@ -59,6 +59,9 @@ Patch11: mailman-2.1.4-notavaliduser.patch Patch17: mailman-weak-password.diff Patch18: mailman-2.1.5-no_extra_asian.dif +# PATCH-FIX-UPSTREAM CVE-2020-12108_injection_options.patch bsc#1171363 [email protected] +# arbitrary content injection in options.py +Patch19: CVE-2020-12108_injection_options.patch BuildRequires: krb5 BuildRequires: pcre-devel BuildRequires: postfix 
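Review bot: The Patch19 tag comment is split over two `#` lines, so the description `arbitrary content injection in options.py` sits detached from the `# PATCH-FIX-UPSTREAM` line that the patch-tagging convention expects to carry it after the reference and address. Folding it into one line keeps the tag machine-readable: `# PATCH-FIX-UPSTREAM CVE-2020-12108_injection_options.patch bsc#1171363 [email protected] -- arbitrary content injection in options.py`. The Patch19 line itself is fine and matches the file added in the changes entry.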
@@ -88,15 +91,8 @@ %prep %setup -q -%patch1 -%patch3 -%patch5 -p1 -%patch6 -p1 -%patch7 -%patch10 -p1 -%patch11 -p1 -%patch17 -p1 -%patch18 +%autopatch -p1 + cp -av %{SOURCE1} . %build ++++++ CVE-2020-12108_injection_options.patch ++++++ === modified file 'Mailman/Cgi/options.py' --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -172,7 +172,7 @@ def main(): try: Utils.ValidateEmail(user) except Errors.EmailAddressError: - doc.addError(_('Illegal Email Address: %(safeuser)s')) + doc.addError(_('Illegal Email Address')) loginpage(mlist, doc, None, language) print doc.Format() return ++++++ mailman-2.1.14-editarch.patch ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.842585100 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.842585100 +0200 @@ -1,8 +1,6 @@ -Index: mailman-2.1.14/Mailman/Cgi/admin.py -=================================================================== ---- mailman-2.1.14.orig/Mailman/Cgi/admin.py -+++ mailman-2.1.14/Mailman/Cgi/admin.py -@@ -416,6 +416,8 @@ def show_results(mlist, doc, category, s +--- a/Mailman/Cgi/admin.py ++++ b/Mailman/Cgi/admin.py +@@ -471,6 +471,8 @@ def show_results(mlist, doc, category, s _('Go to the general list information page'))) otherlinks.AddItem(Link(mlist.GetScriptURL('edithtml'), _('Edit the public HTML pages and text files'))) @@ -11,10 +9,8 @@ otherlinks.AddItem(Link(mlist.GetBaseArchiveURL(), _('Go to list archives')).Format() + '<br> <br>') -Index: mailman-2.1.14/Mailman/Cgi/editarch.py -=================================================================== --- /dev/null -+++ mailman-2.1.14/Mailman/Cgi/editarch.py ++++ b/Mailman/Cgi/editarch.py @@ -0,0 +1,509 @@ +# Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001,2002 by the Free Software Foundation, Inc. 
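Review bot: The CVE patch file carries no provenance — it opens directly with `=== modified file 'Mailman/Cgi/options.py'` and has no line naming the upstream revision or the CVE it backports, even though the spec tags it PATCH-FIX-UPSTREAM; a header such as `# CVE-2020-12108 / bsc#1171363, backported from upstream revision <fill in>` lets the next rebase be checked against upstream, and the rebased mailman-2.1.14-python.dif and mailman-wrapper.patch headers in this commit would benefit from the same. The one-line fix drops the caller-supplied `safeuser` from the error text, which is what removes the reflected content from the page; since only this addError site is patched, it is worth confirming whether any other place in options.py that interpolates `%(safeuser)s` into page text received the same treatment upstream. main() continues outside the hunk.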
@@ -525,11 +521,9 @@ + for thing, repl in repls: + s = s.replace(thing, repl) + return Utils.uncanonstr(s, lang) -Index: mailman-2.1.14/Mailman/Defaults.py.in -=================================================================== ---- mailman-2.1.14.orig/Mailman/Defaults.py.in -+++ mailman-2.1.14/Mailman/Defaults.py.in -@@ -1390,6 +1390,10 @@ PIDFILE = os.path.join(DATA_DIR, 'master +--- a/Mailman/Defaults.py.in ++++ b/Mailman/Defaults.py.in +@@ -1733,6 +1733,10 @@ PIDFILE = os.path.join(DATA_DIR, 'master SITE_PW_FILE = os.path.join(DATA_DIR, 'adm.pw') LISTCREATOR_PW_FILE = os.path.join(DATA_DIR, 'creator.pw') @@ -540,11 +534,9 @@ # Import a bunch of version numbers from Version import * -Index: mailman-2.1.14/configure -=================================================================== ---- mailman-2.1.14.orig/configure -+++ mailman-2.1.14/configure -@@ -5029,6 +5029,7 @@ build/cron/cull_bad_shunt:cron/cull_bad_ +--- a/configure ++++ b/configure +@@ -4585,6 +4585,7 @@ build/cron/cull_bad_shunt:cron/cull_bad_ build/cron/disabled:cron/disabled \ build/cron/gate_news:cron/gate_news \ build/cron/mailpasswds:cron/mailpasswds \ @@ -552,11 +544,9 @@ build/cron/nightly_gzip:cron/nightly_gzip \ build/cron/senddigests:cron/senddigests \ " -Index: mailman-2.1.14/configure.in -=================================================================== ---- mailman-2.1.14.orig/configure.in -+++ mailman-2.1.14/configure.in -@@ -688,6 +688,7 @@ cron/cull_bad_shunt \ +--- a/configure.in ++++ b/configure.in +@@ -733,6 +733,7 @@ cron/cull_bad_shunt \ cron/disabled \ cron/gate_news \ cron/mailpasswds \ @@ -564,10 +554,8 @@ cron/nightly_gzip \ cron/senddigests \ ]) -Index: mailman-2.1.14/cron/Makefile.in -=================================================================== ---- mailman-2.1.14.orig/cron/Makefile.in -+++ mailman-2.1.14/cron/Makefile.in +--- a/cron/Makefile.in ++++ b/cron/Makefile.in @@ -42,7 +42,7 @@ CRONDIR= $(prefix)/cron SHELL= /bin/sh 
@@ -577,10 +565,8 @@ FILES= crontab.in BUILDDIR= ../build/cron -Index: mailman-2.1.14/cron/crontab.in.in -=================================================================== ---- mailman-2.1.14.orig/cron/crontab.in.in -+++ mailman-2.1.14/cron/crontab.in.in +--- a/cron/crontab.in.in ++++ b/cron/crontab.in.in @@ -25,3 +25,7 @@ # # At 4:30AM daily, cull old entries from the 'bad' and 'shunt' queues. @@ -589,10 +575,8 @@ +# At 3:57am every night, reprocess archives that have been edited. +57 3 * * * @PYTHON@ -S @prefix@/cron/nightly_archives + -Index: mailman-2.1.14/cron/nightly_archives -=================================================================== --- /dev/null -+++ mailman-2.1.14/cron/nightly_archives ++++ b/cron/nightly_archives @@ -0,0 +1,126 @@ +#! @PYTHON@ +# @@ -720,11 +704,9 @@ + +if __name__ == '__main__': + main() -Index: mailman-2.1.14/src/Makefile.in -=================================================================== ---- mailman-2.1.14.orig/src/Makefile.in -+++ mailman-2.1.14/src/Makefile.in -@@ -70,7 +70,7 @@ DIRSETGID= chmod g+s +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -72,7 +72,7 @@ DIRSETGID= chmod g+s # Fixed definitions ++++++ mailman-2.1.14-python.dif ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.854585124 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.858585132 +0200 
@@ -1,19 +1,17 @@ -Index: Mailman/Defaults.py.in -=================================================================== ---- Mailman/Defaults.py.in.orig 2014-02-14 18:26:31.045186987 +0100 -+++ Mailman/Defaults.py.in 2014-02-14 18:26:32.847196660 +0100 -@@ -83,8 +83,8 @@ +--- a/Mailman/Defaults.py.in ++++ b/Mailman/Defaults.py.in +@@ -83,8 +83,8 @@ MAILMAN_URL = 'http://www.gnu.org/softwa # add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST) # # because otherwise the default mappings won't be correct. -DEFAULT_EMAIL_HOST = '@MAILHOST@' -DEFAULT_URL_HOST = '@URLHOST@' -+DEFAULT_EMAIL_HOST = '(unused)' -+DEFAULT_URL_HOST = '(unused)' ++DEFAULT_EMAIL_HOST = 'unused' ++DEFAULT_URL_HOST = 'unused' DEFAULT_URL_PATTERN = 'http://%s/mailman/' # DEFAULT_HOST_NAME has been replaced with DEFAULT_EMAIL_HOST, however some -@@ -1408,8 +1408,8 @@ +@@ -1604,8 +1604,8 @@ if EXEC_PREFIX == '${prefix}': CGIEXT = '@CGIEXT@' # Group id that group-owns the Mailman installation @@ -24,11 +22,9 @@ # Enumeration for Mailman cgi widget types Toggle = 1 -Index: misc/Makefile.in -=================================================================== ---- misc/Makefile.in.orig 2014-02-14 18:26:31.045186987 +0100 -+++ misc/Makefile.in 2014-02-14 18:26:32.848196665 +0100 -@@ -47,9 +47,9 @@ +--- a/misc/Makefile.in ++++ b/misc/Makefile.in +@@ -47,9 +47,9 @@ SCRIPTSDIR= $(prefix)/scripts SHELL= /bin/sh PYTHONLIBDIR= $(prefix)/pythonlib ++++++ mailman-2.1.26-list_lists.patch ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.866585149 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.866585149 +0200 @@ -1,6 +1,6 @@ ---- bin/list_lists 2018-02-04 18:04:39.000000000 +0100 -+++ bin/list_lists 2018-03-15 17:00:17.090758128 +0100 -@@ -37,6 +37,13 @@ +--- a/bin/list_lists ++++ b/bin/list_lists +@@ -37,6 +37,13 @@ Where: -b / --bare Displays only the list name, with no description. 
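Review bot: `'unused'` is a syntactically valid host label where the previous `'(unused)'` was not, so an installation that never sets DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST in mm_cfg.py will now quietly generate list addresses and URLs on a host called `unused` instead of failing on the invalid value; that is presumably the intent behind bsc#682920, but the placeholder deserves a comment in the patched Defaults.py.in saying so, e.g. `# Placeholder only: set DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST in mm_cfg.py`. The context lines in the hunk already tell the site to call add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST), so that is the natural place for the note. The `@@ -1408` to `@@ -1604` change later in this file is only an offset rebase.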
@@ -14,7 +14,7 @@ -h / --help Print this text and exit. -@@ -69,8 +76,10 @@ +@@ -69,8 +76,10 @@ def usage(code, msg=''): def main(): try: @@ -26,7 +26,7 @@ 'virtual-host-overview=', 'help']) except getopt.error, msg: -@@ -80,17 +89,20 @@ +@@ -80,17 +89,20 @@ def main(): public = 0 vhost = None bare = 0 @@ -48,7 +48,7 @@ names = Utils.list_names() names.sort() -@@ -107,6 +119,8 @@ +@@ -107,6 +119,8 @@ def main(): continue if public and mlist.archive_private: continue ++++++ mailman-2.1.4-dirmode.patch ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.886585191 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.886585191 +0200 @@ -1,6 +1,6 @@ ---- mailman-2.1.6/Makefile.in -+++ mailman-2.1.6/Makefile.in -@@ -103,7 +103,7 @@ +--- a/Makefile.in ++++ b/Makefile.in +@@ -103,7 +103,7 @@ doinstall: $(SUBDIRS) if test ! -d $$dir; then \ echo "Creating directory hierarchy $$dir"; \ $(srcdir)/mkinstalldirs $$dir; \ @@ -9,7 +9,7 @@ $(DIRSETGID) $$dir; \ else true; \ fi; \ -@@ -115,7 +115,7 @@ +@@ -115,7 +115,7 @@ doinstall: $(SUBDIRS) if test ! -d $$dir; then \ echo "Creating directory hierarchy $$dir"; \ $(srcdir)/mkinstalldirs $$dir; \ @@ -18,9 +18,9 @@ $(DIRSETGID) $$dir; \ else true; \ fi; \ ---- mailman-2.1.6/bin/check_perms -+++ mailman-2.1.6/bin/check_perms -@@ -70,6 +70,7 @@ +--- a/bin/check_perms ++++ b/bin/check_perms +@@ -71,6 +71,7 @@ class State: STATE = State() DIRPERMS = S_ISGID | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH @@ -28,7 +28,7 @@ QFILEPERMS = S_ISGID | S_IRWXU | S_IRWXG PYFILEPERMS = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ARTICLEFILEPERMS = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP -@@ -174,8 +175,7 @@ +@@ -182,8 +183,7 @@ def checkall(): prefix = mm_cfg.PREFIX print C_('checking mode for %(prefix)s') dirs = {} 
@@ -38,7 +38,7 @@ dirs[d] = True for d in dirs.keys(): try: -@@ -184,14 +184,24 @@ +@@ -192,14 +192,24 @@ def checkall(): if e.errno <> errno.ENOENT: raise print C_('WARNING: directory does not exist: %(d)s') continue ++++++ mailman-2.1.4-notavaliduser.patch ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.894585207 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.894585207 +0200 @@ -1,6 +1,6 @@ ---- mailman-2.1.4/Mailman/Cgi/options.py -+++ mailman-2.1.4/Mailman/Cgi/options.py -@@ -626,6 +626,10 @@ +--- a/Mailman/Cgi/options.py ++++ b/Mailman/Cgi/options.py +@@ -789,6 +789,10 @@ address. Upon confirmation, any other m msg += _('You may get one last digest.') options_page(mlist, doc, user, cpuser, userlang, msg) ++++++ mailman-2.1.5-no_extra_asian.dif ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.902585223 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.906585232 +0200 @@ -1,6 +1,6 @@ ---- misc/paths.py.in -+++ misc/paths.py.in -@@ -70,14 +70,14 @@ +--- a/misc/paths.py.in ++++ b/misc/paths.py.in +@@ -71,14 +71,14 @@ sys.path.append(distdir) # In a normal interactive Python environment, the japanese.pth and korean.pth # files would be imported automatically. But because we inhibit the importing # of the site module, we need to be explicit about importing these codecs. ++++++ mailman-weak-password.diff ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.934585290 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.934585290 +0200 
@@ -1,6 +1,6 @@ ---- mailman-2.1.6/Mailman/Defaults.py.in.orig 2005-07-03 01:06:10.377504831 +0200 -+++ mailman-2.1.6/Mailman/Defaults.py.in 2005-07-03 01:06:20.566725790 +0200 -@@ -797,7 +797,7 @@ +--- a/Mailman/Defaults.py.in ++++ b/Mailman/Defaults.py.in +@@ -1069,7 +1069,7 @@ DEFAULT_NEW_MEMBER_OPTIONS = 256 # Set this value to No to use more cryptographically secure, but harder to # remember, passwords -- if your operating system and Python version support # the necessary feature (specifically that /dev/urandom be available). ++++++ mailman-wrapper.patch ++++++ --- /var/tmp/diff_new_pack.oCGOhl/_old 2020-05-18 10:58:58.946585314 +0200 +++ /var/tmp/diff_new_pack.oCGOhl/_new 2020-05-18 10:58:58.950585323 +0200 @@ -1,5 +1,5 @@ ---- src/cgi-wrapper.c -+++ src/cgi-wrapper.c +--- a/src/cgi-wrapper.c ++++ b/src/cgi-wrapper.c @@ -33,7 +33,7 @@ const char* logident = LOG_IDENT; char* script = SCRIPTNAME; @@ -9,7 +9,7 @@ int main(int argc, char** argv, char** env) -@@ -42,7 +42,7 @@ +@@ -42,7 +42,7 @@ main(int argc, char** argv, char** env) char* fake_argv[3]; running_as_cgi = 1; @@ -18,9 +18,9 @@ /* For these CGI programs, we can ignore argc and argv since they * don't contain anything useful. `script' will always be the driver ---- src/common.c -+++ src/common.c -@@ -117,47 +117,27 @@ +--- a/src/common.c ++++ b/src/common.c +@@ -117,47 +117,27 @@ fatal(const char* ident, int exitcode, c /* Is the parent process allowed to call us? */ void @@ -32,7 +32,10 @@ - char* option; - char* server; - char* wrapper; -- ++ FILE *gidfile_h; ++ GID_T parentgid; ++ GID_T mygid = getgid(); + - if (running_as_cgi) { - option = "--with-cgi-gid"; - server = "web"; @@ -43,10 +46,6 @@ - server = "mail"; - wrapper = "mail"; - } -+ FILE *gidfile_h; -+ GID_T parentgid; -+ GID_T mygid = getgid(); -+ + if ((gidfile_h = fopen(gidfile, "r")) == NULL) + fatal(ident, GROUP_NAME_NOT_FOUND, + "Cannot open wrapper configuration file: %s", 
@@ -55,12 +54,6 @@ + fatal(ident, GROUP_NAME_NOT_FOUND, + "Cannot read wrapper configuration file."); + fclose(gidfile_h); -+ -+ if (parentgid != mygid) { -+ fatal(ident, GROUP_MISMATCH, -+ "Failure to exec script. WANTED gid %ld, GOT gid %ld.", -+ parentgid, mygid); -+ } - if (!mygroup) - fatal(ident, GROUP_NAME_NOT_FOUND, @@ -73,7 +66,12 @@ - "\"%s\".", - mygid, wrapper, parentgroup, server, mygid, mygid, - parentgroup, server, parentgroup); -- ++ if (parentgid != mygid) { ++ fatal(ident, GROUP_MISMATCH, ++ "Failure to exec script. WANTED gid %ld, GOT gid %ld.", ++ parentgid, mygid); ++ } + - if (strcmp(parentgroup, mygroup->gr_name)) - fatal(ident, GROUP_MISMATCH, - "Group mismatch error. Mailman expected the %s\n" @@ -87,8 +85,8 @@ } ---- src/mail-wrapper.c -+++ src/mail-wrapper.c +--- a/src/mail-wrapper.c ++++ b/src/mail-wrapper.c @@ -27,6 +27,7 @@ const char* parentgroup = LEGAL_PARENT_GROUP; @@ -97,7 +95,7 @@ -@@ -74,7 +75,7 @@ +@@ -74,7 +75,7 @@ main(int argc, char** argv, char** env) fatal(logident, MAIL_ILLEGAL_COMMAND, "Illegal command: %s", argv[1]);
