Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

Mailman in stretch is affected by the minor issue CVE-2018-13796, allowing injection of text into the "No such list" error response. See https://bugs.launchpad.net/mailman/+bug/1780874 . This won't warrant a DSA.

debian/changelog entry:

> mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
>
>   * Non-maintainer upload.
>   * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
>     (Closes: #903674)
>
>  -- Salvatore Bonaccorso <car...@debian.org>  Mon, 03 Sep 2018 22:00:38 +0200

and full debdiff attached against the 1:2.1.23-1+deb9u3 version. The issue has been tested in a container instance with the hint given by https://bugs.launchpad.net/mailman/+bug/1780874 .

Regards,
Salvatore
diff -Nru mailman-2.1.23/debian/changelog mailman-2.1.23/debian/changelog --- mailman-2.1.23/debian/changelog 2018-07-14 23:26:09.000000000 +0200 +++ mailman-2.1.23/debian/changelog 2018-09-03 22:00:38.000000000 +0200 @@ -1,3 +1,11 @@ +mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium + + * Non-maintainer upload. + * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796) + (Closes: #903674) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 03 Sep 2018 22:00:38 +0200 + mailman (1:2.1.23-1+deb9u3) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch --- mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 1970-01-01 01:00:00.000000000 +0100 +++ mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 2018-09-03 22:00:38.000000000 +0200 
@@ -0,0 +1,49 @@ +Description: Arbitrary text injection vulnerability in Mailman CGIs +Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt +Bug: https://bugs.launchpad.net/mailman/+bug/1780874 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13796 +Bug-Debian: https://bugs.debian.org/903674 +Forwarded: not-needed +Author: Mark Sapiro <m...@msapiro.net> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2018-07-25 +Applied-Upstream: 2.1.29 + +=== modified file 'Mailman/Utils.py' +--- a/Mailman/Utils.py 2018-07-11 06:52:22 +0000 ++++ b/Mailman/Utils.py 2018-07-24 21:48:54 +0000 +@@ -280,17 +280,28 @@ + def GetPathPieces(envar='PATH_INFO'): + path = os.environ.get(envar) + if path: ++ remote = os.environ.get('HTTP_FORWARDED_FOR', ++ os.environ.get('HTTP_X_FORWARDED_FOR', ++ os.environ.get('REMOTE_ADDR', ++ 'unidentified origin'))) + if CRNLpat.search(path): + path = CRNLpat.split(path)[0] +- remote = os.environ.get('HTTP_FORWARDED_FOR', +- os.environ.get('HTTP_X_FORWARDED_FOR', +- os.environ.get('REMOTE_ADDR', +- 'unidentified origin'))) + syslog('error', + 'Warning: Possible malformed path attack domain=%s remote=%s', + get_domain(), + remote) +- return [p for p in path.split('/') if p] ++ # Check for listname injections that won't be websafed. ++ pieces = [p for p in path.split('/') if p] ++ # Get the longest listname or 20 if none. ++ if list_names(): ++ longest = max([len(x) for x in list_names()]) ++ else: ++ longest = 20 ++ if pieces and len(pieces[0]) > longest: ++ syslog('mischief', ++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote) ++ pieces[0] = pieces[0][:longest] + '...' ++ return pieces + return None + + + diff -Nru mailman-2.1.23/debian/patches/series mailman-2.1.23/debian/patches/series --- mailman-2.1.23/debian/patches/series 2018-07-14 23:26:09.000000000 +0200 +++ mailman-2.1.23/debian/patches/series 2018-09-03 22:00:38.000000000 +0200 
@@ -12,3 +12,4 @@ 91_utf8.patch 92_CVE-2018-5950.patch 93_CVE-2018-0618.patch +94_CVE-2018-13796.patch
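Review bot: the debian/changelog entry names the CVE and the bug but not the user-visible behaviour change in 94_CVE-2018-13796.patch: a list name in the request path longer than the longest existing list name (or 20 characters when no lists exist) is now truncated with '...' before being echoed, and the event is written to the mischief log as 'Hostile listname'. A short sentence to that effect would help administrators interpret the new log lines after the update.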
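Review bot: in the truncation block added to GetPathPieces in Mailman/Utils.py, `list_names()` is called twice, once in the `if list_names():` test and again inside `max([len(x) for x in list_names()])`; bind the result once (`names = list_names()`) and derive `longest` from it so the list is only enumerated a single time per request. A second point in the same block: `syslog('mischief', 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)` logs the full untruncated `pieces[0]`, so an arbitrarily long first path segment is written unbounded to the mischief log; logging `pieces[0][:longest]` (or just its length) keeps log lines bounded while preserving the evidence. Hoisting the `remote` lookup above the CRNLpat check is correct, because the new mischief log line needs it on the non-CRNL path as well.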