Control: tags 903674 + patch Control: tags 903674 + pending
Dear maintainer, I've prepared an NMU for mailman (versioned as 1:2.1.27-1.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru mailman-2.1.27/debian/changelog mailman-2.1.27/debian/changelog
--- mailman-2.1.27/debian/changelog 2018-06-23 15:23:17.000000000 +0200
+++ mailman-2.1.27/debian/changelog 2018-09-02 22:23:45.000000000 +0200
@@ -1,3 +1,11 @@
+mailman (1:2.1.27-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
+ (Closes: #903674)
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 02 Sep 2018 22:23:45 +0200
+
 mailman (1:2.1.27-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru mailman-2.1.27/debian/patches/93_CVE-2018-13796.patch mailman-2.1.27/debian/patches/93_CVE-2018-13796.patch
--- mailman-2.1.27/debian/patches/93_CVE-2018-13796.patch 1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.27/debian/patches/93_CVE-2018-13796.patch 2018-09-02 22:23:45.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Arbitrary text injection vulnerability in Mailman CGIs
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt
+Bug: https://bugs.launchpad.net/mailman/+bug/1780874
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13796
+Bug-Debian: https://bugs.debian.org/903674
+Forwarded: not-needed
+Author: Mark Sapiro <[email protected]>
+Reviewed-by: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2018-07-25
+Applied-Upstream: 2.1.29
+
+=== modified file 'Mailman/Utils.py'
+--- a/Mailman/Utils.py 2018-07-11 06:52:22 +0000
++++ b/Mailman/Utils.py 2018-07-24 21:48:54 +0000
+@@ -280,17 +280,28 @@
+ def GetPathPieces(envar='PATH_INFO'):
+ path = os.environ.get(envar)
+ if path:
++ remote = os.environ.get('HTTP_FORWARDED_FOR',
++ os.environ.get('HTTP_X_FORWARDED_FOR',
++ os.environ.get('REMOTE_ADDR',
++ 'unidentified origin')))
+ if CRNLpat.search(path):
+ path = CRNLpat.split(path)[0]
+- remote = os.environ.get('HTTP_FORWARDED_FOR',
+- os.environ.get('HTTP_X_FORWARDED_FOR',
+- os.environ.get('REMOTE_ADDR',
+- 'unidentified origin')))
+ syslog('error',
+ 'Warning: Possible malformed path attack domain=%s remote=%s',
+ get_domain(),
+ remote)
+- return [p for p in path.split('/') if p]
++ # Check for listname injections that won't be websafed.
++ pieces = [p for p in path.split('/') if p]
++ # Get the longest listname or 20 if none.
++ if list_names():
++ longest = max([len(x) for x in list_names()])
++ else:
++ longest = 20
++ if pieces and len(pieces[0]) > longest:
++ syslog('mischief',
++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
++ pieces[0] = pieces[0][:longest] + '...'
++ return pieces
+ return None
+ 
+ 
+
diff -Nru mailman-2.1.27/debian/patches/series mailman-2.1.27/debian/patches/series
--- mailman-2.1.27/debian/patches/series 2018-06-23 15:21:41.000000000 +0200
+++ mailman-2.1.27/debian/patches/series 2018-09-02 22:23:45.000000000 +0200
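Review bot: The length check on `pieces[0]` in GetPathPieces only caps injected text, it does not reject it: a first path component no longer than the longest existing list name (or 20 characters when there are no lists) is still returned unchanged, and the bound grows with the site's longest list name. That limit deserves a comment next to the check, for example `# Mitigation only: text no longer than the longest listname still passes through unchanged.` The check also calls `list_names()` twice on every request with a path; binding it once (`names = list_names()`, then `if names:` and `longest = max([len(x) for x in names])`) avoids the second call. Separately, the `remote` value written to the new 'mischief' log prefers `HTTP_FORWARDED_FOR` and `HTTP_X_FORWARDED_FOR` over `REMOTE_ADDR`, so unless a trusted proxy sets those headers the logged origin is chosen by the requester; logging `REMOTE_ADDR` alongside would keep the entry usable for incident response.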
@@ -9,3 +9,4 @@
 66_donot_let_cache_html_pages.patch
 79_archiver_slash.patch
 92_reproducible_build.patch
+93_CVE-2018-13796.patch

