svn commit: r534284 - in branches/2020Q2/mail/mailman: . files
Matthias Andree
mandree at FreeBSD.org
Thu May 7 19:56:39 UTC 2020
Author: mandree
Date: Thu May 7 19:56:38 2020
New Revision: 534284
URL: https://svnweb.freebsd.org/changeset/ports/534284
Log:
mail/mailman: fix another content injection vuln via private archive login
This led up to mailman 2.1.33 today.
https://bugs.launchpad.net/mailman/+bug/1877379
https://launchpadlibrarian.net/478684932/private.diff
https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/
Approved by: ports-secteam@ (blanket for security fixes)
Security: 88760f4d-8ef7-11ea-a66d-4b2ef158be83
Added:
branches/2020Q2/mail/mailman/files/patch-1-security-88760f4d-8ef7-11ea-a66d-4b2ef158be83 (contents, props changed)
Modified:
branches/2020Q2/mail/mailman/Makefile
Modified: branches/2020Q2/mail/mailman/Makefile
==============================================================================
--- branches/2020Q2/mail/mailman/Makefile Thu May 7 19:56:00 2020 (r534283)
+++ branches/2020Q2/mail/mailman/Makefile Thu May 7 19:56:38 2020 (r534284)
@@ -3,7 +3,7 @@
PORTNAME= mailman
DISTVERSION= 2.1.30
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= mail
MASTER_SITES= GNU \
SF/${PORTNAME}/Mailman%202.1%20%28stable%29/${PORTVERSION} \
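Review bot: the PORTREVISION bump from 3 to 4 is the right mechanism here, since DISTVERSION stays at 2.1.30 and the fix ships as a local files/ patch rather than the upstream 2.1.33 release mentioned in the log, so only the package revision tells users they have the patched build. Make sure the VuXML entry named in the Security: line (88760f4d-8ef7-11ea-a66d-4b2ef158be83) lists 2.1.30_4 as the first fixed version for this branch, otherwise `pkg audit` will keep flagging the rebuilt package as vulnerable.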
Added: branches/2020Q2/mail/mailman/files/patch-1-security-88760f4d-8ef7-11ea-a66d-4b2ef158be83
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2020Q2/mail/mailman/files/patch-1-security-88760f4d-8ef7-11ea-a66d-4b2ef158be83 Thu May 7 19:56:38 2020 (r534284)
@@ -0,0 +1,29 @@
+This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722
+except the vector is the private archive login page and the attack only
+succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.
+
+This is fixed by the attached patch.
+
+Source: https://bugs.launchpad.net/mailman/+bug/1877379
+Deep: https://launchpadlibrarian.net/478684932/private.diff
+
+--- Mailman/Cgi/private.py 2019-03-06 17:48:32 +0000
++++ Mailman/Cgi/private.py 2020-05-07 13:42:03 +0000
+@@ -162,13 +162,9 @@
+ if mlist.isMember(username):
+ mlist.MailUserPassword(username)
+ elif username:
+- # Not a member
+- if mlist.private_roster == 0:
+- # Public rosters
+- safeuser = Utils.websafe(username)
+- message = Bold(FontSize('+1',
+- _('No such member: %(safeuser)s.'))).Format()
+- else:
++ # Not a member. Don't report address in any case. It leads to
++ # Content injection. Just log if roster is not public.
++ if mlist.private_roster != 0:
+ syslog('mischief',
+ 'Reminder attempt of non-member w/ private rosters: %s',
+ username)
+
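Review bot: the inner hunk in Mailman/Cgi/private.py removes the only assignment to `message` visible in this context (the `safeuser` / `No such member: %(safeuser)s.` branch), while the `elif username:` path still falls through to whatever renders `message` afterwards; confirm that `message` is initialised before this block (not shown in the hunk), or the non-member, public-roster case would now fail with an unbound variable instead of quietly rendering the page. The hardening itself is sound: the submitted address is no longer echoed into the page under any private_roster value, which is what closed the injection vector, and the `syslog('mischief', ...)` record is kept for the private-roster case so the attempts remain visible in logs. Two style points: the nested headers `--- Mailman/Cgi/private.py` / `+++ Mailman/Cgi/private.py` do not follow the usual `.orig` convention for files/ patches (harmless, since PATCH applies it in place, but worth normalising), and the `Deep:` label above the launchpadlibrarian URL looks like it was meant to read `Diff:`.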