139976 2006-07-11 02:56 0000 net-mail/mailman DoS, XSS, log spoofing (CVE-2006-2941|3636) 2007-11-16 09:25:31 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B3 [glsa] jaervosz P2 minor --- 1 jaervosz@gentoo.org security@gentoo.org hanno@gentoo.org hncaldwell@gentoo.org net-mail@gentoo.org tcort@gentoo.org jaervosz@gentoo.org 2006-07-11 02:56:36 0000 Hi Barry, hi vendor-sec, recently we got a report about a mailman DoS. This has not been published anywhere so far, so I would like to embargo this until this has been discussed with upstream and we agree on a solution. This is very similar to CVE-2006-0052; it's debatable whether the actual bug is in python's email module, but fixing this in mailman cannot hurt IMHO. Barry, please do not post information about this to any public place (including cvs commits) until we collectively decide to lift the embargo. This will give us time to prepare and test security updates without having to rush. The attached patch was created as a hotfix by one of our employees. Barry, I would appreciate if you can have a thorough look at it. Can someone please assign a CVE number? Thank you! Martin --------- snip ---------- Today, the launchpad development list, hosted on the Canonical server lists.canonical.com, stopped sending out email. Mail was accepted, but not sent on. New messages were "shunted" by Mailman. Here's a relevant part of the traceback. File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 361, in save_attachment fnext = os.path.splitext(msg.get_filename(''))[1] File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename filename = self.get_param('filename', missing, 'content-disposition') File "/usr/lib/python2.4/email/Message.py", line 590, in get_param for k, v in self._get_params_preserve(failobj, header): File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve params = Utils.decode_params(params) File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params charset, language, value = decode_rfc2231(EMPTYSTRING.join(value)) File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231 charset, language, s = parts ValueError: need more than 2 values to unpack The bug is actually in the email package of the python standard library. It is failing to properly handle the contents of the Content- Disposition: header when it contains a single quote character in the filename. This is called when the code msg.get_filename() or msg.get_filename('') in Mailman's Scrubber.py is run. If this problem is hacked around, you get another traceback of the same issue in a different place. File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 240, in process url = save_attachment(mlist, part, dir) File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 388, in save_attachment filename = msg.get_filename() File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename filename = self.get_param('filename', missing, 'content-disposition') File "/usr/lib/python2.4/email/Message.py", line 590, in get_param for k, v in self._get_params_preserve(failobj, header): File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve params = Utils.decode_params(params) File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params charset, language, value = decode_rfc2231(EMPTYSTRING.join(value)) File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231 charset, language, s = parts ValueError: need more than 2 values to unpack Hacking around this one fixed the issue on the Canonical servers. However, the call to get_filename() is also present in other code paths, apparently when the atachment is not multi-part MIME. I'll attach a patch that works around all three cases. --------- snip ---------- -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org In a world without walls and fences, who needs Windows and Gates? jaervosz@gentoo.org 2006-07-11 02:58:34 0000 Created an attachment (id=91439) mailman-scrubber.patch jaervosz@gentoo.org 2006-07-11 03:01:28 0000 hanno please advise and attach an updated ebuild to this bug if you want stable testing before the disclosure date. hanno@gentoo.org 2006-07-21 10:33:27 0000 Hi, this doesn't apply to the latest 2.1.8-mailman. For which version is this patch? dercorny@gentoo.org 2006-07-21 15:09:40 0000 forget the patch. python is also involved, the embargo date has been extended. it seems like there will be new python/email module version and mailman 2.9.1, which also fixes some XSS issues. I'll try to keep you updated, altough I cant promise. falco@gentoo.org 2006-09-04 05:11:19 0000 Public now, from Secunia : http://secunia.com/advisories/21732/ "SOLUTION: The vulnerabilities have been fixed in version 2.1.9rc1 and will also be fixed in the upcoming 2.1.9 version soon." Hanno, you should be able to find mailman-2.1.9rc1 on the mailman websites, e.g.: http://sourceforge.net/project/showfiles.php?group_id=103 cheers jaervosz@gentoo.org 2006-09-06 23:23:26 0000 Pulling in herd. Please provide an updated ebuild. hanno@gentoo.org 2006-09-07 08:10:42 0000 Bumped to 2.1.9_rc1, pretty much the same as 2.1.8_rc1. Archs please stabilize dertobi123@gentoo.org 2006-09-07 09:41:01 0000 ppc stable If there's a glsa you might want to add a note about the changed SLOT. falco@gentoo.org 2006-09-07 10:58:07 0000 > If there's a glsa you might want to add a note about the changed SLOT. > i don't know but i'll vote for a GLSA and i'll try to remember of your comment if necessary. maekke@gentoo.org 2006-09-07 11:44:27 0000 1.) compiles on x86 dodoc: contrib/mm-handler.readme does not exist 2.) passes collision-test (didn't do any further testing) emerge --info Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-rc6 i686) ================================================================= System uname: 2.6.18-rc6 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.4 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.3.5-r2, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r5 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 X acpi alsa asf avi berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr eds emboss encode fam ffmpeg firefox fortran gdbm gif gnome gpm gstreamer gtk hal ipv6 isdnlog java jpeg kde ldap libg++ mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex threads truetype truetype-fonts type1-fonts udev unicode vcd vorbis win32codecs xine xml xorg xprint xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux linguas_en linguas_de linguas_en_GB linguas_de_CH userland_GNU video_cards_i810 video_cards_fbdev video_cards_vesa" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY tsunam@gentoo.org 2006-09-07 21:28:49 0000 x86 stable ^_^ weeve@gentoo.org 2006-09-10 16:55:51 0000 SPARC stable tcort@gentoo.org 2006-09-11 07:25:27 0000 amd64 stable. jaervosz@gentoo.org 2006-09-13 23:08:57 0000 Sorry this one slipped under my radar. This one is ready for GLSA vote. I vote YES. frilled@gentoo.org 2006-09-13 23:26:41 0000 yes++ jaervosz@gentoo.org 2006-09-14 03:22:09 0000 Then let's have a GLSA on this one. jaervosz@gentoo.org 2006-09-19 06:38:17 0000 Thx everyone. GLSA 200609-12 rbu@gentoo.org 2007-11-16 09:25:31 0000 *** Bug 199306 has been marked as a duplicate of this bug. *** 91439 2006-07-11 02:58 0000 mailman-scrubber.patch mailman-scrubber.patch text/plain LS0tIFNjcnViYmVyLnB5Lm9yaWcJMjAwNi0wNi0xMyAyMjowNTo1My4wMDAwMDAwMDAgKzAzMDAK KysrIFNjcnViYmVyLnB5CTIwMDYtMDYtMTMgMjI6MDQ6MjQuMDAwMDAwMDAwICswMzAwCkBAIC0y NjYsNyArMjY2LDExIEBACiAgICAgICAgICAgICBmaW5hbGx5OgogICAgICAgICAgICAgICAgIG9z LnVtYXNrKG9tYXNrKQogICAgICAgICAgICAgZGVzYyA9IHBhcnQuZ2V0KCdjb250ZW50LWRlc2Ny aXB0aW9uJywgXygnbm90IGF2YWlsYWJsZScpKQotICAgICAgICAgICAgZmlsZW5hbWUgPSBwYXJ0 LmdldF9maWxlbmFtZShfKCdub3QgYXZhaWxhYmxlJykpCisgICAgICAgICAgICB0cnk6CisgICAg ICAgICAgICAgICAgZmlsZW5hbWUgPSBwYXJ0LmdldF9maWxlbmFtZShfKCdub3QgYXZhaWxhYmxl JykpCisgICAgICAgICAgICBleGNlcHQgVmFsdWVFcnJvcjoKKyAgICAgICAgICAgICAgICAjIEhh Y2sgdG8gZGVhbCB3aXRoIGZpbGVuYW1lIGNvbnRhaW5pbmcgJyBjaGFyYWN0ZXIuCisgICAgICAg ICAgICAgICAgZmlsZW5hbWUgPSBfKCdub3QgYXZhaWxhYmxlJykKICAgICAgICAgICAgIGRlbCBw YXJ0Wydjb250ZW50LXR5cGUnXQogICAgICAgICAgICAgZGVsIHBhcnRbJ2NvbnRlbnQtdHJhbnNm ZXItZW5jb2RpbmcnXQogICAgICAgICAgICAgcGFydC5zZXRfcGF5bG9hZChfKCIiIlwKQEAgLTM1 OCw4ICszNjIsMTYgQEAKICAgICAjIGUuZy4gaW1hZ2UvanBnIChzaG91bGQgYmUgaW1hZ2UvanBl ZykuICBGb3Igbm93IHdlIGp1c3Qgc3RvcmUgc3VjaAogICAgICMgdGhpbmdzIGFzIGFwcGxpY2F0 aW9uL29jdGV0LXN0cmVhbXMgc2luY2UgdGhhdCBzZWVtcyB0aGUgc2FmZXN0LgogICAgIGN0eXBl ID0gbXNnLmdldF9jb250ZW50X3R5cGUoKQotICAgIGZuZXh0ID0gb3MucGF0aC5zcGxpdGV4dCht c2cuZ2V0X2ZpbGVuYW1lKCcnKSlbMV0KLSAgICBleHQgPSBndWVzc19leHRlbnNpb24oY3R5cGUs IGZuZXh0KQorICAgIHRyeToKKyAgICAgICAgZm5leHQgPSBvcy5wYXRoLnNwbGl0ZXh0KG1zZy5n ZXRfZmlsZW5hbWUoJycpKVsxXQorICAgIGV4Y2VwdCBWYWx1ZUVycm9yOgorICAgICAgICAjIENh dGNoIHRoZSBjYXNlIHdoZW4gbXNnLmdldF9maWxlbmFtZSgnJykgZmFpbHMgd2l0aCBhCisgICAg ICAgICMgVmFsdWVFcnJvcjogbmVlZCBtb3JlIHRoYW4gMiB2YWx1ZXMgdG8gdW5wYWNrCisgICAg ICAgICMgRmlsZSAiL3Vzci9saWIvcHl0aG9uMi40L2VtYWlsL1V0aWxzLnB5IiwgbGluZSAyMjIs IGluIGRlY29kZV9yZmMyMjMxCisgICAgICAgICMgICBjaGFyc2V0LCBsYW5ndWFnZSwgcyA9IHBh cnRzCisgICAgICAgIGV4dCA9ICcnCisgICAgZWxzZToKKyAgICAgICAgZXh0ID0gZ3Vlc3NfZXh0 ZW5zaW9uKGN0eXBlLCBmbmV4dCkKICAgICBpZiBub3QgZXh0OgogICAgICAgICAjIFdlIGRvbid0 IGtub3cgd2hhdCBpdCBpcywgc28gYXNzdW1lIGl0J3MganVzdCBhIHNoYXBlbGVzcwogICAgICAg ICAjIGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbSwgdW5sZXNzIHRoZSBDb250ZW50LVR5cGU6IGlz CkBAIC0zNzcsNyArMzg5LDExIEBACiAgICAgdHJ5OgogICAgICAgICAjIE5vdyBiYXNlIHRoZSBm aWxlbmFtZSBvbiB3aGF0J3MgaW4gdGhlIGF0dGFjaG1lbnQsIHVuaXF1aWZ5aW5nIGl0IGlmCiAg ICAgICAgICMgbmVjZXNzYXJ5LgotICAgICAgICBmaWxlbmFtZSA9IG1zZy5nZXRfZmlsZW5hbWUo KQorICAgICAgICB0cnk6CisgICAgICAgICAgICBmaWxlbmFtZSA9IG1zZy5nZXRfZmlsZW5hbWUo KQorICAgICAgICBleGNlcHQgVmFsdWVFcnJvcjoKKyAgICAgICAgICAgICMgQW5vdGhlciBjYXNl IG9mIGNhdGNoaW5nIGZpbGVuYW1lcyB0aGF0IGNvbnRhaW4gYSAnIGNoYXJhY3Rlci4KKyAgICAg ICAgICAgIGZpbGVuYW1lID0gJycKICAgICAgICAgaWYgbm90IGZpbGVuYW1lOgogICAgICAgICAg ICAgZmlsZWJhc2UgPSAnYXR0YWNobWVudCcKICAgICAgICAgZWxzZToK