Bug 139976 - net-mail/mailman DoS, XSS, log spoofing (CVE-2006-2941|3636)
Bug#: 139976
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
Summary: net-mail/mailman DoS, XSS, log spoofing (CVE-2006-2941|3636)
Status Whiteboard: B3 [glsa] jaervosz
Opened: 2006-07-11 02:56 0000

Hi Barry, hi vendor-sec,
recently we got a report about a mailman DoS. This has not been
published anywhere so far, so I would like to embargo this until this
has been discussed with upstream and we agree on a solution.
This is very similar to CVE-2006-0052; it's debatable whether the
actual bug is in python's email module, but fixing this in mailman
cannot hurt IMHO.
Barry, please do not post information about this to any public place
(including cvs commits) until we collectively decide to lift the
embargo. This will give us time to prepare and test security updates
without having to rush.
The attached patch was created as a hotfix by one of our employees.
Barry, I would appreciate if you can have a thorough look at it.
Can someone please assign a CVE number?
Thank you!
Martin
--------- snip ----------
Today, the launchpad development list, hosted on the Canonical server
lists.canonical.com, stopped sending out email. Mail was accepted, but
not sent on.
New messages were "shunted" by Mailman.
Here's a relevant part of the traceback.
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 361, in save_attachment
    fnext = os.path.splitext(msg.get_filename(''))[1]
  File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename
    filename = self.get_param('filename', missing, 'content-disposition')
  File "/usr/lib/python2.4/email/Message.py", line 590, in get_param
    for k, v in self._get_params_preserve(failobj, header):
  File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve
    params = Utils.decode_params(params)
  File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params
    charset, language, value = decode_rfc2231(EMPTYSTRING.join(value))
  File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231
    charset, language, s = parts
ValueError: need more than 2 values to unpack
The bug is actually in the email package of the python standard library.
It is failing to properly handle the contents of the Content-Disposition:
header when it contains a single quote character in the filename. This is
called when the code msg.get_filename() or msg.get_filename('') in
Mailman's Scrubber.py is run.
If this problem is hacked around, you get another traceback of the same
issue in a different place.
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 240, in process
    url = save_attachment(mlist, part, dir)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 388, in save_attachment
    filename = msg.get_filename()
  File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename
    filename = self.get_param('filename', missing, 'content-disposition')
  File "/usr/lib/python2.4/email/Message.py", line 590, in get_param
    for k, v in self._get_params_preserve(failobj, header):
  File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve
    params = Utils.decode_params(params)
  File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params
    charset, language, value = decode_rfc2231(EMPTYSTRING.join(value))
  File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231
    charset, language, s = parts
ValueError: need more than 2 values to unpack
Hacking around this one fixed the issue on the Canonical servers.
However, the call to get_filename() is also present in other code paths,
apparently when the attachment is not multi-part MIME.
I'll attach a patch that works around all three cases.
--------- snip ----------
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
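An added example, not code from the bug report, Mailman or Python upstream: it models the RFC 2231 parameter decoding that the tracebacks above show failing (the three-way unpack of `charset, language, s = parts`) beside a hardened version that treats anything short of charset'language'value as a plain string, which is the defensive shape a parser of untrusted headers should have. The split-on-tick logic, the sample headers and the `filename_from_disposition` helper are assumptions.

```python
# Added example (not from the bug report, Mailman or Python upstream).
# Models the decode_rfc2231 failure shown in the traceback and a hardened form.
from urllib.parse import unquote

TICK = "'"


def decode_rfc2231_buggy(s):
    """Assumed model of the failing decoder: a lone quote yields two parts,
    and unpacking two values into three raises ValueError."""
    parts = s.split(TICK, 2)
    if len(parts) == 1:
        return None, None, unquote(s)
    charset, language, s = parts  # ValueError when len(parts) == 2
    return charset, language, unquote(s)


def decode_rfc2231_safe(s):
    """Hardened decoder: only a full charset'language'value triple is decoded;
    anything else (including a stray quote) is returned as plain text."""
    parts = s.split(TICK, 2)
    if len(parts) <= 2:
        return None, None, s
    charset, language, value = parts
    return charset, language, unquote(value)


def filename_from_disposition(header):
    """Pull the filename parameter out of a Content-Disposition value.

    Hypothetical helper: only the decoding step is modelled, continuation
    parameters (filename*0=...) and quoted semicolons are out of scope.
    Returns '' when no filename is present, matching the default that
    Scrubber.py passes as msg.get_filename('').
    """
    for param in header.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "filename*":  # RFC 2231 encoded form goes through the decoder
            _, _, value = decode_rfc2231_safe(value)
            return value
        if name == "filename":
            return value
    return ""


def crashes(decoder, s):
    """True when the decoder raises ValueError on s (the shunting failure mode)."""
    try:
        decoder(s)
    except ValueError:
        return True
    return False
```

Constructed sample input: `filename*=it's.txt` crashes the buggy decoder but yields `it's.txt` from the hardened one, so a message with such a header is delivered instead of shunted.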
hanno please advise and attach an updated ebuild to this bug if you want stable
testing before the disclosure date.
Hi, this doesn't apply to the latest 2.1.8-mailman. For which version is this
patch?
forget the patch. python is also involved, the embargo date has been extended.
it seems like there will be new python/email module version and mailman 2.9.1,
which also fixes some XSS issues. I'll try to keep you updated, although I can't
promise.
Pulling in herd. Please provide an updated ebuild.
Bumped to 2.1.9_rc1, pretty much the same as 2.1.8_rc1. Archs please stabilize
ppc stable
If there's a glsa you might want to add a note about the changed SLOT.
> If there's a glsa you might want to add a note about the changed SLOT.
>
I don't know, but I'll vote for a GLSA and I'll try to remember your comment
if necessary.
1.) compiles on x86
dodoc: contrib/mm-handler.readme does not exist
2.) passes collision-test
(didn't do any further testing)
emerge --info
Sorry this one slipped under my radar.
This one is ready for GLSA vote. I vote YES.
Then let's have a GLSA on this one.
Thx everyone.
GLSA 200609-12
*** Bug 199306 has been marked as a duplicate of this bug. ***