
Bug 77524

Summary: net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver
Product: Gentoo Security Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-mail
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-01-11 07:57:44 UTC
mailman vulnerabilities
CAN-2004-1177, http://bugs.debian.org/285839


Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.


Important note:

There is currently another known vulnerability: when a user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords, which allows brute force attacks.

A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions.
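The description above explains the mechanism: text taken from the request is copied unmodified into the HTML error page, so a browser that follows the link interprets it as markup. The following is an added illustration, not Mailman's code and not the upstream patch linked later in this bug; it uses a hypothetical error-page template and a constructed sample request path to show the unescaped rendering beside the escaped rendering (the same kind of escaping the ChangeLog attributes to websafe()) and the "say nothing" behaviour that STEALTH_MODE-style settings provide.

```python
# Added example (not Mailman's own code). Demonstrates a reflected XSS sink in an
# error page that echoes request-derived text, and two defensive renderings.
from html import escape
from urllib.parse import urlsplit

# Hypothetical template standing in for an auto-generated error page.
ERROR_TEMPLATE = "<html><body><h1>Error</h1><p>{detail}</p></body></html>"


def detail_from_url(url: str) -> str:
    """Build the diagnostic text a naive CGI script might echo: the request path."""
    return "No such list or script: " + urlsplit(url).path


def render_error_vulnerable(detail: str) -> str:
    """The bug pattern: request-controlled text is placed in the page verbatim."""
    return ERROR_TEMPLATE.format(detail=detail)


def render_error_fixed(detail: str) -> str:
    """The fix pattern: HTML-escape the text so '<', '>', '&' and quotes are
    rendered as literal characters instead of being parsed as markup."""
    return ERROR_TEMPLATE.format(detail=escape(detail, quote=True))


def render_error_stealth() -> str:
    """Stealth behaviour: never echo request details; log them server-side instead."""
    return ERROR_TEMPLATE.format(
        detail="An error occurred. Details have been recorded in the server log."
    )


def contains_raw_tag(page: str) -> bool:
    """Simple check a reviewer or test can run over rendered output:
    does the page still contain an unescaped opening tag from the input?"""
    return "<script" in page.lower()


# Constructed sample request: the path carries a harmless tag so the difference
# between the three renderings is visible. It is not a real Mailman URL.
SAMPLE_URL = "http://lists.example.invalid/mailman/<script>/* constructed */</script>"
SAMPLE_DETAIL = detail_from_url(SAMPLE_URL)

if __name__ == "__main__":
    print("vulnerable:", render_error_vulnerable(SAMPLE_DETAIL))
    print("fixed:     ", render_error_fixed(SAMPLE_DETAIL))
    print("stealth:   ", render_error_stealth())
```

Running the block prints three pages: the first still contains the literal `<script>` element, the second contains `&lt;script&gt;`, and the third contains nothing derived from the request at all. The escaping must happen at the point where text is inserted into HTML, not at parse time, because the same text may later be written to a log or an e-mail where HTML escaping would be wrong.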
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-11 07:58:46 UTC
*** Bug 74459 has been marked as a duplicate of this bug. ***
Comment 2 Tuan Van (RETIRED) gentoo-dev 2005-01-11 09:25:13 UTC
Our mailman doesn't have 55_options_traceback.dpatch applied.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 09:56:19 UTC
The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 22:15:51 UTC
Upstream fix is located here:

http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint

And ChangeLog says:
Close a potential cross-site scripting hole, discovered by Florian Weimer.
Initial patch provided by Florian, modified by Barry.

Also, turn STEALTH_MODE on by default.  Most sites won't change this value
from its default, so we might as well use the more secure option.  Also, if
STEALTH_MODE is turned off, but the websafe() function can't be imported, turn
STEALTH_MODE back on.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 13:12:07 UTC
net-mail herd: please check and apply patch from comment #4.
Comment 6 Tuan Van (RETIRED) gentoo-dev 2005-01-15 19:22:38 UTC
Ebuild with patch committed.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-16 05:10:30 UTC
Thx Tuan.

Arches please mark mailman-2.1.5-r3 stable.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2005-01-16 13:04:01 UTC
sparc'd
Comment 9 Tuan Van (RETIRED) gentoo-dev 2005-01-16 21:27:55 UTC
x86 done.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 01:47:27 UTC
I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 01:56:56 UTC
I vote for GLSA on this one too, Mailman is pretty widespread.
Comment 12 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-19 12:57:41 UTC
Stable on amd64
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-21 16:04:36 UTC
GLSA 200501-29