
Bug 81109

Summary: net-mail/mailman directory traversal (CAN-2005-0202)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-mail
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
Whiteboard: A3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-02-07 06:30:25 UTC
Vulnerable code:

import string   # Python 2 string module, as used by the shipped code

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Single textual pass: deletes the literal substrings "../" and "./"
    # instead of dropping path components, which is the reported flaw.
    path = string.replace(path, "../", "")
    path = string.replace(path, "./", "")
    return path[1:]
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 09:15:42 UTC
This is going public in a few hours.
Suggested fix from Barry Warsaw:

=======================================
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Split into components and drop every '.' and '..' element, then
    # rejoin; the leading '/' of the request path is stripped by [1:].
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
=============================================

langthang: please commit new patched ebuilds. Mailman won't release a new version until Friday.
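An added example, not code from the bug or from Mailman itself: it takes the component-based fix quoted above and pairs it with two checks a defender would want around it, a detector that flags request paths carrying '.' or '..' components before they are cleaned, and a containment check that resolves the final filesystem path and confirms it is still under the archive root. The base directory '/tmp/archives' and the helper names `contains_traversal` and `resolve_under` are assumptions for illustration.

```python
import os

SLASH = '/'


def true_path(path):
    """Barry Warsaw's fix as posted in the bug: drop every '.' and '..'
    path component instead of textually deleting '../' substrings.
    Assumes a root-relative path ('/a/b'); [1:] strips the leading '/'."""
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]


def contains_traversal(path):
    """Detection helper (assumed, not from the page): True when the raw
    request path carries a '.' or '..' component. Useful for flagging such
    requests in web-server or Mailman access logs before cleaning."""
    return any(x in ('.', '..') for x in path.split(SLASH))


def resolve_under(base, path):
    """Belt-and-braces containment check (assumed): build the final
    filesystem path and confirm it still lies inside `base` after symlink
    resolution, raising ValueError otherwise. Independent of which cleaner
    produced the relative path, so it also guards future regressions."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, true_path(path)))
    if os.path.commonpath([real_base, target]) != real_base:
        raise ValueError("path escapes %s: %r" % (base, path))
    return target


if __name__ == '__main__':
    # Constructed request paths, not taken from any real Mailman archive.
    for req in ('/private/test-list/2005-February/000001.html',
                '/private/../test-list/./index.html'):
        print(req, '->', true_path(req), 'flagged:', contains_traversal(req))
    print(resolve_under('/tmp/archives', '/private/test-list/index.html'))
```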
Comment 2 Tuan Van (RETIRED) gentoo-dev 2005-02-09 10:06:38 UTC
mailman-2.1.5-r4 committed.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-02-09 11:12:59 UTC
archs, please mark stable.

  x86   :: tester
  sparc :: gustavoz
  amd64 :: blubb
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2005-02-09 12:02:56 UTC
x86 there
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-09 12:21:09 UTC
sparc done.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 12:22:47 UTC
Public @ http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

amd64 : please mark stable
Comment 7 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-10 08:15:56 UTC
stable on amd64
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-10 10:58:45 UTC
GLSA 200502-11