Hi Barry, hi vendor-sec, recently we got a report about a mailman DoS. This has not been published anywhere so far, so I would like to embargo this until this has been discussed with upstream and we agree on a solution. This is very similar to CVE-2006-0052; it's debatable whether the actual bug is in python's email module, but fixing this in mailman cannot hurt IMHO. Barry, please do not post information about this to any public place (including cvs commits) until we collectively decide to lift the embargo. This will give us time to prepare and test security updates without having to rush. The attached patch was created as a hotfix by one of our employees. Barry, I would appreciate if you can have a thorough look at it. Can someone please assign a CVE number? Thank you! Martin --------- snip ---------- Today, the launchpad development list, hosted on the Canonical server lists.canonical.com, stopped sending out email. Mail was accepted, but not sent on. New messages were "shunted" by Mailman. Here's a relevant part of the traceback. File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 361, in save_attachment fnext = os.path.splitext(msg.get_filename(''))[1] File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename filename = self.get_param('filename', missing, 'content-disposition') File "/usr/lib/python2.4/email/Message.py", line 590, in get_param for k, v in self._get_params_preserve(failobj, header): File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve params = Utils.decode_params(params) File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params charset, language, value = decode_rfc2231(EMPTYSTRING.join(value)) File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231 charset, language, s = parts ValueError: need more than 2 values to unpack The bug is actually in the email package of the python standard library. It is failing to properly handle the contents of the Content- Disposition: header when it contains a single quote character in the filename. This is called when the code msg.get_filename() or msg.get_filename('') in Mailman's Scrubber.py is run. If this problem is hacked around, you get another traceback of the same issue in a different place. File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 240, in process url = save_attachment(mlist, part, dir) File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 388, in save_attachment filename = msg.get_filename() File "/usr/lib/python2.4/email/Message.py", line 707, in get_filename filename = self.get_param('filename', missing, 'content-disposition') File "/usr/lib/python2.4/email/Message.py", line 590, in get_param for k, v in self._get_params_preserve(failobj, header): File "/usr/lib/python2.4/email/Message.py", line 537, in _get_params_preserve params = Utils.decode_params(params) File "/usr/lib/python2.4/email/Utils.py", line 275, in decode_params charset, language, value = decode_rfc2231(EMPTYSTRING.join(value)) File "/usr/lib/python2.4/email/Utils.py", line 222, in decode_rfc2231 charset, language, s = parts ValueError: need more than 2 values to unpack Hacking around this one fixed the issue on the Canonical servers. However, the call to get_filename() is also present in other code paths, apparently when the atachment is not multi-part MIME. I'll attach a patch that works around all three cases. --------- snip ---------- -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org In a world without walls and fences, who needs Windows and Gates?
Created attachment 91439 [details, diff] mailman-scrubber.patch
hanno please advise and attach an updated ebuild to this bug if you want stable testing before the disclosure date.
Hi, this doesn't apply to the latest 2.1.8-mailman. For which version is this patch?
forget the patch. python is also involved, the embargo date has been extended. it seems like there will be new python/email module version and mailman 2.9.1, which also fixes some XSS issues. I'll try to keep you updated, altough I cant promise.
Public now, from Secunia : http://secunia.com/advisories/21732/ "SOLUTION: The vulnerabilities have been fixed in version 2.1.9rc1 and will also be fixed in the upcoming 2.1.9 version soon." Hanno, you should be able to find mailman-2.1.9rc1 on the mailman websites, e.g.: http://sourceforge.net/project/showfiles.php?group_id=103 cheers
Pulling in herd. Please provide an updated ebuild.
Bumped to 2.1.9_rc1, pretty much the same as 2.1.8_rc1. Archs please stabilize
ppc stable If there's a glsa you might want to add a note about the changed SLOT.
> If there's a glsa you might want to add a note about the changed SLOT. > i don't know but i'll vote for a GLSA and i'll try to remember of your comment if necessary.
1.) compiles on x86 dodoc: contrib/mm-handler.readme does not exist 2.) passes collision-test (didn't do any further testing) emerge --info Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-rc6 i686) ================================================================= System uname: 2.6.18-rc6 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.4 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.3.5-r2, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r5 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 X acpi alsa asf avi berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr eds emboss encode fam ffmpeg firefox fortran gdbm gif gnome gpm gstreamer gtk hal ipv6 isdnlog java jpeg kde ldap libg++ mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex threads truetype truetype-fonts type1-fonts udev unicode vcd vorbis win32codecs xine xml xorg xprint xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux linguas_en linguas_de linguas_en_GB linguas_de_CH userland_GNU video_cards_i810 video_cards_fbdev video_cards_vesa" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
x86 stable ^_^
SPARC stable
amd64 stable.
Sorry this one slipped under my radar. This one is ready for GLSA vote. I vote YES.
yes++
Then let's have a GLSA on this one.
Thx everyone. GLSA 200609-12
*** Bug 199306 has been marked as a duplicate of this bug. ***