Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81109 - net-mail/mailman directory traversal (CAN-2005-0202)
Summary: net-mail/mailman directory traversal (CAN-2005-0202)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://lists.netsys.com/pipermail/ful...
Whiteboard: A3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-07 06:30 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-02-10 10:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-07 06:30:25 UTC
Vulnerable code:

def true_path(path):
     "Ensure that the path is safe by removing .."
     path = string.replace(path, "../", "")
     path = string.replace(path, "./", "")
     return path[1:]
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 09:15:42 UTC
This is going public in a few hours.
Suggested fix from Barry Warsaw:

=======================================
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
=============================================

langthang: please commit new patched ebuilds. Mailman won't release a new version until Friday.
Comment 2 Tuan Van (RETIRED) gentoo-dev 2005-02-09 10:06:38 UTC
mailman-2.1.5-r4 commited.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-02-09 11:12:59 UTC
archs, please mark stable.

  x86   :: tester
  sparc :: gustavoz
  amd64 :: blubb
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2005-02-09 12:02:56 UTC
x86 there
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-09 12:21:09 UTC
sparc done.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 12:22:47 UTC
Public @ http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

amd64 : please mark stable
Comment 7 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-10 08:15:56 UTC
stable on amd64
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-10 10:58:45 UTC
GLSA 200502-11