Vulnerable code: def true_path(path): "Ensure that the path is safe by removing .." path = string.replace(path, "../", "") path = string.replace(path, "./", "") return path[1:]
This is going public in a few hours. Suggested fix from Barry Warsaw: ======================================= SLASH = '/' def true_path(path): "Ensure that the path is safe by removing .." parts = [x for x in path.split(SLASH) if x not in ('.', '..')] return SLASH.join(parts)[1:] ============================================= langthang: please commit new patched ebuilds. Mailman won't release a new version until Friday.
mailman-2.1.5-r4 commited.
archs, please mark stable. x86 :: tester sparc :: gustavoz amd64 :: blubb
x86 there
sparc done.
Public @ http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html amd64 : please mark stable
stable on amd64
GLSA 200502-11