Debian Bug report logs - #285839
mailman: Membership leakage with private roster due to 55_options_traceback.dpatch

Package: mailman; Maintainer for mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Source for mailman is src:mailman.

Reported by: Juha-Matti Tapio <jmtapio@verkkotelakka.net>

Date: Wed, 15 Dec 2004 21:48:05 UTC

Severity: important

Tags: patch, security

Found in version 2.1.5-4

Fixed in version mailman/2.1.5-5

Done: Tollef Fog Heen <tfheen@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#285839; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Juha-Matti Tapio <jmtapio@verkkotelakka.net>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mailman: Membership leakage with private roster due to 55_options_traceback.dpatch
Date: Wed, 15 Dec 2004 23:37:43 +0200
[Message part 1 (text/plain, inline)]
Package: mailman
Version: 2.1.5-4
Severity: important
Tags: security patch

Patch 55_options_traceback.dpatch changes the authentication of a
private roster user so that different response is given depending on if
the user is a member of the specified list. Therefore it is possible to
check if a specific email address is on a private list or not.

The patch also seems a bit odd regarding the problem that it claims to
fix. The patch should be either removed totally or rewritten to fix the
original bug if it still exists in the upstream.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: LANG=fi_FI@euro, LC_CTYPE=fi_FI@euro

Versions of packages mailman depends on:
ii  apache2-mpm-perchild [httpd 2.0.50-11    Experimental High speed perchild t
ii  cron                        3.0pl1-86    management of regular background p
ii  debconf                     1.4.30.10    Debian configuration management sy
ii  exim4                       4.34-3       An MTA (Mail Transport Agent)
ii  exim4-daemon-heavy [mail-tr 4.34-3       Exim (v4) with extended features, 
ii  libc6                       2.3.2.ds1-16 GNU C Library: Shared libraries an
ii  logrotate                   3.6.5-2      Log rotation utility
ii  pwgen                       2.03-1       Automatic Password generation
ii  python                      2.3.4-1      An interactive high-level object-o
ii  ucf                         1.08         Update Configuration File: preserv

-- debconf information excluded
[mailman-fix.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#285839; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to pabs <pabs@zip.to>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #10 received at 285839@bugs.debian.org (full text, mbox):

From: pabs <pabs@zip.to>
To: 285839@bugs.debian.org
Subject: sorry...updated patch
Date: Wed, 12 Jan 2005 11:29:52 +0800
[Message part 1 (text/plain, inline)]
I reported and supplied the patch for 233161.
I unapplied the patch, and when I put a non-member's address into the
options form on a private list, I get a traceback - duplicated below:

Traceback (most recent call last):
  File "/var/lib/mailman/scripts/driver", line 96, in run_main
    main()
  File "/var/lib/mailman/Mailman/Cgi/options.py", line 227, in main
    password, user):
  File "/var/lib/mailman/Mailman/SecurityManager.py", line 220, in WebAuthenticate
    ok = self.CheckCookie(ac, user)
  File "/var/lib/mailman/Mailman/SecurityManager.py", line 300, in CheckCookie
    ok = self.__checkone(c, authcontext, user)
  File "/var/lib/mailman/Mailman/SecurityManager.py", line 310, in __checkone
    key, secret = self.AuthContextInfo(authcontext, user)
  File "/var/lib/mailman/Mailman/SecurityManager.py", line 105, in AuthContextInfo
    secret = self.getMemberPassword(user)
  File "/var/lib/mailman/Mailman/OldStyleMemberships.py", line 102, in getMemberPassword
    raise Errors.NotAMemberError, member
NotAMemberError: foo@bar.org

I've updated the dpatch to fix this in a different (better) way -
attached. This has successfully been tested on a 2.1.4-5 mailman box.

-- 
Bye,
Pabs
[55_options_traceback.dpatch (application/x-shellscript, attachment)]
[signature.asc (application/pgp-signature, inline)]
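The report in Message #5 and the traceback in Message #10 describe the same weakness from two sides: a lookup that raises NotAMemberError for addresses not on the roster, so the options-page login for a private list answers a non-member differently (a traceback or error page) from a member with a wrong password. The following is an added illustration, not Mailman's code: a constructed toy member adaptor (MemberDB, get_member_password, the sample roster) with the leaky authentication shape beside a uniform-response one, plus a small check that reports whether a wrong-password attempt can tell the two kinds of address apart.

```python
import hmac
import secrets


class NotAMemberError(Exception):
    """The member adaptor's way of saying the address is not subscribed."""


class MemberDB:
    """Toy member adaptor (constructed; stands in for the real adaptor)."""

    def __init__(self, members):
        # members: {address: password}; addresses compare case-insensitively
        self._members = {addr.lower(): pw for addr, pw in members.items()}

    def get_member_password(self, addr):
        try:
            return self._members[addr.lower()]
        except KeyError:
            raise NotAMemberError(addr) from None


def web_authenticate_leaky(db, user, password):
    """Vulnerable shape: the lookup raises for non-members, so the CGI layer
    turns a non-member into a different response (traceback / error page)
    than a member who merely typed the wrong password."""
    secret = db.get_member_password(user)
    return password == secret


_DECOY = secrets.token_hex(16)  # random per-process value, never a real password


def web_authenticate_uniform(db, user, password):
    """Hardened shape: every address walks the same path and returns the
    same boolean on failure.  A non-member is compared against a random
    decoy so neither the response nor the work done depends on membership."""
    try:
        secret = db.get_member_password(user)
        is_member = True
    except NotAMemberError:
        secret = _DECOY
        is_member = False
    matches = hmac.compare_digest(password.encode(), secret.encode())
    return matches and is_member


def observed_response(auth_fn, db, user, password):
    """What a web client sees: a propagated exception becomes a server
    error page, a False return becomes the normal 'login failed' page."""
    try:
        return "ok" if auth_fn(db, user, password) else "login_failed"
    except NotAMemberError:
        return "server_error"


def membership_is_observable(auth_fn, db, member, non_member):
    """True when a wrong-password attempt answers a member and a non-member
    differently, i.e. the login form doubles as a roster oracle."""
    return (observed_response(auth_fn, db, member, "wrong")
            != observed_response(auth_fn, db, non_member, "wrong"))


# Constructed sample roster for a private list.
SAMPLE_DB = MemberDB({"alice@example.org": "correct horse"})

if __name__ == "__main__":
    for name, fn in (("leaky", web_authenticate_leaky),
                     ("uniform", web_authenticate_uniform)):
        leaks = membership_is_observable(fn, SAMPLE_DB,
                                         "alice@example.org", "foo@bar.org")
        print(f"{name}: membership observable via login form = {leaks}")
```

The decoy comparison matters only for the uniform version: without it, the non-member branch would return early and the response timing would still separate the two cases even once the exception is caught. Any real fix also has to cover every other page that calls the same lookup, since a single uncaught NotAMemberError anywhere on a private list reopens the oracle.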

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#285839; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Juha-Matti Tapio <jmtapio@verkkotelakka.net>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #15 received at 285839@bugs.debian.org (full text, mbox):

From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
To: pabs <pabs@zip.to>
Cc: 285839@bugs.debian.org
Subject: Re: sorry...updated patch
Date: Thu, 13 Jan 2005 02:51:39 +0200
On Wed, Jan 12, 2005 at 11:29:52AM +0800, pabs wrote:
> I reported and supplied the patch for 233161.
> I unapplied the patch, and when I put a non-member's address into the
> options form on a private list, I get a traceback - duplicated below:
[...]
>   File "/var/lib/mailman/Mailman/OldStyleMemberships.py", line 102, in getMemberPassword
>     raise Errors.NotAMemberError, member
> NotAMemberError: foo@bar.org
> 
> I've updated the dpatch to fix this in a different (better) way -
> attached. This has successfully been tested on a 2.1.4-5 mailman box.

I'm curious as to why I can't reproduce this traceback. One possibility might
be that I have a fresh install and you might have an older install with
membership data from previous versions? That might cause some differences on
how the MemberAdaptor works. Sadly Mailman's code base uses such heavy
interface magic that I can't verify my suspicion (at least not at this time
of the night).

Anyway, to me your patch looks like a correct solution to the problem. I
tested your patch and I can confirm that it works for me (i.e. solves both
the original bug and the membership leakage).
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#285839; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to pabs <pabs@zip.to>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #20 received at 285839@bugs.debian.org (full text, mbox):

From: pabs <pabs@zip.to>
To: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
Cc: 285839@bugs.debian.org
Subject: Re: sorry...updated patch
Date: Thu, 13 Jan 2005 09:57:36 +0800
[Message part 1 (text/plain, inline)]
On Thu, 2005-01-13 at 02:51 +0200, Juha-Matti Tapio wrote:
> On Wed, Jan 12, 2005 at 11:29:52AM +0800, pabs wrote:
> > I reported and supplied the patch for 233161.
> > I unapplied the patch, and when I put a non-member's address into the
> > options form on a private list, I get a traceback - duplicated below:
> [...]
> >   File "/var/lib/mailman/Mailman/OldStyleMemberships.py", line 102, in getMemberPassword
> >     raise Errors.NotAMemberError, member
> > NotAMemberError: foo@bar.org
> > 
> > I've updated the dpatch to fix this in a different (better) way -
> > attached. This has successfully been tested on a 2.1.4-5 mailman box.
> 
> I'm curious on why I can't reproduce this traceback. One possibility might
> be that I have a fresh install and you might have an older install with
> membership data from previous versions? That might cause some differences on
> how the MemberAdaptor works. Sadly Mailman's code base uses such heavy
> interface magic that I can't verify my suspicion (at least not at this time
> of the night).

Yeah, this is a box with data from the 2.0 (and possibly earlier) days.
It isn't running 2.1.5 atm - only 2.1.4-5 - we haven't got around to
installing 2.1.5-4 with all the patches that have recently been updated.
Possibly the stuff behind the scenes of authentication has changed in
2.1.5 - I know there aren't many changes to options.py - only HTTP
Accept-Language stuff really.

It is lists.indymedia.org if you want to have a look.

-- 
Bye,
Pabs
[signature.asc (application/pgp-signature, inline)]

Reply sent to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Juha-Matti Tapio <jmtapio@verkkotelakka.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 285839-close@bugs.debian.org (full text, mbox):

From: Tollef Fog Heen <tfheen@debian.org>
To: 285839-close@bugs.debian.org
Subject: Bug#285839: fixed in mailman 2.1.5-5
Date: Fri, 14 Jan 2005 04:47:08 -0500
Source: mailman
Source-Version: 2.1.5-5

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:

mailman_2.1.5-5.diff.gz
  to pool/main/m/mailman/mailman_2.1.5-5.diff.gz
mailman_2.1.5-5.dsc
  to pool/main/m/mailman/mailman_2.1.5-5.dsc
mailman_2.1.5-5_i386.deb
  to pool/main/m/mailman/mailman_2.1.5-5_i386.deb
mailman_2.1.5.orig.tar.gz
  to pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 285839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 10 Jan 2005 17:12:58 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-5
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description: 
 mailman    - Powerful, web-based mailing list manager
Closes: 280529 284771 285839 286796 287555
Changes: 
 mailman (2.1.5-5) unstable; urgency=high
 .
   * Fix CAN-2004-1143 (weak auto-generated passwords) by pulling the
     appropriate CVS change from upstream.  Thanks to Florian Weimer for
     finding and producing a patch for this bug.  (closes: #286796)
   * Fix CAN-2004-1177 (CSS problem in scripts/driver) by pulling the
     appropriate patch from upstream CVS.  Thanks to Florian Weimer for
     discovering and producing a patch for this bug.  (closes: #287555)
   * Handle the case of upgrading from Mailman 2.0 where we have
     pending subscriptions.  This should hopefully fix #280529.  Thanks to
     Bastian Kleinedam for the patch.  (closes: #280529)
   * Skip directories when updating templates, to make the life easier for
     people who have their configuration in Subversion or Arch.
     (closes: #284771)
   * Remove 55_options_traceback.dpatch as this problem seems to have been
     fixed upstream and it causes other problems.  (closes: #285839)
Files: 
 211e90f80573d909d805e2b9d40dd21e 640 mail optional mailman_2.1.5-5.dsc
 f5f56f04747cd4aff67427e7a45631af 5745912 mail optional mailman_2.1.5.orig.tar.gz
 7c0131c39ae93621120673b94cde9be7 174358 mail optional mailman_2.1.5-5.diff.gz
 997fd482d1a92d751c132a449d150fc9 6607802 mail optional mailman_2.1.5-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB55BlQSseMYF6mWoRAkzVAKDa2oVG7RsLLZ/P2rUFQj2pkporAwCaA+t/
6oqxdXJcck5pDz8V85oMpPw=
=af3J
-----END PGP SIGNATURE-----

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 17:12:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.