Report forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>: Bug#286796; Package mailman.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
Package: mailman
Severity: grave
Tags: security
Justification: user security hole
Red Hat has posted a private vendor-sec posting to a public mailing
list:
<http://mail.python.org/pipermail/mailman-developers/2004-December/017561.html>
Short summary: Mailman only generates about 5 million different
passwords. This means that brute force attacks are possible.
The CVE Project assigned CAN-2004-1143 to this vulnerability.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (800, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-rc3fw
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
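The "about 5 million" figure can be checked against the generator that the patch in this log replaces. The following Python is an added illustration, not part of the bug report or of Mailman; the vowel and consonant tables and the 64-symbol output alphabet are copied from the Utils.py hunk in this log, and the odd-length case generalises the count beyond the 6-character default the report discusses.

```python
"""Check the '5 million passwords' figure for Mailman 2.1.5 (CAN-2004-1143).

Constructed illustration, not Mailman code. The vowel/consonant tables and
the 64-symbol alphabet are copied from the Utils.py hunk in this bug log.
"""
import math

VOWELS = ('a', 'e', 'i', 'o', 'u')
CONSONANTS = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n',
              'p', 'r', 's', 't', 'v', 'w', 'x', 'z')
NEW_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")


def old_syllables():
    """Consonant+vowel and vowel+consonant pairs, built as the removed code did."""
    syls = []
    for v in VOWELS:
        for c in CONSONANTS:
            syls.append(c + v)
            syls.append(v + c)
    return syls


def old_keyspace(length=6):
    """Distinct passwords the syllable generator can emit for this length.

    It draws ceil(length/2) two-character syllables and truncates to length.
    Even lengths keep every syllable intact: 170**k strings.  Odd lengths keep
    only the first letter of the last syllable, so that position contributes
    just the number of distinct syllable-initial letters.
    """
    syls = old_syllables()
    full, odd = divmod(length, 2)
    space = len(syls) ** full
    if odd:
        space *= len({s[0] for s in syls})
    return space


def new_keyspace(length=8):
    """64 equally likely symbols per character drawn from /dev/urandom."""
    return len(NEW_ALPHABET) ** length


def mod64_counts():
    """Count how often each symbol results when every byte value 0..255 is
    mapped with ord(byte) % 64 as the patch does.  256 is a multiple of 64,
    so discarding two bits introduces no bias: each symbol appears 4 times."""
    counts = [0] * len(NEW_ALPHABET)
    for b in range(256):
        counts[b % len(NEW_ALPHABET)] += 1
    return counts


def bits(keyspace):
    """Entropy in bits, assuming the generator's draws are uniform."""
    return math.log2(keyspace)


if __name__ == "__main__":
    old, new = old_keyspace(), new_keyspace()
    print(f"old generator: {old:,} passwords (~{bits(old):.1f} bits)")
    print(f"new generator: {new:,} passwords ({bits(new):.0f} bits)")
    print("mod-64 mapping uniform:", len(set(mod64_counts())) == 1)
```

Running it gives 4,913,000 six-character passwords for the old generator (about 22 bits) against 2^48 for the new one, which is where the report's "about 5 million" comes from.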
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>: Bug#286796; Package mailman.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
tag 286796 patch
thanks
Here's a patch. It's been tested on my Mailman installation and it
seems to work. If you release an advisory, you should point site
administrators to the new change_member_pw script which can be used to
reset passwords.
I've only applied the proposed change to the list templates in the
English and German versions. You might want to fix this before a
release.
There are two other minor vulnerabilities in Mailman 2.1. I'm trying
to notify Mailman developers in advance, but if this is not possible,
it would probably make sense to put at least one of the patches in the
same upload.
mailman (2.1.5-4.1) unstable; urgency=high
* Non-maintainer upload
* Fix CAN-2004-1143 (closes: #286796).
-- Florian Weimer <fw@deneb.enyo.de> Wed, 22 Dec 2004 13:30:19 +0100
#! /bin/sh /usr/share/dpatch/dpatch-run
## 40_can-2004-1143.dpatch by Florian Weimer <fw@deneb.enyo.de>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix CAN-2004-1143: weak auto-generated passwords.
@DPATCH@
diff -urNad mailman-2.1.5/bin/change_member_pw /tmp/dpep.WJts1h/mailman-2.1.5/bin/change_member_pw
--- mailman-2.1.5/bin/change_member_pw 1970-01-01 01:00:00.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/bin/change_member_pw 2004-12-22 13:48:34.000000000 +0100
@@ -0,0 +1,142 @@
+#! @PYTHON@
+#
+# Copyright (C) 2001,2002 by the Free Software Foundation, Inc.
+# Portions Copyright (C) 2004 by Florian Weimer.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+"""Change the passwords of list members.
+
+This script resets all passwords of list members. This is helpful if
+the passwords have been compromised.
+
+Usage: change_pw [options]
+
+Options:
+
+ --all / -a
+ Change the password for all lists.
+
+ --domain=domain
+ -d domain
+ Change the password for all lists in the virtual domain `domain'. It
+ is okay to give multiple -d options.
+
+ --listname=listname
+ -l listname
+ Change the password only for the named list. It is okay to give
+ multiple -l options.
+
+ --help / -h
+ Print this help message and exit.
+"""
+
+import sys
+import sha
+import getopt
+
+import paths
+from Mailman import mm_cfg
+from Mailman import Utils
+from Mailman import MailList
+from Mailman import Errors
+from Mailman import Message
+from Mailman import i18n
+
+_ = i18n._
+
+SPACE = ' '
+
+
+
+def usage(code, msg=''):
+ if code:
+ fd = sys.stderr
+ else:
+ fd = sys.stdout
+ print >> fd, _(__doc__)
+ if msg:
+ print >> fd, msg
+ sys.exit(code)
+
+
+
+_listcache = {}
+
+def openlist(listname):
+ missing = []
+ mlist = _listcache.get(listname, missing)
+ if mlist is missing:
+ try:
+ mlist = MailList.MailList(listname, lock=0)
+ except Errors.MMListError, e:
+ usage(1, _('No such list "%(listname)s"\n%(e)s'))
+ _listcache[listname] = mlist
+ return mlist
+
+
+
+def main():
+ # Parse options
+ try:
+ opts, args = getopt.getopt(
+ sys.argv[1:], 'ad:l:h',
+ ['all', 'domain=', 'listname=', 'help'])
+ except getopt.error, msg:
+ usage(1, msg)
+
+ # defaults
+ listnames = {}
+ domains = {}
+ password = None
+ quiet = 0
+
+ for opt, arg in opts:
+ if opt in ('-h', '--help'):
+ usage(0)
+ elif opt in ('-a', '--all'):
+ for name in Utils.list_names():
+ listnames[name] = 1
+ elif opt in ('-d', '--domain'):
+ domains[arg] = 1
+ elif opt in ('-l', '--listname'):
+ listnames[arg] = 1
+
+ if domains:
+ for name in Utils.list_names():
+ mlist = openlist(name)
+ if domains.has_key(mlist.host_name):
+ listnames[name] = 1
+
+ if not listnames:
+ print >> sys.stderr, _('Nothing to do.')
+ sys.exit(0)
+
+ # Set the member passwords.
+ for listname in listnames.keys():
+ mlist = openlist(listname)
+ mlist.Lock()
+ try:
+ for address in mlist.getMembers():
+ randompw = Utils.MakeRandomPassword()
+ mlist.setMemberPassword(address, randompw)
+
+ mlist.Save()
+ finally:
+ mlist.Unlock()
+
+
+if __name__ == '__main__':
+ main()
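Review bot: the script assigns every member a fresh random password but never tells the members what it is, so after a run nobody can log in until the next periodic reminder or a mail-back from the options page; the docstring (and the advisory text the submitter mentions) should state that, or the script should send each member the new password itself. Smaller points in the same hunk: the docstring still reads `Usage: change_pw [options]` and describes `--all` as "Change the password for all lists" although it is member passwords that change; `sha` and `Message` are imported and `SPACE` defined but never used; `password` and `quiet` are set and never read; and stray positional arguments in `args` are silently ignored where a `usage(1, ...)` call would be clearer.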
diff -urNad mailman-2.1.5/bin/Makefile.in /tmp/dpep.WJts1h/mailman-2.1.5/bin/Makefile.in
--- mailman-2.1.5/bin/Makefile.in 2004-12-22 13:48:33.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/bin/Makefile.in 2004-12-22 13:48:34.000000000 +0100
@@ -46,7 +46,7 @@
list_members remove_members clone_member update arch \
sync_members check_db withlist check_perms find_member \
version config_list list_lists dumpdb cleanarch \
- list_admins genaliases change_pw mailmanctl qrunner inject \
+ list_admins genaliases change_member_pw change_pw mailmanctl qrunner inject \
unshunt fix_url.py convert.py transcheck b4b5-archfix \
list_owners msgfmt.py show_qfiles discard rb-archfix
diff -urNad mailman-2.1.5/configure.in /tmp/dpep.WJts1h/mailman-2.1.5/configure.in
--- mailman-2.1.5/configure.in 2004-12-22 13:48:33.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/configure.in 2004-12-22 13:48:34.000000000 +0100
@@ -544,6 +544,7 @@
AC_DEFUN(MM_SCRIPTS, [dnl
bin/add_members \
bin/arch \
+bin/change_member_pw \
bin/change_pw \
bin/check_db \
bin/check_perms \
diff -urNad mailman-2.1.5/Mailman/Utils.py /tmp/dpep.WJts1h/mailman-2.1.5/Mailman/Utils.py
--- mailman-2.1.5/Mailman/Utils.py 2004-12-22 13:48:34.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/Mailman/Utils.py 2004-12-22 13:48:34.000000000 +0100
@@ -286,22 +286,21 @@
-_vowels = ('a', 'e', 'i', 'o', 'u')
-_consonants = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n',
- 'p', 'r', 's', 't', 'v', 'w', 'x', 'z')
-_syllables = []
-
-for v in _vowels:
- for c in _consonants:
- _syllables.append(c+v)
- _syllables.append(v+c)
-del c, v
+def MakeRandomPassword(length=8):
+ fd = os.open("/dev/urandom", os.O_RDONLY)
+ bytes = ""
+ try:
+ while len(bytes) < length:
+ bytes = bytes + os.read(fd, length - len(bytes))
+ finally:
+ os.close(fd)
-def MakeRandomPassword(length=6):
- syls = []
- while len(syls) * 2 < length:
- syls.append(random.choice(_syllables))
- return EMPTYSTRING.join(syls)[:length]
+ chars = ""
+ for ch in bytes:
+ # We throw away 2 bits per character, but the code is easier
+ # to read this way.
+ chars = chars + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[ord(ch) % 64]
+ return chars
def GetRandomSeed():
chr1 = int(random.random() * 52)
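Review bot: the replacement relies on `os` being imported at module level, which this hunk does not show, and a failing `os.open` on a system without `/dev/urandom` now propagates as an uncaught OSError where the old generator always returned a value; an explicit error message would make that failure easier to diagnose. The `ord(ch) % 64` mapping itself is unbiased, since 256 is a multiple of 64, so the "throw away 2 bits" comment is accurate and each of the 64 symbols is equally likely, giving 48 bits at the default length. Note that the default length changes from 6 to 8 and that the alphabet now includes `+` and `/`, which may surprise code or users that assumed lower-case letters only.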
diff -urNad mailman-2.1.5/templates/de/listinfo.html /tmp/dpep.WJts1h/mailman-2.1.5/templates/de/listinfo.html
--- mailman-2.1.5/templates/de/listinfo.html 2004-12-22 13:48:33.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/templates/de/listinfo.html 2004-12-22 13:49:52.000000000 +0100
@@ -76,28 +76,6 @@
<td bgcolor="#dddddd" width="55%">Ihr Name (optional):</td>
<td width="33%"><mm-fullname-box></td>
<TD WIDTH="12%"> </TD></TR>
- <TR>
- <TD COLSPAN="3"><FONT SIZE=-1>Sie können weiter unten ein Passwort
- eingeben. Dieses Passwort bietet nur eine geringe Sicherheit,
- sollte aber verhindern, dass andere Ihr Abonnement
- manipulieren. <b>Verwenden Sie kein wertvolles Passwort</b>,
- da es ab und zu im Klartext an Sie geschickt wird!
-
- <p>Wenn Sie kein Passwort eingeben, wird für Sie ein
- Zufallspasswort generiert und Ihnen zugeschickt, sobald Sie Ihr
- Abonnement bestätigt haben. Sie können sich Ihr Passwort
- jederzeit per Email zuschicken lassen, wenn Sie weiter unten
- die Seite zum ändern Ihrer persönlichen Einstellungen aufrufen.
- <MM-Reminder> </TD>
- </TR>
- <TR>
- <TD BGCOLOR="#dddddd">Wählen Sie ein Passwort:</TD>
- <TD><MM-New-Password-Box></TD>
- <TD> </TD></TR>
- <TR>
- <TD BGCOLOR="#dddddd">Erneute Eingabe zur Bestätigung:</TD>
- <TD><MM-Confirm-Password></TD>
- <TD> </TD></TR>
<tr>
<TD BGCOLOR="#dddddd">Welche Sprache bevorzugen Sie zur
Benutzerführung?</TD>
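Review bot: removing the password rows here closes the user-chosen weak password path only for the German form; as the submitter says, the other locale templates still offer the `<MM-New-Password-Box>` and `<MM-Confirm-Password>` fields, so the same change is needed in each remaining `templates/*/listinfo.html` before release. The `<MM-Reminder>` placeholder disappears with the deleted paragraph; check that nothing else on the page depends on it.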
diff -urNad mailman-2.1.5/templates/en/listinfo.html /tmp/dpep.WJts1h/mailman-2.1.5/templates/en/listinfo.html
--- mailman-2.1.5/templates/en/listinfo.html 2004-12-22 13:48:33.000000000 +0100
+++ /tmp/dpep.WJts1h/mailman-2.1.5/templates/en/listinfo.html 2004-12-22 13:49:41.000000000 +0100
@@ -76,29 +76,6 @@
<td bgcolor="#dddddd" width="55%">Your name (optional):</td>
<td width="33%"><mm-fullname-box></td>
<TD WIDTH="12%"> </TD></TR>
- <TR>
- <TD COLSPAN="3"><FONT SIZE=-1>You may enter a
- privacy password below. This provides only mild security,
- but should prevent others from messing with your
- subscription. <b>Do not use a valuable password</b> as
- it will occasionally be emailed back to you in cleartext.
-
- <p>If you choose not to enter a password, one will be
- automatically generated for you, and it will be sent to
- you once you've confirmed your subscription. You can
- always request a mail-back of your password when you edit
- your personal options.
- <MM-Reminder>
- </TD>
- </TR>
- <TR>
- <TD BGCOLOR="#dddddd">Pick a password:</TD>
- <TD><MM-New-Password-Box></TD>
- <TD> </TD></TR>
- <TR>
- <TD BGCOLOR="#dddddd">Reenter password to confirm:</TD>
- <TD><MM-Confirm-Password></TD>
- <TD> </TD></TR>
<tr>
<TD BGCOLOR="#dddddd">Which language do you prefer to display your messages?</TD>
<TD> <MM-list-langs></TD>
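Review bot: dropping the form fields is a client-side change only; unless the subscribe CGI also stops honouring a password supplied in the submitted form data, a client can still post one, so the server-side handling should be checked as part of this fix rather than relying on the template alone.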
Tags added: patch
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>: Bug#286796; Package mailman.
Acknowledgement sent to Roger@eh.org:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
Doesn't Mailman (in Debian at least) use pwgen for generating passwords?
Roger
Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>: Bug#286796; Package mailman.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
* Roger Lynn:
> Doesn't Mailman (in Debian at least) use pwgen for generating
> passwords?
No. There's a dependency on pwgen, sure, but I can't see where it is
used in the code.
Reply sent to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility.
Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
Source: mailman
Source-Version: 2.1.5-5
We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:
mailman_2.1.5-5.diff.gz
to pool/main/m/mailman/mailman_2.1.5-5.diff.gz
mailman_2.1.5-5.dsc
to pool/main/m/mailman/mailman_2.1.5-5.dsc
mailman_2.1.5-5_i386.deb
to pool/main/m/mailman/mailman_2.1.5-5_i386.deb
mailman_2.1.5.orig.tar.gz
to pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286796@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated mailman package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 10 Jan 2005 17:12:58 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-5
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description:
mailman - Powerful, web-based mailing list manager
Closes: 280529 284771 285839 286796 287555
Changes:
mailman (2.1.5-5) unstable; urgency=high
.
* Fix CAN-2004-1143 (weak auto-generated passwords) by pulling the
appropriate CVS change from upstream. Thanks to Florian Weimer for
finding and producing a patch for this bug. (closes: #286796)
* Fix CAN-2004-1177 (CSS problem in scripts/driver) by pulling the
appropriate patch from upstream CVS. Thanks to Florian Weimer for
discovering and producing a patch for this bug. (closes: #287555)
* Handle the case of upgrading from Mailman 2.0 where we have
pending subscriptions. This should hopefully fix #280529. Thanks to
Bastian Kleinedam for the patch. (closes: #280529)
* Skip directories when updating templates, to make the life easier for
people who have their configuration in Subversion or Arch.
(closes: #284771)
* Remove 55_options_traceback.dpatch as this problem seems to have been
fixed upstream and it causes other problems. (closes: #285839)
Files:
211e90f80573d909d805e2b9d40dd21e 640 mail optional mailman_2.1.5-5.dsc
f5f56f04747cd4aff67427e7a45631af 5745912 mail optional mailman_2.1.5.orig.tar.gz
7c0131c39ae93621120673b94cde9be7 174358 mail optional mailman_2.1.5-5.diff.gz
997fd482d1a92d751c132a449d150fc9 6607802 mail optional mailman_2.1.5-5_i386.deb