Debian Bug report logs - #339095
DoS attack to a list in mailman using sarge due to improper handling of exception of utf8


Package: mailman; Maintainer for mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Source for mailman is src:mailman.

Reported by: Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>

Date: Sun, 11 Sep 2005 19:03:01 UTC

Severity: grave

Tags: fixed, patch, sarge, security

Found in version mailman/2.1.5-8

Fixed in versions 2.1.5-8sarge1, 2.1.6-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#327732; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>.

Your message specified a Severity: in the pseudo-header, but the severity value |grave| was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.

Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>
To: submit@bugs.debian.org
Subject: Dos attack to a list in mailman using sarge due to impropper handling of exception of utf8
Date: Sun, 11 Sep 2005 14:50:02 -0400
Package: mailman
Version: 2.1.5-8
Severity: |grave|

Site running several lists; it seems that a specially formed message can DoS a list
due to improper handling of an exception. The list stops working; here is the mailman error. All messages then
go to shunt:


Sep 11 13:34:35 2005 (12535) Uncaught runner exception: 'utf8' codec can't decode bytes in position 1-4: invalid data
Sep 11 13:34:35 2005 (12535) Traceback (most recent call last):
 File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
   self._onefile(msg, msgdata)
 File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
   keepqueued = self._dispose(mlist, msg, msgdata)
 File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
   more = self._dopipeline(mlist, msg, msgdata, pipeline)
 File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
   sys.modules[modname].process(mlist, msg, msgdata)
 File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 91, in process
   send_digests(mlist, mboxfp)
 File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 132, in send_digests
   send_i18n_digests(mlist, mboxfp)
 File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 306, in send_i18n_digests
   msg = scrubber(mlist, msg)
 File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 265, in process
   url = save_attachment(mlist, part, dir)
 File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 361, in save_attachment
   fnext = os.path.splitext(msg.get_filename(''))[1]
 File "/usr/lib/python2.3/email/Message.py", line 731, in get_filename
   return unicode(newvalue[2], newvalue[0] or 'us-ascii')
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 1-4: invalid data

Sep 11 13:34:35 2005 (12535) SHUNTING: 1126458561.9029009+2ca02ecc54d36f4e0a88a7ab17fc28736bd23635


Any ideas?







Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#327732; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #10 received at 327732@bugs.debian.org (full text, mbox):

From: Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>
To: 327732@bugs.debian.org
Subject: Re: Bug#327732: Acknowledgement (Dos attack to a list in mailman using sarge due to impropper handling of exception of utf8)
Date: Mon, 12 Sep 2005 10:34:42 -0400
Found the problematic mail, this can make a DoS to any list:
...more email data
--TB36FDmn/VVEgNH/
Content-Type: application/msword
Content-Disposition: attachment;
       filename*=utf-8''C%F3mo%20montar%20un%20servidor%20Samba%20PDC%20en%20una%20red%20de%20m%E1quinas%20MS%20Windows%20XP%
Content-Transfer-Encoding: base64

...more email data
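
The mismatch behind the traceback (a `filename*` parameter labelled utf-8 whose percent-encoded bytes are Latin-1) can be shown with Python 3's `email` package. This is an added example, not part of the bug log and not the patch applied to the Debian package; the sample header is constructed and shortened from the one quoted above, and `strict_filename`, `tolerant_filename` and `extension_or_error` are hypothetical names.

```python
import email
import os
from email.utils import collapse_rfc2231_value

# Constructed sample, shortened from the header quoted in the report: the
# parameter is labelled utf-8, but %F3 is the Latin-1 byte for "ó".
SAMPLE = (
    "Content-Type: application/msword\n"
    "Content-Disposition: attachment; filename*=utf-8''C%F3mo%20montar.doc\n"
    "\n"
    "body\n"
)
PART = email.message_from_string(SAMPLE)


def strict_filename(part):
    """Trust the declared charset, as the failing unicode() call in the log did."""
    raw = part.get_param("filename", "", "content-disposition")
    return collapse_rfc2231_value(raw, errors="strict")


def tolerant_filename(part, default="attachment"):
    """Never raise on a mislabelled name: try the declared charset, then Latin-1."""
    raw = part.get_param("filename", None, "content-disposition")
    if raw is None:
        return default
    if not isinstance(raw, tuple):      # plain filename="..." parameter
        return raw
    charset, language, text = raw
    for candidate in (charset or "us-ascii", "latin-1"):
        try:
            return collapse_rfc2231_value((candidate, language, text), errors="strict")
        except UnicodeDecodeError:
            continue
    return default


def extension_or_error(part, decoder):
    """What save_attachment wanted: the extension, or the reason decoding failed."""
    try:
        return os.path.splitext(decoder(part))[1], None
    except UnicodeDecodeError as exc:
        return None, exc.reason


if __name__ == "__main__":
    print(extension_or_error(PART, strict_filename))    # decode error reported
    print(extension_or_error(PART, tolerant_filename))  # extension recovered
```

Catching the decode error per attachment keeps one mislabelled header from surfacing as an uncaught exception in the queue runner.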







Severity set to `grave'. Request was from Maykel Moya <moya@infomed.sld.cu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#327732; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Joost van Baal <joostvb-debian-bugs-20051024-9@mdcc.cx>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #17 received at 327732@bugs.debian.org (full text, mbox):

From: Joost van Baal <joostvb-debian-bugs-20051024-9@mdcc.cx>
To: 327732@bugs.debian.org
Subject: (possible) patch available
Date: Tue, 25 Oct 2005 00:04:34 +0200
[Message part 1 (text/plain, inline)]
Hi,

FWIW: A patch which might fix this problem is available from
http://mail.python.org/pipermail/mailman-users/2005-September/046523.html
.

This bug likely is _not_ fixed in mailman 2.1.6.

Bye,

Joost

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#327732; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #22 received at 327732@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: 327732@bugs.debian.org, 326024@bugs.debian.org, 310451@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Mailman bugs tags galore
Date: Sun, 13 Nov 2005 18:38:38 +0100
tags 327732 +pending security
tags 326024 +pending
tags 310451 +pending
thanks

A patch hopefully fixing this bug has been committed to the SVN
repository of the package. If it survives some yet-to-be-made testing,
it will be part of the next upload.

Yours truly,

-- 
Lionel Mamane



Tags added: pending, security Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: security Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 327732 cloned as bug 339095. Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Tags set to: unreproducible, sarge Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #35 received at 339095@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: 339095@bugs.debian.org, aliet@tesla.cujae.edu.cu
Cc: joostvb-debian-bugs-20051024-9@mdcc.cx
Subject: Can't reproduce this bug as described
Date: Mon, 14 Nov 2005 23:44:57 +0100
Hi,

I'm writing to you about the bug you reported to Debian about
Mailman. (http://bugs.debian.org/339095)

I can't reproduce the bug as you describe it, at least the DOS
part. In my testing, messages with attachments with an invalid
filename:

 - _do_ get distributed
 - do _not_ get archived
 - generate a traceback much like yours
 - do _not_ DOS the list: subsequent (valid) messages get delivered
   and archived correctly.

The "do not get archived" part is still a bug, one that will
(hopefully) be fixed with the next Debian upload. But if they don't
DOS the list, it is not a security issue and doesn't warrant a
security update to Debian stable.

I used exactly the filename you put in your bug report for my
testing.


If you have a message that DOSes a list, would you be so kind as to send
it to mm-test@tofu.mamane.lu and notify us at
pkg-mailman-hackers@lists.alioth.debian.org ? I fear that the DOSing
comes from a different issue than the filename encoding, and in that
case I'd like to investigate it.


Thank you in advance,

-- 
Lionel Mamane, for the Debian Mailman team



Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lmamane@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #40 received at 339095@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lmamane@debian.org>
To: debian-security@lists.debian.org, team@security.debian.org
Cc: pkg-mailman-hackers@alioth.lists.debian.org, 339095@bugs.debian.org, control@bugs.debian.org
Subject: Mailman DoS CVE-2005-3573, debbug #339095
Date: Wed, 14 Dec 2005 12:25:50 +0100
[Message part 1 (text/plain, inline)]
tags 339095 -unreproducible
tags 339095 +security patch
thanks

Hi,

I've noticed that an issue I have fixed in Mailman in sid has been
issued a CVE and that Mandrake has issued a security advisory over
it. I haven't been able to reproduce the DoS part of the report, so I
didn't treat it as a security issue up to now. It seems the DoS part
happens only on lists that have digest members (this explains why I
would have missed it).

Attached is the same patch applied to the package in unstable; please
issue a DSA as appropriate.

-- 
Lionel
[mailman_339095.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags removed: unreproducible Request was from Lionel Elie Mamane <lmamane@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security, patch Request was from Lionel Elie Mamane <lmamane@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@linux.org.ar>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #49 received at 339095@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@linux.org.ar>
To: debian-security@lists.debian.org
Cc: 339095@bugs.debian.org
Subject: Re: Re: Mailman DoS CVE-2005-3573, debbug #339095
Date: Thu, 19 Jan 2006 15:33:21 -0300
Hi everyone!
     I just want to know what happened with the CVE-2005-3573[1],
particularly in stable/sarge.

Thanks for all your help.

Luciano

[1] http://bugs.debian.org/339095




Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.


Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #57 received at 339095@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Luciano Bello <luciano@linux.org.ar>, 339095@bugs.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: [Pkg-mailman-hackers] Bug#339095: Re: Mailman DoS CVE-2005-3573, debbug #339095
Date: Fri, 20 Jan 2006 12:30:44 +0100
On Thu, Jan 19, 2006 at 03:33:21PM -0300, Luciano Bello wrote:

>      I just want to know what happened with the CVE-2005-3573[1],
> particularly in stable/sarge.

We (mailman Debian package maintainers) haven't heard back from the
security team.

-- 
Lionel



Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@linux.org.ar>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #62 received at 339095@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@linux.org.ar>
To: 339095@bugs.debian.org, debian-security@lists.debian.org
Subject: Re: [Pkg-mailman-hackers] Bug#339095: Re: Mailman DoS CVE-2005-3573, debbug #339095
Date: Fri, 20 Jan 2006 11:43:50 -0300
On Fri, 20-01-2006 at 12:30 +0100, Lionel Elie Mamane wrote:
> On Thu, Jan 19, 2006 at 03:33:21PM -0300, Luciano Bello wrote:
> 
> >      I just want to know what happened with the CVE-2005-3573[1],
> > particularly in stable/sarge.
> 
> We (mailman Debian package maintainers) haven't heard back from the
> security team.

AFAIK, the bug is steel there :)

luciano




Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <lbello@arcert.gov.ar>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #67 received at 339095@bugs.debian.org (full text, mbox):

From: Luciano Bello <lbello@arcert.gov.ar>
To: 339095@bugs.debian.org
Subject: Re: [Pkg-mailman-hackers] Bug#339095: Re: Mailman DoS CVE-2005-3573, debbug #339095
Date: Fri, 20 Jan 2006 16:35:19 -0300
On Fri, 20-01-2006 at 11:43 -0300, Luciano Bello wrote:
> AFAIK, the bug is steel there :)

s/steel/still

sorry :)

luciano




Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Mihai Maties <mihai@xcyb.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #72 received at 339095@bugs.debian.org (full text, mbox):

From: Mihai Maties <mihai@xcyb.org>
To: 339095@bugs.debian.org
Subject: Re: Mailman DoS
Date: Mon, 23 Jan 2006 15:05:22 +0200
It's quite odd that a bug that old (133 days already) is being ignored and the 
_stable_ version of Debian still contains flaws...

Whom do we need to bribe in order for the fix to get into sarge/security ?


Mihai



Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#339095; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #77 received at 339095@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Mihai Maties <mihai@xcyb.org>, 339095@bugs.debian.org
Subject: Bug#339095: Mailman DoS
Date: Mon, 23 Jan 2006 23:11:00 +0100
On Mon, Jan 23, 2006 at 03:05:22PM +0200, Mihai Maties wrote:

> It's quite odd that a bug that old (133 days already) is being ignored and the
> _stable_ version of Debian still contains flaws...

Sorry about that. That bug suffered from a combination of
circumstances creating delay: Not very active Mailman maintainers
first, and then this issue "fell through the cracks" of the security
team, and the Mailman maintainers were not very proactive about
pinging the security team again. They have been pinged by me on 19 Jan
2006, as a reaction to Luciano Bello's mail, and have reacted the next
day; that is three days ago (on 20 Jan 2006). I expect something to
happen soonish.

> Whom do we need to bribe in order for the fix to get into
> sarge/security ?

team@security.debian.org, but please don't be aggressive: Most of the
delay is not their fault. The first time they were contacted about
this was 14 Dec 2005; they let this contact slip and we (Mailman
maintainers) didn't recontact them aggressively (enough?). I presume
they are now working on it; if they forget about us again, feel free
to ping them or remind us to ping them. But right now, only two days
have elapsed since our last message to them; being worried they forgot
about us is premature.

-- 
Lionel



Tags added: fixed Request was from Lionel Elie Mamane <lmamane@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Lionel Elie Mamane <lionel@mamane.lu>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #84 received at 339095-done@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: 339095-done@bugs.debian.org
Subject: Mailman UTF8 filename DoS attack solved in Sarge
Date: Wed, 25 Jan 2006 13:41:41 +0100
Version: 2.1.5-8sarge1

The DSA is out and the packages available from
http://security.debian.org/ . Closing bug.



Bug marked as fixed in version 2.1.6-1, send any further explanations to Aliet Santiesteban Sifontes <aliet@tesla.cujae.edu.cu> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 06:25:21 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:40:52 2014; Machine Name: beach.debian.org
