Debian Bug report logs - #358892
Uncaught runner exception: len() of unsized object

version graph

Package: mailman; Maintainer for mailman is Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>; Source for mailman is src:mailman.

Reported by: Sven Hartge <sven@svenhartge.de>

Date: Sat, 25 Mar 2006 00:33:07 UTC

Severity: important

Tags: fixed, patch, sarge, security

Found in version mailman/2.1.5-8sarge1

Fixed in version 2.1.6-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#358892; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Sven Hartge <sven@svenhartge.de>:
New Bug report received and forwarded. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sven Hartge <sven@svenhartge.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Uncaught runner exception: len() of unsized object
Date: Sat, 25 Mar 2006 01:27:33 +0100
[Message part 1 (text/plain, inline)]
Package: mailman
Version: 2.1.5-8sarge1
Severity: important
Tags: patch

Hello.

Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which can
cause some messages with badly formed mime multiparts and sometimes all
messaged received after the defective one to be shunted, thus rendering
the specific list to be unusable. (Thus the slightly increased
severity.)

See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

Example for one traceback:

(The date is so old, because I since fixed this problem locally but never
got around to submitting this bug to the BTS.)

Feb 19 08:26:35 2006 (2786) SHUNTING: 1140333994.5416+92548399c95eda0df954edc5b01362c2ddda88bf
Feb 19 09:04:19 2006 (2786) Uncaught runner exception: len() of unsized object
Feb 19 09:04:19 2006 (2786) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
    more = self._dopipeline(mlist, msg, msgdata, pipeline)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
    sys.modules[modname].process(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 91, in process
    send_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 132, in send_digests
    send_i18n_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 306, in send_i18n_digests
    msg = scrubber(mlist, msg)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process
    size = len(payload)
TypeError: len() of unsized object

The patch (attached for your convenience) is also in 2.1.6, see 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

Please include this simple fix in the next point release.

Grüße,
Sven Hartge
[mailman-payload-patch.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#358892; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 358892@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Sven Hartge <sven@svenhartge.de>, 358892@bugs.debian.org, security@debian.org
Cc: control@bugs.debian.org, 358892-subscribe-security=debian.org@bugs.debian.org
Subject: Re: [Pkg-mailman-hackers] Bug#358892: Uncaught runner exception: len() of unsized object
Date: Tue, 28 Mar 2006 23:17:58 +0200
tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks

On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:

> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed mime multiparts and
> sometimes all messaged received after the defective one to be
> shunted, thus rendering the specific list to be unusable.

This thus leads to a DoS attack vector, and makes it a security
vulnerability.

I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman looks
relevant. Should we get one? If yes, will the security team take care
of this?

> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

> The patch (attached for your convenience) is also in 2.1.6, see 
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
> --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py	2003-12-01 02:43:18.000000000 +0100
> +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py	2006-03-25 01:25:57.000000000 +0100
> @@ -259,6 +259,14 @@
>          elif not part.is_multipart():
>              payload = part.get_payload(decode=True)
>              ctype = part.get_type()
> +            # XXX Under email 2.5, it is possible that payload will be None.
> +            # This can happen when you have a Content-Type: multipart/* with
> +            # only one part and that part has two blank lines between the
> +            # first boundary and the end boundary.  In email 3.0 you end up
> +            # with a string in the payload.  I think in this case it's safe to
> +            # ignore the part.
> +            if payload is None:
> +                continue
>              size = len(payload)
>              omask = os.umask(002)
>              try:

As maintainer of the Debian package of Mailman, I approve this
patch. Please issue a DSA with this update.

Thanks,

-- 
Lionel



Tags added: security, sarge Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#358892; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lmamane@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 358892@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lmamane@debian.org>
To: Steve Kemp <skx@debian.org>
Cc: team@security.debian.org, 358892@bugs.debian.org
Subject: Mailman DoS CVE-2006-0052, debbug #358892
Date: Wed, 29 Mar 2006 21:44:35 +0200
(Please don't hijack old threads about different issues, in particular
 not without changing the subject line.)

On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:

>   Package for Sarge at:

>         http://people.debian.org/~skx/updates/mailman/

>   Potential advisory text - need to know which version in sid
>  will fix it.

Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
etch contains 2.1.7-1; it was fixed in sid (without even realising it)
with the upload of 2.1.6-1 on Sun, 25 Dec 2005.

Please take this opportunity to retroactively add to the changelog of
2.1.5-8sarge1 that the

 * Don't die on overflow in date handling, which could lead to a DoS
   attack (closes: #326024)

is CVE-2005-4153.

Also add (closes: #358892) to your changelog entry.

> Package        : mailman
> Vulnerability  : denial of service
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2006-0052
Debian Bug     : 358892

> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager.  The Common Vulnerabilities and
> Exposures project identifies the following problems:

We should give more details, because there have been two other DoS
vulnerabilities recently, so we don't want people to get confused. I
propose something along the lines of:

 A potential denial of service problem has been discovered in mailman,
 the web-based GNU mailing list manager. The (failing) parsing of
 messages with malformed mime multiparts sometimes caused the whole
 mailing list to become inoperative.

> The old stable distribution (woody) is not vulnerable to this issue.

> For the unstable distribution (sid) this problem will be fixed soon.

-- 
Lionel



Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#358892; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 358892@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Lionel Elie Mamane <lmamane@debian.org>
Cc: team@security.debian.org, 358892@bugs.debian.org
Subject: Re: Mailman DoS CVE-2006-0052, debbug #358892
Date: Wed, 29 Mar 2006 20:57:55 +0100
On Wed, Mar 29, 2006 at 09:44:35PM +0200, Lionel Elie Mamane wrote:

> (Please don't hijack old threads about different issues, in particular
>  not without changing the subject line.)

  Sorry, it wasn't intentional.

> Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
> etch contains 2.1.7-1; it was fixed in sid (without even realising it)
> with the upload of 2.1.6-1 on Sun, 25 Dec 2005.

  OK.

> Please take this opportunity to retroactively add to the changelog of
> 2.1.5-8sarge1 that the
> 
>  * Don't die on overflow in date handling, which could lead to a DoS
>    attack (closes: #326024)
> 
> is CVE-2005-4153.
> 
> Also add (closes: #358892) to your changelog entry.

  Alright.  I'll update the changelog and upload to the queue now.

  Thanks for the updated advisory text.

Steve
-- 




Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#358892; Package mailman. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 358892@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 358892@bugs.debian.org
Subject: CVE number, Ubuntu patch
Date: Mon, 3 Apr 2006 15:12:15 +0200
[Message part 1 (text/plain, inline)]
Hi,

this issue has been assigned CVE-2006-0052. In Ubuntu, we used this
patch:

  http://patches.ubuntu.com/patches/mailman.CVE-2006-0052.diff

It's a bit longer, since I started with fixing with upstream bug
1430236. Now it's a bit redundant, but better safe than sorry. :)

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 2.1.6-1, send any further explanations to Sven Hartge <sven@svenhartge.de> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:09:40 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:08:15 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.