Report forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Sven Hartge <sven@svenhartge.de>:
New Bug report received and forwarded. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Package: mailman
Version: 2.1.5-8sarge1
Severity: important
Tags: patch
Hello.
Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which can
cause some messages with badly formed mime multiparts and sometimes all
messages received after the defective one to be shunted, thus rendering
the specific list to be unusable. (Thus the slightly increased
severity.)
See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html
Example for one traceback:
(The date is so old because I have since fixed this problem locally but never
got around to submitting this bug to the BTS.)
Feb 19 08:26:35 2006 (2786) SHUNTING: 1140333994.5416+92548399c95eda0df954edc5b01362c2ddda88bf
Feb 19 09:04:19 2006 (2786) Uncaught runner exception: len() of unsized object
Feb 19 09:04:19 2006 (2786) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
    more = self._dopipeline(mlist, msg, msgdata, pipeline)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
    sys.modules[modname].process(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 91, in process
    send_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 132, in send_digests
    send_i18n_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 306, in send_i18n_digests
    msg = scrubber(mlist, msg)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process
    size = len(payload)
TypeError: len() of unsized object
The patch (attached for your convenience) is also in 2.1.6, see
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103
Please include this simple fix in the next point release.
Regards,
Sven Hartge
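An added example, not part of the original report or of Mailman itself: a small triage script that reads an error log laid out like the excerpt above, collects the shunted queue IDs, and counts failures by innermost frame and exception, so a repeating Scrubber.py failure stands out. The sample log is constructed (abbreviated frames, placeholder queue IDs), and the script assumes traceback continuation lines carry no timestamp prefix, as in the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above; frames abbreviated,
# queue IDs are placeholders.
SAMPLE_LOG = """\
Feb 19 08:26:35 2006 (2786) SHUNTING: constructed-id-1
Feb 19 09:04:19 2006 (2786) Uncaught runner exception: len() of unsized object
Feb 19 09:04:19 2006 (2786) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process
    size = len(payload)
TypeError: len() of unsized object
Feb 19 09:04:19 2006 (2786) SHUNTING: constructed-id-2
"""

# "Mon DD HH:MM:SS YYYY (pid) message" starts a new log record.
RECORD = re.compile(r"^(\w{3} +\d+ [\d:]{8} \d{4}) \((\d+)\) (.*)$")
FRAME = re.compile(r'^\s*File "([^"]+)", line (\d+), in (\w+)')

def triage(log_text):
    """Return (shunted_ids, failures); failures counts (file, line, error)."""
    shunted, failures = [], Counter()
    last_frame, in_traceback = None, False
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if rec:
            msg = rec.group(3)
            in_traceback = msg.startswith("Traceback (most recent call last)")
            last_frame = None
            if msg.startswith("SHUNTING: "):
                shunted.append(msg[len("SHUNTING: "):])
            continue
        if not in_traceback:
            continue
        frame = FRAME.match(line)
        if frame:
            # Keep overwriting: the last frame seen is the innermost one.
            last_frame = (frame.group(1), int(frame.group(2)))
        elif last_frame and line and not line[0].isspace():
            # The unindented line after the frames is the exception itself.
            failures[last_frame + (line.strip(),)] += 1
            in_traceback = False
    return shunted, failures

if __name__ == "__main__":
    ids, counts = triage(SAMPLE_LOG)
    print(len(ids), "shunted;", counts.most_common(3))
```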
Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks
On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:
> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed mime multiparts and
> sometimes all messages received after the defective one to be
> shunted, thus rendering the specific list to be unusable.
This thus leads to a DoS attack vector, and makes it a security
vulnerability.
I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman looks
relevant. Should we get one? If yes, will the security team take care
of this?
> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html
> The patch (attached for your convenience) is also in 2.1.6, see
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103
> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
> --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py 2003-12-01 02:43:18.000000000 +0100
> +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2006-03-25 01:25:57.000000000 +0100
> @@ -259,6 +259,14 @@
> elif not part.is_multipart():
> payload = part.get_payload(decode=True)
> ctype = part.get_type()
> + # XXX Under email 2.5, it is possible that payload will be None.
> + # This can happen when you have a Content-Type: multipart/* with
> + # only one part and that part has two blank lines between the
> + # first boundary and the end boundary. In email 3.0 you end up
> + # with a string in the payload. I think in this case it's safe to
> + # ignore the part.
> + if payload is None:
> + continue
> size = len(payload)
> omask = os.umask(002)
> try:
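Review bot: at the new `if payload is None:` check, the part is skipped with `continue` and nothing is logged, so an operator cannot tell from the logs that a part of a malformed message was ignored; consider writing a log entry before the `continue`. The comment is tagged XXX and hedged with "I think", so a regression test built from the message shape it describes (a multipart/* with only one part and two blank lines between the first boundary and the end boundary) would confirm that skipping the part is safe before `size = len(payload)` is reached.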
As maintainer of the Debian package of Mailman, I approve this
patch. Please issue a DSA with this update.
Thanks,
--
Lionel
Tags added: security, sarge
Request was from Lionel Elie Mamane <lionel@mamane.lu>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Lionel Elie Mamane <lmamane@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Subject: Mailman DoS CVE-2006-0052, debbug #358892
Date: Wed, 29 Mar 2006 21:44:35 +0200
(Please don't hijack old threads about different issues, in particular
not without changing the subject line.)
On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:
> Package for Sarge at:
> http://people.debian.org/~skx/updates/mailman/
> Potential advisory text - need to know which version in sid
> will fix it.
Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
etch contains 2.1.7-1; it was fixed in sid (without even realising it)
with the upload of 2.1.6-1 on Sun, 25 Dec 2005.
Please take this opportunity to retroactively add to the changelog of
2.1.5-8sarge1 that the
* Don't die on overflow in date handling, which could lead to a DoS
attack (closes: #326024)
is CVE-2005-4153.
Also add (closes: #358892) to your changelog entry.
> Package : mailman
> Vulnerability : denial of service
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2006-0052
Debian Bug : 358892
> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager. The Common Vulnerabilities and
> Exposures project identifies the following problems:
We should give more details, because there have been two other DoS
vulnerabilities recently, so we don't want people to get confused. I
propose something along the lines of:
A potential denial of service problem has been discovered in mailman,
the web-based GNU mailing list manager. The (failing) parsing of
messages with malformed mime multiparts sometimes caused the whole
mailing list to become inoperative.
> The old stable distribution (woody) is not vulnerable to this issue.
> For the unstable distribution (sid) this problem will be fixed soon.
--
Lionel
Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Subject: Re: Mailman DoS CVE-2006-0052, debbug #358892
Date: Wed, 29 Mar 2006 20:57:55 +0100
On Wed, Mar 29, 2006 at 09:44:35PM +0200, Lionel Elie Mamane wrote:
> (Please don't hijack old threads about different issues, in particular
> not without changing the subject line.)
Sorry, it wasn't intentional.
> Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
> etch contains 2.1.7-1; it was fixed in sid (without even realising it)
> with the upload of 2.1.6-1 on Sun, 25 Dec 2005.
OK.
> Please take this opportunity to retroactively add to the changelog of
> 2.1.5-8sarge1 that the
>
> * Don't die on overflow in date handling, which could lead to a DoS
> attack (closes: #326024)
>
> is CVE-2005-4153.
>
> Also add (closes: #358892) to your changelog entry.
Alright. I'll update the changelog and upload to the queue now.
Thanks for the updated advisory text.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Tags added: fixed
Request was from Steve Kemp <skx@debian.org>
to control@bugs.debian.org.
Bug marked as fixed in version 2.1.6-1, send any further explanations to Sven Hartge <sven@svenhartge.de>
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 04:09:40 GMT)