tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks

On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:
> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed mime multiparts and
> sometimes all messages received after the defective one to be
> shunted, thus rendering the specific list to be unusable.

This thus leads to a DoS attack vector, and makes it a security
vulnerability. I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman
looks relevant. Should we get one? If yes, will the security team take
care of this?

> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

> The patch (attached for your convenience) is also in 2.1.6, see
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py > mailman-2.1.5/Mailman/Handlers/Scrubber.py > --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py 2003-12-01 > 02:43:18.000000000 +0100 > +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2006-03-25 > 01:25:57.000000000 +0100 > @@ -259,6 +259,14 @@ > elif not part.is_multipart(): > payload = part.get_payload(decode=True) > ctype = part.get_type() > + # XXX Under email 2.5, it is possible that payload will be None. > + # This can happen when you have a Content-Type: multipart/* with > + # only one part and that part has two blank lines between the > + # first boundary and the end boundary. In email 3.0 you end up > + # with a string in the payload. I think in this case it's safe > to > + # ignore the part. > + if payload is None: > + continue > size = len(payload) > omask = os.umask(002) > try:

As maintainer of the Debian package of Mailman, I approve this patch.
Please issue a DSA with this update.

Thanks,

--
Lionel
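
Review bot: The added `if payload is None: continue` skips the part silently, with no log entry before the `continue`, so a list owner has no trace that a malformed multipart was dropped from the scrubbed message; a log line at that point would make the case visible. The check could also sit directly after `payload = part.get_payload(decode=True)`, ahead of `ctype = part.get_type()`, since `ctype` is not used for a part that is skipped. The comment's "I think in this case it's safe" leaves the assumption unverified; a test message with the single-part, two-blank-line shape the comment describes would confirm that ignoring the part is the right behaviour.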