Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mailman. The diff is a security fix for CVE-2015-2775.

unblock mailman/1:2.1.18-2

Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog --- mailman-2.1.18/debian/changelog 2014-07-10 18:01:59.000000000 +0000 +++ mailman-2.1.18/debian/changelog 2015-04-06 15:37:32.000000000 +0000 @@ -1,3 +1,13 @@ +mailman (1:2.1.18-2) unstable; urgency=high + + * Fix security issue: path traversal through local_part. + Affects installations which use an Exim or Postfix transport + instead of fixed aliases; attacker needs to be able to place + files on the local filesystem. + (CVE-2015-2775, Closes: 781626) + + -- Thijs Kinkhorst <th...@debian.org> Mon, 06 Apr 2015 15:36:15 +0000 + mailman (1:2.1.18-1) unstable; urgency=medium * New upstream release. diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config --- mailman-2.1.18/debian/config 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/config 2015-04-06 15:30:32.000000000 +0000 @@ -1,5 +1,5 @@ #! /bin/sh -e -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $ # $Id: config 693 2011-10-08 15:30:38Z thijs $ . /usr/share/debconf/confmodule diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control --- mailman-2.1.18/debian/control 2014-07-10 18:19:25.000000000 +0000 +++ mailman-2.1.18/debian/control 2015-04-06 15:30:32.000000000 +0000 
@@ -4,7 +4,6 @@ Maintainer: Mailman for Debian <pkg-mailman-hack...@lists.alioth.debian.org> Uploaders: Lionel Elie Mamane <lmam...@debian.org>, Thijs Kinkhorst <th...@debian.org>, - Thorsten Glaser <t...@mirbsd.de>, Hector Garcia <hec...@debian.org> Build-Depends: debhelper (>= 7), autoconf, python-dev (>= 2.6.6-3~), gettext, python-dnspython Standards-Version: 3.9.5 diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch --- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 1970-01-01 00:00:00.000000000 +0000 +++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch 2015-04-06 15:44:18.000000000 +0000 
@@ -0,0 +1,34 @@ +From: Mark Sapiro <m...@msapiro.net> +Subject: Fix path traversal through local_part (CVE-2015-2775) +Origin: upstream, https://launchpadlibrarian.net/201407944/p +Bug: https://bugs.launchpad.net/mailman/+bug/1437145 +Bug-Debian: http://bugs.debian.org/781626 + +diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in +--- mailman-2.1.18.orig/Mailman/Defaults.py.in 2014-05-03 17:37:22.000000000 +0000 ++++ mailman-2.1.18/Mailman/Defaults.py.in 2015-04-06 15:43:20.000000000 +0000 +@@ -138,7 +138,7 @@ + + # A Python regular expression character class which defines the characters + # allowed in list names. Lists cannot be created with names containing any +-# character that doesn't match this class. ++# character that doesn't match this class. Do not include '/' in this list. + ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]' + + +diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py +--- mailman-2.1.18.orig/Mailman/Utils.py 2014-05-03 17:37:22.000000000 +0000 ++++ mailman-2.1.18/Mailman/Utils.py 2015-04-06 15:43:20.000000000 +0000 +@@ -99,6 +99,12 @@ + # + # The former two are for 2.1alpha3 and beyond, while the latter two are + # for all earlier versions. ++ # ++ # But first ensure the list name doesn't contain a path traversal ++ # attack. ++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: ++ syslog('mischief', 'Hostile listname: %s', listname) ++ return False + basepath = Site.get_listpath(listname) + for ext in ('.pck', '.pck.last', '.db', '.db.last'): + dbfile = os.path.join(basepath, 'config' + ext) diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series --- mailman-2.1.18/debian/patches/series 2014-07-10 17:59:41.000000000 +0000 +++ mailman-2.1.18/debian/patches/series 2015-04-06 15:36:11.000000000 +0000 
@@ -10,3 +10,4 @@ 79_archiver_slash.patch 90_gettext_errors.patch 91_utf8.patch +92_CVE-2015-2775.patch diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst --- mailman-2.1.18/debian/postinst 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/postinst 2015-04-06 15:30:32.000000000 +0000 @@ -7,7 +7,7 @@ # Other modifications 2004-2007 by other maintainers of the Debian package: # Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ... # -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $ # $Id: postinst 693 2011-10-08 15:30:38Z thijs $ # . /usr/share/debconf/confmodule diff -Nru mailman-2.1.18/debian/postrm mailman-2.1.18/debian/postrm --- mailman-2.1.18/debian/postrm 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/postrm 2015-04-06 15:30:32.000000000 +0000 @@ -1,5 +1,5 @@ #! /bin/sh -e -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postrm $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postrm $ # $Id: postrm 600 2009-01-08 20:54:48Z thijs $ #DEBHELPER# diff -Nru mailman-2.1.18/debian/preinst.in mailman-2.1.18/debian/preinst.in --- mailman-2.1.18/debian/preinst.in 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/preinst.in 2015-04-06 15:30:32.000000000 +0000 @@ -1,5 +1,5 @@ #!/bin/sh -e -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/preinst.in $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/preinst.in $ # $Id: preinst.in 704 2012-03-18 13:14:40Z thijs $ . /usr/share/debconf/confmodule diff -Nru mailman-2.1.18/debian/prerm mailman-2.1.18/debian/prerm --- mailman-2.1.18/debian/prerm 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/prerm 2015-04-06 15:30:32.000000000 +0000 
@@ -3,7 +3,7 @@ # prerm script for Debian python packages. # Written 1998 by Gregor Hoffleit <fli...@debian.org>. # -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/prerm $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/prerm $ # $Id: prerm 421 2006-10-08 12:50:00Z giskard-guest $ if [ "$1" = "failed-upgrade" ] ; then diff -Nru mailman-2.1.18/debian/templates mailman-2.1.18/debian/templates --- mailman-2.1.18/debian/templates 2012-06-16 09:50:23.000000000 +0000 +++ mailman-2.1.18/debian/templates 2015-04-06 15:30:33.000000000 +0000 @@ -1,4 +1,4 @@ -# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/templates $ +# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/templates $ # $Id: templates 693 2011-10-08 15:30:38Z thijs $ Template: mailman/site_languages Type: multiselect
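Review bot: the `$URL` keyword correction in the debian/config hunk (`svn/svn/pkg-mailman` to `svn/pkg-mailman`) is unrelated to the CVE-2015-2775 fix and is not mentioned in the unblock request; the same one-line comment change repeats in postinst, postrm, preinst.in, prerm and templates. It is harmless, but the request should say that these hunks are comment-only keyword fixes so the release team does not have to inspect each of them, and ideally such churn would be held back until after the freeze.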
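Review bot: the debian/control hunk drops Thorsten Glaser from Uploaders, which is a maintenance change with no bearing on the security fix; an unblock diff should be limited to the change being justified, so either leave this out of the upload or mention it explicitly in the request so the reviewer knows it is intentional.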
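Review bot: the new check in the Utils.py hunk of 92_CVE-2015-2775.patch rejects any character outside `ACCEPTABLE_LISTNAME_CHARACTERS`, but that class (`'[-+_.=a-z0-9]'`) contains `.`, so the names `.` and `..` pass the filter unchanged and are handed to `Site.get_listpath(listname)`; whether that matters depends on `get_listpath`, which is not in this diff, but rejecting those two names explicitly next to the character check would settle it without relying on the callee. Two smaller points on the same hunk: the Defaults.py.in comment now says "Do not include '/' in this list", yet nothing enforces that, so a site that overrides `ACCEPTABLE_LISTNAME_CHARACTERS` in mm_cfg.py silently weakens the check, and the class is lowercase-only, so the check relies on callers having lower-cased the name first. The hunk adds no imports, so confirm that Utils.py already imports `re` and `syslog` before this lands. The `syslog('mischief', 'Hostile listname: %s', listname)` line is a useful side effect: rejected names end up in the mischief log, which gives operators a concrete string to watch for.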