On Thu, 10 Feb 2005, John Swartzentruber wrote:

On 2/10/2005 9:41 AM Barry Warsaw wrote:
Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:

http://www.list.org/CAN-2005-0202.txt

Could an expert please help out a non-expert? I applied this patch to /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly patched. I'm not sure that this is enough, however, because the private.pyc file wasn't changed, even after I restarted mailman. Should I have patched the private.py file in the source, then gone through the "make" and "make install" process?



Edit $MAILMAN/Mailman/Cgi/private.py (probably wise to save the orig).
Where you see lines in the diff beginning with "-", remove those lines.
Where you see lines in the diff beginning with "+", add those lines.

Once the edit is complete, stop and restart the qrunner (perhaps it's
/etc/init.d/mailman or $MAILMAN/bin/mailmanctl, depending on how you're
set up).


The .pyc will only get remade when needed, and since this only affects lists with archives, try going to some list of yours with an archive.

The original patch I saw on the net seems to work fine but doesn't log the
hack attempts to the $MAILMAN/logs/mischief file. Here it is:

----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
-----------------------------------------------------

The one from the diffs looks like this:

----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts <> safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]

------------------------------------------------------
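The logging variant above, exercised against a few constructed PATH_INFO values, as an added example that is not part of this post or of Mailman's own code. syslog(), MISCHIEF_LOG and ARCHIVE_ROOT are stand-ins for Mailman.Logging.Syslog, $MAILMAN/logs/mischief and mm_cfg.PRIVATE_ARCHIVE_FILE_DIR, and resolve_under_root() is an extra containment check of my own, not something in the patch.

```python
import posixpath

SLASH = '/'
# Stand-in for mm_cfg.PRIVATE_ARCHIVE_FILE_DIR (assumed placeholder, not a real site value).
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'
# Stand-in for $MAILMAN/logs/mischief: the logging variant appends here.
MISCHIEF_LOG = []


def syslog(logfile, msg):
    """Stand-in for Mailman.Logging.Syslog.syslog(): record (logfile, message)."""
    MISCHIEF_LOG.append((logfile, msg))


def true_path(path):
    """The logging variant from the thread: drop every '.' and '..' component.
    CGI PATH_INFO always begins with '/', which is why the leading character
    of the re-joined result is removed."""
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]


def resolve_under_root(relpath, root=ARCHIVE_ROOT):
    """Added containment check (not in the patch): join relpath to the archive
    root, normalise, and refuse anything that no longer sits inside root.
    Returns the absolute path, or None when the result would escape."""
    candidate = posixpath.normpath(posixpath.join(root, relpath))
    if candidate != root and not candidate.startswith(root + SLASH):
        return None
    return candidate


def archive_file_for(path_info):
    """What a hardened handler would do: sanitise first, then confirm containment."""
    return resolve_under_root(true_path(path_info))


if __name__ == '__main__':
    # Constructed inputs: one ordinary archive URL, one with traversal components.
    for p in ('/mylist/2005-February/000001.html', '/mylist/../../etc/passwd'):
        print(repr(p), '->', archive_file_for(p))
    print('mischief log:', MISCHIEF_LOG)
```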

If I got any of the above wrong, I apologize; please lemme know.
We're all in this together.


=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
David Stern
University of Maryland Institute for Advanced Computer Studies
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
