~ubuntu-branches/ubuntu/hardy/mailman/hardy-updates

Viewing changes to debian/patches/security-error_log.dpatch

Committer: Bazaar Package Importer
Author(s): Martin Pitt
Date: 2006-09-12 21:29:14 UTC
Revision ID: james.westby@ubuntu.com-20060912212914-ok3c35nf4izdz9f4

Tags: 1:2.1.8-2ubuntu2

* SECURITY UPDATE: XSS.
* Add debian/patches/security-CVE-2006-3636-XSS.dpatch:
  - Fix various cross-site scripting vulnerabilities.
  - Patch backported from svn head, thanks to Barry Warsaw for preparing it.
  - CVE-2006-3636
* Add debian/patches/security-CVE-2006-2941.dpatch:
  - Scrubber.py: Do not bail out if emails' get_filename() throws a
    ValueError. This has been properly fixed in the next upstream email
    package (in Python core), but the fix is very intrusive. Thanks to Steve
    Alexander for discovering this and for the proposed patch.
  - CVE-2006-2941
  - Closes: LP#49620
* Add debian/patches/security-error_log.dpatch:
  - Check characters in URL to prevent injecting bogus messages into
    error_log.
  - Patch taken from upstream SVN:
    http://svn.sourceforge.net/viewvc/mailman?view=rev&revision=7918

files added:
debian/patches/security-CVE-2006-2941.dpatch

debian/patches/security-CVE-2006-3636-XSS.dpatch

debian/patches/security-error_log.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/security-error_log.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

## security-error_log.dpatch by <martin.pitt@ubuntu.com>

## All lines beginning with `## DP:' are a description of the patch.

## DP: No description.

@DPATCH@

diff -urNad mailman-2.1.8~/Mailman/Handlers/Decorate.py mailman-2.1.8/Mailman/Handlers/Decorate.py

--- mailman-2.1.8~/Mailman/Handlers/Decorate.py 2006-09-12 21:27:45.000000000 +0200

+++ mailman-2.1.8/Mailman/Handlers/Decorate.py 2006-09-12 21:28:44.000000000 +0200

@@ -95,8 +95,8 @@

# TK: Try to keep the message plain by converting the header/

# footer/oldpayload into unicode and encode with mcset/lcset.

# Try to decode qp/base64 also.

- uheader = unicode(header, lcset)

- ufooter = unicode(footer, lcset)

+ uheader = unicode(header, lcset, 'ignore')

+ ufooter = unicode(footer, lcset, 'ignore')

try:

oldpayload = unicode(msg.get_payload(decode=True), mcset)

frontsep = endsep = u''

diff -urNad mailman-2.1.8~/Mailman/Utils.py mailman-2.1.8/Mailman/Utils.py

--- mailman-2.1.8~/Mailman/Utils.py 2006-03-18 18:23:04.000000000 +0100

+++ mailman-2.1.8/Mailman/Utils.py 2006-09-12 21:28:29.000000000 +0200

@@ -53,6 +53,7 @@

from Mailman import Errors

from Mailman import Site

from Mailman.SafeDict import SafeDict

+from Mailman.Logging.Syslog import syslog

try:

True, False

@@ -219,9 +220,16 @@

+# Patterns which may be used to form malicious path to inject a new

+# line in the mailman error log. (TK: advisory by Moritz Naumann)

+CRNLpat = re.compile(r'[^\x21-\x7e]')

def GetPathPieces(envar='PATH_INFO'):

path = os.environ.get(envar)

if path:

+ if CRNLpat.search(path):

+ path = CRNLpat.split(path)[0]

+ syslog('error', 'Warning: Possible malformed path attack.')

return [p for p in path.split('/') if p]

return None

@@ -326,7 +334,6 @@

# We have no available source of cryptographically

# secure random characters. Log an error and fallback

# to the user friendly passwords.

- from Mailman.Logging.Syslog import syslog

syslog('error',

'urandom not available, passwords not secure')

return UserFriendly_MakeRandomPassword(length)

@@ -541,7 +548,6 @@

text = sdict.interpolate(utemplate)

except (TypeError, ValueError), e:

# The template is really screwed up

- from Mailman.Logging.Syslog import syslog

syslog('error', 'broken template: %s\n%s', filename, e)

pass

if raw:

Older »