Date: Thu, 10 Feb 2005 16:56:59 -0500 (EST) From: Vivek Khera <vivek@khera.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/77364: patch Mailman for security vulnerability Message-ID: <20050210215659.92893B833@yertle.kcilink.com> Resent-Message-ID: <200502102200.j1AM0aUR065063@freefall.freebsd.org>
>Number: 77364 >Category: ports >Synopsis: patch Mailman for security vulnerability >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Feb 10 22:00:36 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Vivek Khera >Release: FreeBSD 5.3-STABLE amd64 >Organization: >Environment: System: FreeBSD yertle.int.kciLink.com 5.3-STABLE FreeBSD 5.3-STABLE #0: Fri Jan 7 16:42:37 EST 2005 khera@yertle.int.kciLink.com:/usr/obj/usr/src/sys/YERTLE amd64 >Description: bug in private mailing list archives could allow anyone to read any file on web server. This issue has been assigned CVE number CAN-2005-0202 Also took the opportunity to treat the crontab file as a config file: it is only removed on de-install if not modified. And finally, fixed the warnings from the port building cluster that the mailman directory was created during the configure step. The configure script unfortunately demands it exists, so we have to create it, configure, then delete it. The user and group are still, however, created at configure time. >How-To-Repeat: >Fix: diff -Pru mailman/Makefile mailman.new/Makefile --- mailman/Makefile Fri Sep 3 11:39:41 2004 +++ mailman.new/Makefile Thu Feb 10 12:14:10 2005 @@ -7,7 +7,7 @@ PORTNAME= mailman PORTVERSION= 2.1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES?= mail MASTER_SITES= http://www.list.org/ \ ${MASTER_SITE_GNU} \ 
@@ -125,6 +125,10 @@ @ ${SED} -e 's#%%MAILMANDIR%%#${MAILMANDIR}#g' \ -e 's#%%DOCSDIR%%#${DOCSDIR}#g' -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \ ${MASTERDIR}/pkg-message > ${PKGMESSAGE} +# port system auditors complain if dir is created prior to install +# but configure demands it be there. we delete it now if empty, +# so it will be re-created. For existing installs, this is ignored + @- rmdir ${MAILMANDIR} 2> /dev/null pre-install: @ ${SH} ${PKGREQ} INSTALL diff -Pru mailman/files/patch-Mailman::Cgi::private.py mailman.new/files/patch-Mailman::Cgi::private.py --- mailman/files/patch-Mailman::Cgi::private.py Wed Dec 31 19:00:00 1969 +++ mailman.new/files/patch-Mailman::Cgi::private.py Thu Feb 10 11:58:24 2005 @@ -0,0 +1,34 @@ +Index: Mailman/Cgi/private.py +=================================================================== +RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v +retrieving revision 2.16.2.1 +diff -u -r2.16.2.1 private.py +--- private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1 ++++ private.py 10 Feb 2005 03:34:21 -0000 +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -35,13 +35,17 @@ + _ = i18n._ + i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + ++SLASH = '/' ++ + + + def true_path(path): + "Ensure that the path is safe by removing .." +- path = path.replace('../', '') +- path = path.replace('./', '') +- return path[1:] ++ parts = path.split(SLASH) ++ safe = [x for x in parts if x not in ('.', '..')] ++ if parts <> safe: ++ syslog('mischief', 'Directory traversal attack thwarted') ++ return SLASH.join(safe)[1:] + + + diff -Pru mailman/pkg-deinstall mailman.new/pkg-deinstall --- mailman/pkg-deinstall Thu Jan 23 09:45:36 2003 +++ mailman.new/pkg-deinstall Thu Feb 10 16:42:39 2005 
@@ -9,9 +9,15 @@ DEINSTALL) echo "---> Starting deinstall script:" - echo "---> Zeroing crontab(5) file belonging to user \"%%USER%%\"" - /usr/bin/crontab -u %%USER%% /dev/null - echo " (The crontab(5) will be deleted completely when user %%USER%% is removed.)" + if /usr/bin/crontab -u "%%USER%%" -l | \ + /usr/bin/diff - %%MAILMANDIR%%/cron/crontab.in >/dev/null 2>&1 ; then + echo "---> Zeroing crontab for \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" /dev/null + else + echo "---> Crontab for \"%%USER%%\" not removed: please deinstall" + echo "---> manually if you no-longer wish to use Mailman. eg:" + echo "---> /usr/bin/crontab -u "%%USER%%" -r" + fi echo "---> Stopping Mailman's qrunner daemon" %%PREFIX%%/etc/rc.d/mailman.sh stop >/dev/null 2>&1 @@ -36,19 +42,15 @@ if [ -d %%MAILMANDIR%% ]; then echo '---> %%MAILMANDIR%% is not empty - this installation may have active lists!' - echo '---> - The "%%USER%%" user and "%%GROUP%%" group were therefore not deleted.' - echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".' - echo "---> Restoring \"last_mailman_version\" file" [ -d %%MAILMANDIR%%/data ] || /bin/mkdir %%MAILMANDIR%%/data /bin/mv -f /var/tmp/last_mailman_version %%MAILMANDIR%%/data/ - - else - echo "---> Removing group \"%%GROUP%%\"" - /usr/sbin/pw groupdel -n %%GROUP%% - echo "---> Removing user \"%%USER%%\"" - echo 'y' | /usr/sbin/pw userdel -n %%USER%% fi + + echo '---> - If you are not using Mailman any more, you should manually delete' + echo '---> - the "%%USER%%" user and "%%GROUP%%" group.' + echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".' + ;; esac diff -Pru mailman/pkg-install mailman.new/pkg-install --- mailman/pkg-install Thu Jan 23 09:45:36 2003 +++ mailman.new/pkg-install Thu Feb 10 16:17:01 2005 
@@ -49,8 +49,22 @@ POST-INSTALL) echo "---> Starting post-install script:" - echo "---> Creating crontab(5) file for user \"%%USER%%\"" - /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + echo "---> Checking crontab(5) file for user \"%%USER%%\"" + + if /usr/bin/crontab -u "%%USER%%" -l >/tmp/mmctab$$ 2>&1 ; then + if test -s /tmp/mmctab$$; then + echo "---> \"%%USER%%\" already has a crontab. Not overwriting it" + echo "---> Please merge any changes from the standard crontab file" + echo "---> %%MAILMANDIR%%/cron/crontab.in" + else + echo "---> Installing crontab(5) file for user \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + fi + else + echo "---> Creating crontab(5) file for user \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + fi + rm -f /tmp/mmctab$$ echo "---> Checking (and fixing) file and directory permissions" %%MAILMANDIR%%/bin/check_perms -f >/dev/null 2>&1 >Release-Note: >Audit-Trail: >Unformatted:
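Review bot: in the true_path() hunk of patch-Mailman::Cgi::private.py, the component-wise filter is the right replacement for the old replace('../', '') / replace('./', '') calls, since a single-pass substring removal can be undone by nested sequences and it never rejected a bare ".." component at all; two follow-ups. First, `if parts <> safe:` only logs and then serves the stripped path; refusing the request outright (an error page rather than a best-effort path) when traversal components are present would be the safer default, and `!=` reads better than the legacy `<>` spelling. Second, the hunk calls syslog() but adds no import for it, so confirm that private.py already imports syslog from Mailman's logging module, otherwise the 'mischief' branch raises NameError instead of logging. The retained `[1:]` also still assumes the joined path starts with a slash, which is pre-existing behaviour but worth a comment.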
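Review bot: in the pkg-deinstall crontab hunk (@@ -9,9 +9,15 @@), the line `echo "---> /usr/bin/crontab -u "%%USER%%" -r"` nests unescaped double quotes, so the shell closes and reopens the string and the quotes around the user name are never printed; use `\"%%USER%%\"` as the neighbouring echo lines do. Also, when the user has no crontab at all, `crontab -l` fails and diff compares empty input against crontab.in, so the else branch tells the admin a crontab was "not removed" that does not exist; check the exit status of `crontab -l` first, the way the pkg-install hunk does, and skip the message in that case.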
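Review bot: the second pkg-deinstall hunk (@@ -36,19 +42,15 @@) changes more than the crontab handling described in the PR: the `pw groupdel` / `pw userdel` calls are dropped, so the %%USER%% account and %%GROUP%% group are now never removed on deinstall, and the advice to delete them is printed unconditionally, even when %%MAILMANDIR%% is already gone. That is a defensible choice, since the account owns files and a crontab, but it should be stated in the description and commit log, and the message could say why the port no longer removes them.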
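Review bot: in the pkg-install POST-INSTALL hunk, `/tmp/mmctab$$` is a predictable file name in a world-writable directory, written by a script that runs as root, which is the classic temp-file symlink race; use `mktemp -t mmctab` and abort if it fails, or avoid the file altogether by capturing the listing into a variable, e.g. `ctab=$(/usr/bin/crontab -u "%%USER%%" -l 2>/dev/null)` and branching on `$?` and `test -n "$ctab"`. The two branches that install crontab.in are also identical and could be collapsed into one, and a comment that the 2>&1 redirect is intentional (the exit status, not the captured text, drives the branch) would help the next reader.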