denial of service security bug
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Fix Released | Medium | Tokio Kikuchi |
Bug Description
We've had multiple incidents of this problem.
If a digest gets a message containing an attachment
using an RFC 2231 encoded parameter that has a character
set that is unknown to Python (in this case, "X-UNKNOWN"),
then the routine get_filename() in email/Message.py (not to be
confused with Mailman/Message.py) calls unicode() without any
error trap.
The result is that digest delivery for that entire mailing
list is suspended until that message is manually
removed.
It appears that passing an "ignore" as the errors
parameter to unicode() won't stop Python from
generating this error.
I'm not sure as to the best way to fix this. I haven't
worked much with Python at all, and Mailman support
was just dumped on my lap.
I can see that there are lots of unicode() calls
throughout the Mailman source that don't have any error
protection. I don't know which ones are also vulnerable
to this attack.
Traceback (most recent call last):
File "/usr/local/
main()
File "/usr/local/
main
mlist.
File "/usr/local/
in send_digest_now
ToDigest.
File "/usr/local/
line 132, in send_digests
send_
File "/usr/local/
line 306, in send_i18n_digests
msg = scrubber(mlist, msg)
File "/usr/local/
line 268, in process
url = save_attachment
File "/usr/local/
line 362, in save_attachment
fnext = os.path.
File "/usr/local/
line 731, in get_filename
return unicode(
LookupError: unknown encoding: X-UNKNOWN
[http://
We've kept copies of the messages which caused the
problem in the most recent incident, so if you need help in
reproducing/testing we'll be happy to supply them as test
data.
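
The failure mode described in the report, as an added example that is not part of the report or of Mailman's code: an unknown charset label raises LookupError during codec lookup, before the errors argument is consulted, so the decode has to be wrapped. It is written for Python 3 rather than the Python 2 unicode() call in the traceback; the sample message and the helper name safe_rfc2231_decode are constructed for illustration.

```python
import email
from email.utils import unquote

# Constructed sample: an attachment whose RFC 2231 filename parameter names
# a charset Python has no codec for (X-UNKNOWN, as in the report).
SAMPLE = (
    "From: sender@example.com\n"
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename*=X-UNKNOWN''r%E9sum%E9.txt\n"
    "\n"
    "body\n"
)


def errors_arg_is_not_enough(raw=b"r\xe9sum\xe9.txt"):
    """Return True if errors='ignore' fails to suppress an unknown codec."""
    try:
        raw.decode("X-UNKNOWN", "ignore")
    except LookupError:
        # Codec lookup fails before any error handler can run.
        return True
    return False


def safe_rfc2231_decode(value, fallback="latin-1"):
    """Hypothetical helper: decode a get_param() result without raising."""
    if not isinstance(value, tuple):
        return unquote(value)          # plain, non-RFC 2231 parameter
    charset, _language, text = value
    # The email package hands back the percent-decoded octets as a str;
    # turn them back into bytes one code point per octet.
    raw = text.encode("raw-unicode-escape")
    try:
        return raw.decode(charset or "us-ascii", "replace")
    except (LookupError, UnicodeError):
        # Unknown or unusable charset label: keep the octets, never abort
        # processing of the whole digest over one attachment name.
        return raw.decode(fallback, "replace")


def attachment_filename(source=SAMPLE):
    """Parse the message and return a filename that is always a str."""
    msg = email.message_from_string(source)
    value = msg.get_param("filename", header="content-disposition")
    return safe_rfc2231_decode(value)
```
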