Path traversal vulnerability exists in Mailman and can be exploited if Mailman's MTA is Exim.

Bug #1437145 reported by Mark Sapiro on 2015-03-27
Affects: GNU Mailman
Importance: Medium
Assigned to: Mark Sapiro

Bug Description

The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix.

The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../<email address hidden>), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack.

The recommended Exim configuration does check that the lists/${lc::$local_part}/config.pck file does exist, but this check is also vulnerable to the path traversal attack.

Mark Sapiro (msapiro) on 2015-03-27
description: updated
Mark Sapiro (msapiro) wrote :

It appears that the postfix_to_mailman.py transport for Postfix and probably other MTA transports that deliver programmatically without using aliases are also vulnerable.

Mark Sapiro (msapiro) wrote :

This vulnerability has been assigned CVE-2015-2775.

Mark Sapiro (msapiro) wrote :

The patch to Mailman/Utils.py at <https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4358114/+files/p> can be applied with at most a line number offset to any Mailman 2.1.x version, but the referenced mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS setting didn't exist before Mailman 2.1.11 so if you are patching an older version, you need to add

ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

to mm_cfg.py and/or Defaults.py.
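An added illustration of the check described in the report and in the comment above; this is not the attached patch nor Mailman's own code. It mimics the listname derivation the Exim transport performs (lower-case, strip a known suffix), applies the ACCEPTABLE_LISTNAME_CHARACTERS whitelist, and adds a containment check on the resolved path. The suffix list, the LIST_DATA_DIR value and the function names are assumptions.

```python
import os
import re

# The mm_cfg setting named in the bug; this is the value the comment above tells
# older installations to add to mm_cfg.py.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Assumed: address suffixes a Mailman 2.1 transport strips from the local part.
KNOWN_SUFFIXES = ('-admin', '-bounces', '-confirm', '-join', '-leave',
                  '-owner', '-request', '-subscribe', '-unsubscribe')

# Assumed list root for this example (Mailman's own setting is mm_cfg.LIST_DATA_DIR).
LIST_DATA_DIR = '/var/lib/mailman/lists'


def listname_from_local_part(local_part):
    """Mimic the Exim transport: lower-case the local part and strip one known suffix."""
    name = local_part.lower()
    for suffix in KNOWN_SUFFIXES:
        if name.endswith(suffix):
            return name[:-len(suffix)]
    return name


def is_valid_listname(name):
    """The whitelist check: every character must be in ACCEPTABLE_LISTNAME_CHARACTERS."""
    if not name:
        return False
    return re.match(ACCEPTABLE_LISTNAME_CHARACTERS + r'+\Z', name) is not None


def safe_config_path(local_part, list_data_dir=LIST_DATA_DIR):
    """Return the config.pck path for a delivery address, or None if delivery must be refused.

    Two independent checks: the character whitelist, which rejects any '/' and so the
    ../../ traversal from the report, and a containment check on the resolved path,
    which also catches names such as '..' that the whitelist alone lets through.
    """
    name = listname_from_local_part(local_part)
    if not is_valid_listname(name):
        return None
    root = os.path.realpath(list_data_dir)
    path = os.path.realpath(os.path.join(root, name, 'config.pck'))
    # The config file must sit exactly one directory below the list root.
    if os.path.dirname(os.path.dirname(path)) != root:
        return None
    return path
```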

Mark Sapiro (msapiro) on 2015-03-31
information type: Private Security → Public Security
Mark Sapiro (msapiro) on 2015-03-31
Changed in mailman:
status: In Progress → Fix Released