| 2015-03-27 04:19:57 |
Mark Sapiro |
bug |
|
|
added bug |
| 2015-03-27 04:19:57 |
Mark Sapiro |
attachment added |
|
Patch to fix this bug https://bugs.launchpad.net/bugs/1437145/+attachment/4357559/+files/p |
|
| 2015-03-27 06:49:16 |
Mark Sapiro |
description |
The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix.
The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../tmp/fakelist@domain.com), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack.
The recommended Exim configiration does check that the lists/${lc::$local_part}/config.pck file does exist, put this check is also vulnerable to the path traversal attack. |
The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix.
The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../tmp/fakelist@domain.com), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack.
The recommended Exim configiration does check that the lists/${lc::$local_part}/config.pck file does exist, but this check is also vulnerable to the path traversal attack. |
|
| 2015-03-27 06:55:44 |
Mark Sapiro |
attachment removed |
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357559/+files/p |
|
|
| 2015-03-27 06:56:32 |
Mark Sapiro |
attachment added |
|
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357586/+files/p |
|
| 2015-03-27 06:57:35 |
Mark Sapiro |
attachment removed |
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357586/+files/p |
|
|
| 2015-03-27 06:58:13 |
Mark Sapiro |
attachment added |
|
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357587/+files/p |
|
| 2015-03-27 06:58:54 |
Mark Sapiro |
attachment removed |
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357587/+files/p |
|
|
| 2015-03-27 07:00:42 |
Mark Sapiro |
attachment added |
|
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357589/+files/p |
|
| 2015-03-27 18:28:16 |
Mark Sapiro |
attachment added |
|
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4358114/+files/p |
|
| 2015-03-27 18:29:04 |
Mark Sapiro |
attachment removed |
Patch to fix this bug https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4357589/+files/p |
|
|
| 2015-03-27 21:54:03 |
Mark Sapiro |
cve linked |
|
2015-2775 |
|
| 2015-03-31 14:26:33 |
Mark Sapiro |
information type |
Private Security |
Public Security |
|
| 2015-03-31 16:43:25 |
Launchpad Janitor |
branch linked |
|
lp:mailman/2.1 |
|
| 2015-03-31 17:54:56 |
Mark Sapiro |
mailman: status |
In Progress |
Fix Released |
|
