mailman: (CAN-2005-0202) directory traversal vulnerability

Bug #12719 reported by Debian Bug Importer
Affects: mailman (Debian); Status: Fix Released; Importance: Unknown
Affects: mailman (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Tollef Fog Heen

Bug Description

Automatically imported from Debian bug report #294467 http://bugs.debian.org/294467

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 09 Feb 2005 21:46:07 +0100
From: Florian Weimer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mailman: (CAN-2005-0202) directory traversal vulnerability

--===============1997112492==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: mailman
Version: 2.1.5-5
Severity: grave
Tags: security
Justification: user security hole

See:

  <http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html>

The attached patch fixes this hole. The list expression works on Python
2.1.3.

--===============1997112492==
Content-Type: application/x-shellscript
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="40_can-2005-0202.dpatch"


--===============1997112492==--

Tollef Fog Heen (tfheen) wrote : Bug#294467: fixed in mailman 2.1.5-6

Source: mailman
Source-Version: 2.1.5-6

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:

mailman_2.1.5-6.diff.gz
  to pool/main/m/mailman/mailman_2.1.5-6.diff.gz
mailman_2.1.5-6.dsc
  to pool/main/m/mailman/mailman_2.1.5-6.dsc
mailman_2.1.5-6_i386.deb
  to pool/main/m/mailman/mailman_2.1.5-6_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <email address hidden> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Feb 2005 12:10:42 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-6
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <email address hidden>
Changed-By: Tollef Fog Heen <email address hidden>
Description:
 mailman - Powerful, web-based mailing list manager
Closes: 283973 291289 293002 294467
Changes:
 mailman (2.1.5-6) unstable; urgency=high
 .
   * SECURITY UPDATE: fix information disclosure
   * Added debian/patches/04_CAN-2005-0202.dpatch:
     Mailman/Cgi/private.py, true_path(): fix the removal of '..' and '.' from
     private mail archive paths to prohibit path traversal (the former version
     transformed ".....///" to "../") (closes: #294467)
     (References: CAN-2005-0202)
   * Tighten build-deps on dpatch. (closes: #291289)
   * Update Czech debconf translation. (closes: #293002)
   * Add Dutch debconf translation. (closes: #283973)
Files:
 91fdedde9ada517bc94e52a29d8fa56a 651 mail optional mailman_2.1.5-6.dsc
 bf85a3cb885618a9964a873fb769225e 182465 mail optional mailman_2.1.5-6.diff.gz
 f30d18591db657a0c2870e54326a566c 6609034 mail optional mailman_2.1.5-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCC0YhQSseMYF6mWoRAn0FAJ91wD2djTv3KfETu6Cc3o/+WwjsKwCfX5jM
mkzVv05og/sDBHWI4mLFd50=
=+ZBW
-----END PGP SIGNATURE-----
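
Added example (not part of the original report, and not the Mailman or Debian code): the changelog above says the former true_path() transformed ".....///" to "../", and the reporter's fix relies on a list expression. The sketch below reconstructs both behaviours from that description under the hypothetical names strip_by_replace and strip_by_component, and goes one step beyond the page with resolve_inside, an assumed containment check against an archive root; all sample paths are constructed.

```python
import os
import tempfile

SLASH = "/"

def strip_by_replace(path):
    """Former behaviour per the changelog: delete the substrings '../' and
    './' in two passes, then drop the leading slash."""
    path = path.replace("../", "")
    path = path.replace("./", "")
    return path[1:]

def strip_by_component(path):
    """Fixed approach: split on '/', drop components that are exactly '.'
    or '..', rejoin, then drop the leading slash."""
    parts = [x for x in path.split(SLASH) if x not in (".", "..")]
    return SLASH.join(parts)[1:]

def resolve_inside(root, request_path, sanitize=strip_by_component):
    """Assumed extra check, not from the page: resolve the final path and
    refuse anything that lands outside root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, sanitize(request_path)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes archive root: %r" % request_path)
    return target

if __name__ == "__main__":
    # Constructed request path; 'listname' and 'outside.txt' are placeholders.
    sample = "/listname/.....///.....///outside.txt"
    print("replace-based  :", strip_by_replace(sample))
    print("component-based:", strip_by_component(sample))
    root = tempfile.mkdtemp()  # stands in for the private archive directory
    print("resolved       :", resolve_inside(root, sample))
    try:
        resolve_inside(root, sample, sanitize=strip_by_replace)
    except ValueError as exc:
        print("rejected       :", exc)
```

Substring deletion fails because removing one match can splice the surrounding characters into a new "../"; filtering whole components cannot create a component that was not already there.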

Tollef Fog Heen (tfheen) wrote :

Fixed in hoary and warty by Martin Pitt.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 10 Feb 2005 06:47:31 -0500
From: Tollef Fog Heen <email address hidden>
To: <email address hidden>
Subject: Bug#294467: fixed in mailman 2.1.5-6


Changed in mailman:
status: Unknown → Fix Released