[ mailman-Bugs-1179487 ] denial of service security bug

SourceForge.net noreply at sourceforge.net
Sat Apr 9 22:57:50 CEST 2005


Bugs item #1179487, was opened at 2005-04-08 21:46
Message generated for change (Comment added) made by tkikuchi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1179487&group_id=103

Category: mail delivery
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Mark Crispin (mrcrispin)
>Assigned to: Tokio Kikuchi (tkikuchi)
Summary: denial of service security bug

Initial Comment:
We've had multiple incidents of this problem.

If a digest gets a message containing an attachment 
using an RFC 2231 encoded parameter has a character 
set that is unknown to Python (in this case, "X-
UNKNOWN"), then routine get_filename() in 
email/Message.py (not to be confused with 
Mailman/Message.py) calls unicode() without any error 
trap.

The result is that digest delivery for that entire mailing 
list is suspended until that message is manually 
removed.

It appears that passing an "ignore" as the errors 
parameter to unicode() won't stop Python from 
generating this error.

I'm not sure as to the best way to fix this.  I haven't 
worked much with Python at all, and Mailman support 
was just dumped on my lap.

I can see that there are lots of unicode() calls 
throughout the Mailman source that don't have any error 
protection.  I don't know which ones are also vulnerable 
to this attack.

Traceback (most recent call last):
  File "/usr/local/mailman/cron/senddigests", line 94, in ?
    main()
  File "/usr/local/mailman/cron/senddigests", line 86, in 
main
    mlist.send_digest_now()
  File "/usr/local/mailman/Mailman/Digester.py", line 60, 
in send_digest_n
ow
    ToDigest.send_digests(self, mboxfp)
  
File "/usr/local/mailman/Mailman/Handlers/ToDigest.py",
 line 132, in sen
d_digests
    send_i18n_digests(mlist, mboxfp)
  
File "/usr/local/mailman/Mailman/Handlers/ToDigest.py",
 line 306, in sen
d_i18n_digests
    msg = scrubber(mlist, msg)
  
File "/usr/local/mailman/Mailman/Handlers/Scrubber.py",
 line 268, in pro
cess
    url = save_attachment(mlist, part, dir)
  
File "/usr/local/mailman/Mailman/Handlers/Scrubber.py",
 line 362, in sav
e_attachment
    fnext = os.path.splitext(msg.get_filename(''))[1]
  File "/usr/local/mailman/pythonlib/email/Message.py", 
line 731, in get_f
ilename
    return unicode(newvalue[2], newvalue[0] or 'us-ascii')
LookupError: unknown encoding: X-UNKNOWN

----------------------------------------------------------------------

>Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-04-09 20:57

Message:
Logged In: YES 
user_id=67709

What is your mailman version? I believe i18n charset issues
are greatly improved in 2.1.6 beta.
BTW, I don't like to call this a security issue.


----------------------------------------------------------------------

Comment By: Mark Crispin (mrcrispin)
Date: 2005-04-09 16:38

Message:
Logged In: YES 
user_id=1255784

We've kept copies of the messages which caused the 
problem in the most recent incident, so if you need help in 
reproducing/testing we'll be happy to supply them as test 
data.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1179487&group_id=103


More information about the Mailman-coders mailing list