[ mailman-Bugs-1179487 ] denial of service security bug

SourceForge.net noreply at sourceforge.net
Sun Jun 26 07:33:46 CEST 2005


Bugs item #1179487, was opened at 2005-04-08 21:46
Message generated for change (Comment added) made by tkikuchi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1179487&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: mail delivery
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Mark Crispin (mrcrispin)
Assigned to: Tokio Kikuchi (tkikuchi)
Summary: denial of service security bug

Initial Comment:
We've had multiple incidents of this problem.

If a digest gets a message containing an attachment 
using an RFC 2231 encoded parameter has a character 
set that is unknown to Python (in this case, "X-
UNKNOWN"), then routine get_filename() in 
email/Message.py (not to be confused with 
Mailman/Message.py) calls unicode() without any error 
trap.

The result is that digest delivery for that entire mailing 
list is suspended until that message is manually 
removed.

It appears that passing an "ignore" as the errors 
parameter to unicode() won't stop Python from 
generating this error.

I'm not sure as to the best way to fix this.  I haven't 
worked much with Python at all, and Mailman support 
was just dumped on my lap.

I can see that there are lots of unicode() calls 
throughout the Mailman source that don't have any error 
protection.  I don't know which ones are also vulnerable 
to this attack.

Traceback (most recent call last):
  File "/usr/local/mailman/cron/senddigests", line 94, in ?
    main()
  File "/usr/local/mailman/cron/senddigests", line 86, in 
main
    mlist.send_digest_now()
  File "/usr/local/mailman/Mailman/Digester.py", line 60, 
in send_digest_n
ow
    ToDigest.send_digests(self, mboxfp)
  
File "/usr/local/mailman/Mailman/Handlers/ToDigest.py",
 line 132, in sen
d_digests
    send_i18n_digests(mlist, mboxfp)
  
File "/usr/local/mailman/Mailman/Handlers/ToDigest.py",
 line 306, in sen
d_i18n_digests
    msg = scrubber(mlist, msg)
  
File "/usr/local/mailman/Mailman/Handlers/Scrubber.py",
 line 268, in pro
cess
    url = save_attachment(mlist, part, dir)
  
File "/usr/local/mailman/Mailman/Handlers/Scrubber.py",
 line 362, in sav
e_attachment
    fnext = os.path.splitext(msg.get_filename(''))[1]
  File "/usr/local/mailman/pythonlib/email/Message.py", 
line 731, in get_f
ilename
    return unicode(newvalue[2], newvalue[0] or 'us-ascii')
LookupError: unknown encoding: X-UNKNOWN

----------------------------------------------------------------------

>Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-06-26 05:33

Message:
Logged In: YES 
user_id=67709

It looks like the current scheme of sending digest during
the course of regular delivery was a bad idea.  Workaround
may be to enclose the send_digest part in try - except
clause.  Please try the latest CVS code.


----------------------------------------------------------------------

Comment By: Mark Crispin (mrcrispin)
Date: 2005-04-10 01:48

Message:
Logged In: YES 
user_id=1255784

Our version of mailman is 2.1.5, the current release version, 
along with customizations made at UW by my predecessor 
for use with our web pubcookie authentication system.  
However, the fault occurs in unmodified Mailman code, and 
he insists that nothing he did would affect this.

I call it a security issue because anyone can send a 
message to a mailman mailing list that will cause digests to 
fail and be stuck, just by using a bogus character set name 
in an attachment filename.  Not only isn't the message in 
question sent, but all subsequent messages are also held 
because of the trap.

A denial of service problem *is* a security problem.

I don't know how extensive the problem is in Mailman, but I 
see numerous unicode() calls in the Mailman source that 
have no protection from error traps.  So maybe more than 
just digests are affected.

If you can't reproduce the problem, I'll be happy to provide 
some of the messages which hung our digests.  The problem 
definitely happens with charset names in encoded-
parameters in MIME (attachment filenames).

Thank you in advance for your rapid attention.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2005-04-09 20:57

Message:
Logged In: YES 
user_id=67709

What is your mailman version? I believe i18n charset issues
are greatly improved in 2.1.6 beta.
BTW, I don't like to call this a security issue.


----------------------------------------------------------------------

Comment By: Mark Crispin (mrcrispin)
Date: 2005-04-09 16:38

Message:
Logged In: YES 
user_id=1255784

We've kept copies of the messages which caused the 
problem in the most recent incident, so if you need help in 
reproducing/testing we'll be happy to supply them as test 
data.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1179487&group_id=103


More information about the Mailman-coders mailing list