[Bug 1437145] [NEW] Path traversal vulnerability exists in Mailman and can be exploited if Mailman's MTA is Exim.

[Mark Sapiro]

*** This bug is a security vulnerability ***

Private security bug reported:

The recommended Mailman Transport for Exim invokes the Mailman mail
wrapper with an unedited listname derived from the $local_part of the
email address less any known suffix.

The problem with this configuration is that $local_part is not
guaranteed to be safe for use as a filesystem directory name. This
allows a local attacker to create a directory with a config.pck file in
a location that the mailman user can access, send an email to an address
with the directory traversal in it
(../../../../../tmp/fakelist at domain.com), and then wait for the queue
runner to execute arbitrary code as the mailman user either via the
pickle file itself or through an extend.py file in the fake list
directory. Neither exim nor mailman has code that protects against this
attack.

The recommended Exim configiration does check that the
lists/${lc::$local_part}/config.pck file does exist, put this check is
also vulnerable to the path traversal attack.

** Affects: mailman
     Importance: Medium
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

** Patch added: "Patch to fix this bug"
   https://bugs.launchpad.net/bugs/1437145/+attachment/4357559/+files/p

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1437145

Title:
  Path traversal vulnerability exists in Mailman and can be exploited if
  Mailman's MTA is Exim.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1437145/+subscriptions