[Mailman-Users] Re: Critical security update for Mailman 2.1.5 and earlier

dave at umiacs.umd.edu
Thu Feb 10 17:03:12 CET 2005


On Thu, 10 Feb 2005, John Swartzentruber wrote:

> On 2/10/2005 9:41 AM Barry Warsaw wrote:
>> Until Mailman 2.1.6 is released, the longer term fix is to apply this
>> patch:
>> 
>> 	http://www.list.org/CAN-2005-0202.txt
>
> Could an expert please help out a non-expert? I applied this patch to 
> /usr/lib/mailman/Mailman/Cgi, and the private.py file was correctly patched. 
> I'm not sure that this is enough, however, because the private.pyc file 
> wasn't changed, even after I restarted mailman. Should I have patched the 
> private.py file in the source, then gone through the "make" and "make 
> install" process?
>

Edit $MAILMAN/Mailman/Cgi/private.py (probably wise to save the original).
Where you see lines in the diff beginning with "-", remove those lines;
where you see lines in the diff beginning with "+", add those lines.

Once the edit is complete, stop and restart the qrunner (perhaps it's
/etc/init.d/mailman or $MAILMAN/bin/mailmanctl, depending on how you're
set up).


The pyc will only get remade when needed and since this only affects lists
with archives, try going to some list of yours with an archive.

The original patch I saw on the net seems to work fine but doesn't log the
hack attempts to the $MAILMAN/logs/mischief  file. Here it is:

----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Split on '/', drop every '.' and '..' component, rejoin, and strip
    # the leading '/' (PATH_INFO always begins with one).
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]
-----------------------------------------------------

The one from the diffs looks like this:

----------------------------------------------------
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)


SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Same filtering as above, but note when anything was dropped and
    # record it in $MAILMAN/logs/mischief.
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    if parts != safe:
        syslog('mischief', 'Directory traversal attack thwarted')
    return SLASH.join(safe)[1:]

------------------------------------------------------

If I got any of the above wrong, I apologize; please let me know.
We're all in this together


  =-=-=-=-=-=-=-=-=-=-  generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
  David Stern                                    University of Maryland
            Institute for Advanced Computer Studies
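The following is an added example and is not code from the post above or from any Mailman release. It re-implements the patched true_path() logic shown in the message (in Python 3; the original is Python 2) and runs it against constructed PATH_INFO values, next to a constructed single-pass substring sanitiser (naive_true_path, an illustration only, not Mailman's pre-patch code) to show why filtering whole path components is the right shape. ROOT, resolve_under_root, compare and the sample paths are assumptions made for the example.

```python
"""Added example, not Mailman code: the patched true_path() filtering from
the CAN-2005-0202 fix, exercised on constructed traversal inputs."""
import posixpath

SLASH = '/'


def true_path(path):
    """Same filtering as the patched Mailman helper: split on '/', drop every
    '.' and '..' component, rejoin, strip the leading '/'.  Returns
    (safe_path, attack_seen) instead of calling syslog('mischief', ...) so
    the caller decides where to log.  Like the original it assumes PATH_INFO
    starts with '/'; the [1:] drops that first character."""
    parts = path.split(SLASH)
    safe = [x for x in parts if x not in ('.', '..')]
    return SLASH.join(safe)[1:], parts != safe


def naive_true_path(path):
    """Constructed contrast, not code from any Mailman release: a single
    substring removal.  Deleting '../' once lets '....//' collapse into a
    fresh '../' that nothing looks at again."""
    return path.replace('../', '')[1:]


def resolve_under_root(root, rel):
    """Defence in depth: resolve the cleaned path below the archive root and
    report whether it still lies inside it.  root is an assumed absolute
    private-archive directory."""
    full = posixpath.normpath(posixpath.join(root, rel))
    inside = full == root or full.startswith(root + SLASH)
    return full, inside


ROOT = '/var/lib/mailman/archives/private'   # assumed location

# Constructed inputs: a legitimate archive URL, a plain traversal, and a
# nested form that defeats single-pass removal.
SAMPLES = [
    '/mylist/2005-February/000123.html',
    '/mylist/../../../etc/passwd',
    '/mylist/....//....//....//etc/passwd',
]


def compare(path):
    """Run both sanitisers on one PATH_INFO value and resolve each result.
    'split' carries (resolved, inside_root, attack_seen); 'naive' carries
    (resolved, inside_root)."""
    safe, seen = true_path(path)
    naive = naive_true_path(path)
    return {
        'split': resolve_under_root(ROOT, safe) + (seen,),
        'naive': resolve_under_root(ROOT, naive),
    }


if __name__ == '__main__':
    for p in SAMPLES:
        r = compare(p)
        print(p)
        print('  split-based :', r['split'][0],
              'inside=%s attack=%s' % r['split'][1:])
        print('  single-pass :', r['naive'][0],
              'inside=%s' % r['naive'][1])
```

Two things worth noticing when you run it. The component filter never needs to recognise '....//' as hostile: after the split it is just an odd directory name, so the request resolves to a non-existent path under the archive root and the mischief log stays quiet, whereas the single-pass removal turns the same input into 'mylist/../../../etc/passwd' and walks out of the root. And the containment check in resolve_under_root is independent of either sanitiser, which is the check to keep even once private.py is patched.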


