From 78a9a5c49eedee9dfef29e6b0892a4f401e62933 Mon Sep 17 00:00:00 2001 From: Pav Lucistnik Date: Thu, 10 Feb 2005 22:25:02 +0000 Subject: - Fix a security problem in private mailing list archives could allow anyone to read any file on web server. - Minor port changes PR: ports/77364 Submitted by: Vivek Khera (maintainer) Security: CVE number CAN-2005-0202 --- mail/mailman/Makefile | 6 +++- mail/mailman/files/patch-Mailman::Cgi::private.py | 34 +++++++++++++++++++++++ mail/mailman/pkg-deinstall | 26 +++++++++-------- mail/mailman/pkg-install | 18 ++++++++++-- 4 files changed, 69 insertions(+), 15 deletions(-) create mode 100644 mail/mailman/files/patch-Mailman::Cgi::private.py diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile index 7ae3d023512d..ea3f497528ab 100644 --- a/mail/mailman/Makefile +++ b/mail/mailman/Makefile @@ -7,7 +7,7 @@ PORTNAME= mailman PORTVERSION= 2.1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES?= mail MASTER_SITES= http://www.list.org/ \ ${MASTER_SITE_GNU} \ @@ -125,6 +125,10 @@ post-configure: @ ${SED} -e 's#%%MAILMANDIR%%#${MAILMANDIR}#g' \ -e 's#%%DOCSDIR%%#${DOCSDIR}#g' -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \ ${MASTERDIR}/pkg-message > ${PKGMESSAGE} +# port system auditors complain if dir is created prior to install +# but configure demands it be there. we delete it now if empty, +# so it will be re-created. For existing installs, this is ignored + @- rmdir ${MAILMANDIR} 2> /dev/null pre-install: @ ${SH} ${PKGREQ} INSTALL diff --git a/mail/mailman/files/patch-Mailman::Cgi::private.py b/mail/mailman/files/patch-Mailman::Cgi::private.py new file mode 100644 index 000000000000..08fd1390c7a6 --- /dev/null +++ b/mail/mailman/files/patch-Mailman::Cgi::private.py 
@@ -0,0 +1,34 @@
+Index: Mailman/Cgi/private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
++++ private.py 10 Feb 2005 03:34:21 -0000
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+
++SLASH = '/'
++
+
+
+ def true_path(path):
+ "Ensure that the path is safe by removing .."
+- path = path.replace('../', '')
+- path = path.replace('./', '')
+- return path[1:]
++ parts = path.split(SLASH)
++ safe = [x for x in parts if x not in ('.', '..')]
++ if parts <> safe:
++ syslog('mischief', 'Directory traversal attack thwarted')
++ return SLASH.join(safe)[1:]
+
+
+
diff --git a/mail/mailman/pkg-deinstall b/mail/mailman/pkg-deinstall
index 180ac640fa0d..1ab07c748f92 100644
--- a/mail/mailman/pkg-deinstall
+++ b/mail/mailman/pkg-deinstall
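Review bot: `true_path` in the nested `@@ -35,13 +35,17 @@` hunk of the private.py patch filters only `.` and `..`, so empty components from repeated slashes survive and the value left after `[1:]` can still begin with `/`. The caller is outside the hunk; if it joins this result onto the private archive directory with `os.path.join`, an absolute result would discard that base, so the helper should return a strictly relative path. I would build `parts = [x for x in path.split(SLASH) if x]` and end with `return SLASH.join(safe)`, which also makes the blind `[1:]` unnecessary. The `mischief` log entry would help triage more if it recorded the offending path, and the caller should still confirm that the resolved file lies under the archive root before opening it.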
@@ -9,9 +9,15 @@ case $2 in DEINSTALL) echo "---> Starting deinstall script:" - echo "---> Zeroing crontab(5) file belonging to user \"%%USER%%\"" - /usr/bin/crontab -u %%USER%% /dev/null - echo " (The crontab(5) will be deleted completely when user %%USER%% is removed.)" + if /usr/bin/crontab -u "%%USER%%" -l | \ + /usr/bin/diff - %%MAILMANDIR%%/cron/crontab.in >/dev/null 2>&1 ; then + echo "---> Zeroing crontab for \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" /dev/null + else + echo "---> Crontab for \"%%USER%%\" not removed: please deinstall" + echo "---> manually if you no-longer wish to use Mailman. eg:" + echo "---> /usr/bin/crontab -u "%%USER%%" -r" + fi echo "---> Stopping Mailman's qrunner daemon" %%PREFIX%%/etc/rc.d/mailman.sh stop >/dev/null 2>&1 @@ -36,19 +42,15 @@ POST-DEINSTALL) if [ -d %%MAILMANDIR%% ]; then echo '---> %%MAILMANDIR%% is not empty - this installation may have active lists!' - echo '---> - The "%%USER%%" user and "%%GROUP%%" group were therefore not deleted.' - echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".' - echo "---> Restoring \"last_mailman_version\" file" [ -d %%MAILMANDIR%%/data ] || /bin/mkdir %%MAILMANDIR%%/data /bin/mv -f /var/tmp/last_mailman_version %%MAILMANDIR%%/data/ - - else - echo "---> Removing group \"%%GROUP%%\"" - /usr/sbin/pw groupdel -n %%GROUP%% - echo "---> Removing user \"%%USER%%\"" - echo 'y' | /usr/sbin/pw userdel -n %%USER%% fi + + echo '---> - If you are not using Mailman any more, you should manually delete' + echo '---> - the "%%USER%%" user and "%%GROUP%%" group.' + echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".' + ;; esac diff --git a/mail/mailman/pkg-install b/mail/mailman/pkg-install index 214bf3df6499..fc2dd3e53bc7 100644 --- a/mail/mailman/pkg-install +++ b/mail/mailman/pkg-install 
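Review bot: In the first pkg-deinstall hunk the last added `echo` leaves its inner quotes unescaped, so the shell closes and reopens the string and the printed hint loses the quotes around the user name, unlike the `\"%%USER%%\"` form on the lines above it. I would write it as `echo "---> /usr/bin/crontab -u \"%%USER%%\" -r"`. The `diff` call in the same hunk also passes `%%MAILMANDIR%%/cron/crontab.in` unquoted while pkg-install quotes that path; quoting it here keeps the two scripts consistent.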
@@ -49,8 +49,22 @@ PRE-INSTALL) POST-INSTALL) echo "---> Starting post-install script:" - echo "---> Creating crontab(5) file for user \"%%USER%%\"" - /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + echo "---> Checking crontab(5) file for user \"%%USER%%\"" + + if /usr/bin/crontab -u "%%USER%%" -l >/tmp/mmctab$$ 2>&1 ; then + if test -s /tmp/mmctab$$; then + echo "---> \"%%USER%%\" already has a crontab. Not overwriting it" + echo "---> Please merge any changes from the standard crontab file" + echo "---> %%MAILMANDIR%%/cron/crontab.in" + else + echo "---> Installing crontab(5) file for user \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + fi + else + echo "---> Creating crontab(5) file for user \"%%USER%%\"" + /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1 + fi + rm -f /tmp/mmctab$$ echo "---> Checking (and fixing) file and directory permissions" %%MAILMANDIR%%/bin/check_perms -f >/dev/null 2>&1 -- cgit v1.2.3
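Review bot: The added block in pkg-install redirects `crontab -l` output to `/tmp/mmctab$$`, a predictable name in a world-writable directory, from an install script that presumably runs as root. A redirect to a guessable path follows whatever already exists there, so the file should be created safely, for example `tmpf=$(/usr/bin/mktemp -t mmctab) || exit 1` with `"$tmpf"` used in place of `/tmp/mmctab$$`. The two `|| exit 1` branches also leave before the final `rm -f`, so the temporary file stays behind on failure; removing it before exiting, or from a `trap`, would close that gap.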