Bug 1208059 (CVE-2015-2775)
| Summary: | CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jkaluza, jrusnack |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mailman 2.1.20 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-22 08:40:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1208060, 1214147, 1230144, 1230145 | ||
| Bug Blocks: | 1193283, 1208061 | ||
|
Description
Vasyl Kaigorodov
2015-04-01 09:46:39 UTC
Created mailman tracking bugs for this issue: Affects: fedora-all [bug 1208060] More detailed description from https://bugs.launchpad.net/mailman/+bug/1437145 : "The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix. The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../<email address hidden>), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack. The recommended Exim configiration does check that the lists/${lc::$local_part}/config.pck file does exist, but this check is also vulnerable to the path traversal attack." Upstream bug: https://bugs.launchpad.net/mailman/+bug/1437145 mailman-2.1.20-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. Statement: (none) mailman-2.1.20-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1153 https://rhn.redhat.com/errata/RHSA-2015-1153.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1417 https://rhn.redhat.com/errata/RHSA-2015-1417.html |