Bug 723584 (CVE-2002-0389)

Summary: CVE-2002-0389 mailman: Local users able to read private mailing list archives
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkaluza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 08:40:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1214147    
Bug Blocks: 1193283    
Attachments:
Description Flags
Relevant mailman-2.1.13-3 and mailman-2.1.13-4 SPEC file difference none

Description Jan Lieskovsky 2011-07-20 16:10:32 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2002-0389 to the following vulnerability:

Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389
[2] http://marc.theaimsgroup.com/?l=bugtraq&m=101902003314968&w=2
[3] http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
[4] http://www.iss.net/security_center/static/8874.php
[5] http://www.securityfocus.com/bid/4538

Further references:
[6] https://bugzilla.novell.com/show_bug.cgi?id=418589
[7] https://bugzilla.redhat.com/show_bug.cgi?id=459530

Proposed upstream solution:
[8] http://www.list.org/mailman-install/node9.html (in the Warning part)
Comment 1 Jan Lieskovsky 2011-07-20 16:12:04 UTC 
Exact form of the upstream solution proposal (from [8]):
========================================================

Warning: If you're running Mailman on a shared multiuser system, and you have mailing lists with private archives, you may want to hide the private archive directory from other users on your system. In that case, you should drop the other execute permission (o-x) from the archives/private directory. However, the web server process must be able to follow the symbolic link in public directory, otherwise your public Pipermail archives will not work. To set this up, become root and run the following commands:

# cd <prefix>/archives
# chown <web-server-user> private
# chmod o-x private

You need to know what user your web server runs as. It may be www, apache, httpd or nobody, depending on your server's configuration.
Comment 2 Jan Lieskovsky 2011-07-20 16:14:25 UTC 
This issue affects the versions of the mailman package, as shipped with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue does NOT affect the versions of the mailman package, as shipped with Fedora release of 14 and 15. It has been corrected in mailman-2.1.13-4.fc14 already. Relevant Changelog entry:

* Tue Jul 13 2010 Jan Kaluza <jkaluza> 3:2.1.13-4
- #459530 - fix permissions of archives/private directory
Comment 3 Jan Lieskovsky 2011-07-20 16:28:23 UTC 
Created attachment 514052 [details]
Relevant mailman-2.1.13-3 and mailman-2.1.13-4 SPEC file difference

Implements the changes, suggested to be performed post mailman installation (steps described in that Warning)
Comment 4 Huzaifa S. Sidhpurwala 2011-07-21 05:51:18 UTC 
Statement:

(none)
Comment 6 errata-xmlrpc 2015-07-22 07:41:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1417 https://rhn.redhat.com/errata/RHSA-2015-1417.html