Bug 1208059 (CVE-2015-2775) - CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically
Summary: CVE-2015-2775 mailman: directory traversal in MTA transports that deliver pro...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2775
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150331,repor...
Depends On: 1208060 1214147 1230144 1230145
Blocks: 1193283 1208061
TreeView+ depends on / blocked
 
Reported: 2015-04-01 09:46 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:31 UTC (History)
2 users (show)

Fixed In Version: mailman 2.1.20
Doc Type: Bug Fix
Doc Text:
It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman.
Clone Of:
Environment:
Last Closed: 2015-07-22 08:40:03 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1153 normal SHIPPED_LIVE Moderate: mailman security and bug fix update 2015-06-23 13:11:39 UTC
Red Hat Product Errata RHSA-2015:1417 normal SHIPPED_LIVE Moderate: mailman security and bug fix update 2015-07-20 18:06:40 UTC

Description Vasyl Kaigorodov 2015-04-01 09:46:39 UTC
A path traversal vulnerability has been discovered and fixed in Mailman 2.1.20.  This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed.

The patch to Mailman/Utils.py at <https://bugs.launchpad.net/mailman/+bug/1437145/+attachment/4358114/+files/p> can be applied with at most a line number offset to any Mailman 2.1.x version, but the referenced mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS setting didn't exist before Mailman 2.1.11 so if you are patching an older version, you need to add:

ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

to mm_cfg.py and/or Defaults.py.

Comment 1 Vasyl Kaigorodov 2015-04-01 09:47:04 UTC
Created mailman tracking bugs for this issue:

Affects: fedora-all [bug 1208060]

Comment 2 Ján Rusnačko 2015-04-03 10:01:59 UTC
More detailed  description from https://bugs.launchpad.net/mailman/+bug/1437145 :
"The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix.

The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../../../../<email address hidden>), and then wait for the queue runner to execute arbitrary code as the mailman user either via the pickle file itself or through an extend.py file in the fake list directory. Neither exim nor mailman has code that protects against this attack.

The recommended Exim configiration does check that the lists/${lc::$local_part}/config.pck file does exist, but this check is also vulnerable to the path traversal attack."

Comment 3 Ján Rusnačko 2015-04-03 10:33:28 UTC
Upstream bug:

https://bugs.launchpad.net/mailman/+bug/1437145

Comment 5 Fedora Update System 2015-04-21 18:25:42 UTC
mailman-2.1.20-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Huzaifa S. Sidhpurwala 2015-04-22 06:12:54 UTC
Statement:

(none)

Comment 8 Fedora Update System 2015-04-30 11:48:07 UTC
mailman-2.1.20-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2015-06-23 09:12:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1153 https://rhn.redhat.com/errata/RHSA-2015-1153.html

Comment 11 errata-xmlrpc 2015-07-22 07:42:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1417 https://rhn.redhat.com/errata/RHSA-2015-1417.html


Note You need to log in before you can comment on or make changes to this bug.