diff --git a/SOURCES/mailman-2_1-xss_vulnerability.patch b/SOURCES/mailman-2_1-xss_vulnerability.patch
new file mode 100644
index 0000000..94b89aa
--- /dev/null
+++ b/SOURCES/mailman-2_1-xss_vulnerability.patch
@@ -0,0 +1,55 @@
+diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
+index 9a2389a..ae701a7 100644
+--- a/Mailman/Cgi/options.py
++++ b/Mailman/Cgi/options.py
+@@ -18,6 +18,7 @@
+ """Produce and handle the member options."""
+ 
+ import sys
++import re
+ import os
+ import cgi
+ import signal
+@@ -149,19 +150,6 @@ def main():
+ doc.set_language(userlang)
+ i18n.set_language(userlang)
+ 
+- # See if this is VARHELP on topics.
+- varhelp = None
+- if cgidata.has_key('VARHELP'):
+- varhelp = cgidata['VARHELP'].value
+- elif os.environ.get('QUERY_STRING'):
+- # POST methods, even if their actions have a query string, don't get
+- # put into FieldStorage's keys :-(
+- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+- if qs and type(qs) == types.ListType:
+- varhelp = qs[0]
+- if varhelp:
+- topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+- return
+ 
+ # Are we processing an unsubscription request from the login screen?
+ if cgidata.has_key('login-unsub'):
+@@ -261,6 +249,22 @@ def main():
+ print doc.Format()
+ return
+ 
++ # See if this is VARHELP on topics.
++ varhelp = None
++ if cgidata.has_key('VARHELP'):
++ varhelp = cgidata['VARHELP'].value
++ elif os.environ.get('QUERY_STRING'):
++ # POST methods, even if their actions have a query string, don't get
++ # put into FieldStorage's keys :-(
++ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
++ if qs and type(qs) == types.ListType:
++ varhelp = qs[0]
++ if varhelp:
++ # Sanitize the topic name.
++ varhelp = re.sub('<.*', '', varhelp)
++ topic_details(mlist, doc, user, cpuser, userlang, varhelp)
++ return
++ 
+ # From here on out, the user is okay to view and modify their membership
+ # options. The first set of checks does not require the list to be
+ # locked.
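Review bot: The sanitizer added in the third inner hunk, `varhelp = re.sub('<.*', '', varhelp)`, only truncates the value at the first `<`; since `.` does not match a newline, text after a line break survives, and characters such as `"`, `&` and `>` pass through unchanged, so whether the result is safe depends entirely on how `topic_details` renders it, which is outside this patch. Escaping at the output boundary is more robust than stripping at the input: the module already imports `cgi`, so `varhelp = cgi.escape(varhelp, quote=True)` (Python 2, which the `print doc.Format()` context line indicates) neutralises every HTML metacharacter, and validating the name against the list's configured topics before calling `topic_details` would be stronger still. If the stripping approach is kept, the intent of `'<.*'` and its line-oriented behaviour deserve a comment beyond `# Sanitize the topic name.`, e.g. `# Drop everything from the first '<' on; re.DOTALL needed to cover multi-line values.` Moving the block below the authentication checks is a separate, sensible change; `main()` starts and ends outside the hunk.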
diff --git a/SPECS/mailman.spec b/SPECS/mailman.spec index 0b921c7..e9f4066 100644 --- a/SPECS/mailman.spec +++ b/SPECS/mailman.spec @@ -4,7 +4,7 @@ Summary: Mailing list manager with built in Web access Name: mailman Version: 2.1.15 -Release: 24%{?dist} +Release: 26%{?dist}.1 Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz @@ -44,6 +44,8 @@ Patch24: mailman-2.1.15-CVE-2015-2775.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1351939 Patch25: mailman-2.1.15-rh1351939.patch Patch26: mailman-2.1.12-newlist-ja.patch +Patch27: mailman-2_1-xss_vulnerability.patch + License: GPLv2+ URL: http://www.list.org/ @@ -142,6 +144,7 @@ additional installation steps, these are described in: %patch24 -p1 %patch25 -p0 %patch26 -p1 +%patch27 -p1 -b .xss # Change `#!/usr/bin/env python` shebang to `#!/usr/bin/python` sed -i '1s|^#! */usr/bin/env python$|#!/usr/bin/python|' `find -iname '*.py'` @@ -597,6 +600,18 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-26.1 +- Related: #1545974 - Add import regular expression module + +* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-26 +- Related: #1545974 - Bump release to make it higher than 7.5 + +* Fri Mar 02 2018 Pavel Zhukov - 3:2.1.15-24.2 +- Resolves: #1545974 - Add sanitizer to mitigate XSS injection + +* Fri Feb 16 2018 Pavel Zhukov - 3:2.1.15-24.1 +- Resolves: #1545974 - Fix XSS vulnerability in web UI + * Wed Feb 22 2017 Pavel Šimerda - 3:2.1.15-24 - Resolves: #1232737 - Fix instances of #!/usr/bin/env python in mailman