diff --git a/mailman-CVE-2021-42096-2021-42097.patch b/mailman-CVE-2021-42096-2021-42097.patch new file mode 100644 index 0000000..ee05f0a --- /dev/null +++ b/mailman-CVE-2021-42096-2021-42097.patch @@ -0,0 +1,129 @@ +diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py +index a1e78d9..24e3e11 100644 +--- a/Mailman/CSRFcheck.py ++++ b/Mailman/CSRFcheck.py +@@ -18,11 +18,13 @@ + """ Cross-Site Request Forgery checker """ + + import time ++import urllib + import marshal + import binascii + + from Mailman import mm_cfg +-from Mailman.Utils import sha_new ++from Mailman.Logging.Syslog import syslog ++from Mailman.Utils import UnobscureEmail, sha_new + + keydict = { + 'user': mm_cfg.AuthUser, +@@ -37,6 +39,10 @@ keydict = { + def csrf_token(mlist, contexts, user=None): + """ create token by mailman cookie generation algorithm """ + ++ if user: ++ # Unmunge a munged email address. ++ user = UnobscureEmail(urllib.unquote(user)) ++ + for context in contexts: + key, secret = mlist.AuthContextInfo(context, user) + if key: +@@ -49,9 +55,8 @@ def csrf_token(mlist, contexts, user=None): + token = binascii.hexlify(marshal.dumps((issued, keymac))) + return token + +-def csrf_check(mlist, token): ++def csrf_check(mlist, token, options_user=None): + """ check token by mailman cookie validation algorithm """ +- + try: + issued, keymac = marshal.loads(binascii.unhexlify(token)) + key, received_mac = keymac.split(':', 1) +@@ -62,6 +67,17 @@ def csrf_check(mlist, token): + key, user = key.split('+', 1) + else: + user = None ++ if user: ++ # This is for CVE-2021-42097. The token is a user token because ++ # of the fix for CVE-2021-42096 but it must match the user for ++ # whom the options page is requested. ++ raw_user = UnobscureEmail(urllib.unquote(user)) ++ if options_user and options_user != raw_user: ++ syslog('mischief', ++ 'Form for user %s submitted with CSRF token ' ++ 'issued for %s.', ++ options_user, raw_user) ++ return False + context = keydict.get(key) + key, secret = mlist.AuthContextInfo(context, user) + assert key +diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py +index 386b308..980fc09 100644 +--- a/Mailman/Cgi/options.py ++++ b/Mailman/Cgi/options.py +@@ -54,9 +54,6 @@ except NameError: + True = 1 + False = 0 + +-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, +- mm_cfg.AuthListModerator, mm_cfg.AuthUser) +- + + def main(): + global _ +@@ -124,15 +121,6 @@ def main(): + print doc.Format() + return + +- if set(params) - set(safe_params): +- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) +- else: +- csrf_checked = True +- # if password is present, void cookie to force password authentication. +- if cgidata.getfirst('password'): +- os.environ['HTTP_COOKIE'] = '' +- csrf_checked = True +- + # Set the language for the page. If we're coming from the listinfo cgi, + # we might have a 'language' key in the cgi data. That was an explicit + # preference to view the page in, so we should honor that here. If that's +@@ -168,6 +156,16 @@ def main(): + user = user[-1] + + # Avoid cross-site scripting attacks ++ if set(params) - set(safe_params): ++ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ Utils.UnobscureEmail(urllib.unquote(user))) ++ else: ++ csrf_checked = True ++ # if password is present, void cookie to force password authentication. ++ if cgidata.getfirst('password'): ++ os.environ['HTTP_COOKIE'] = '' ++ csrf_checked = True ++ + safeuser = Utils.websafe(user) + try: + Utils.ValidateEmail(user) +@@ -867,8 +865,9 @@ def options_page(mlist, doc, user, cpuser, userlang, message=''): + mlist.FormatButton('othersubs', + _('List my other subscriptions'))) + replacements[''] = ( ++ # Always make the CSRF token for the user. CVE-2021-42096 + mlist.FormatFormStart('options', user, mlist=mlist, +- contexts=AUTH_CONTEXTS, user=user)) ++ contexts=[mm_cfg.AuthUser], user=user)) + replacements[''] = user + replacements[''] = presentable_user + replacements[''] = mlist.FormatButton( +diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py +index 9b7f03f..e9e5ce5 100644 +--- a/Mailman/SecurityManager.py ++++ b/Mailman/SecurityManager.py +@@ -104,6 +104,7 @@ class SecurityManager: + if user is None: + # A bad system error + raise TypeError, 'No user supplied for AuthUser context' ++ user = Utils.UnobscureEmail(urllib.unquote(user)) + secret = self.getMemberPassword(user) + userdata = urllib.quote(Utils.ObscureEmail(user), safe='') + key += 'user+%s' % userdata diff --git a/mailman-CVE-2021-44227.patch b/mailman-CVE-2021-44227.patch new file mode 100644 index 0000000..0fab95c --- /dev/null +++ b/mailman-CVE-2021-44227.patch @@ -0,0 +1,82 @@ +diff --git a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py +index 24e3e11..81998cf 100644 +--- a/Mailman/CSRFcheck.py ++++ b/Mailman/CSRFcheck.py +@@ -55,7 +55,7 @@ def csrf_token(mlist, contexts, user=None): + token = binascii.hexlify(marshal.dumps((issued, keymac))) + return token + +-def csrf_check(mlist, token, options_user=None): ++def csrf_check(mlist, token, cgi_user=None): + """ check token by mailman cookie validation algorithm """ + try: + issued, keymac = marshal.loads(binascii.unhexlify(token)) +@@ -67,12 +67,25 @@ def csrf_check(mlist, token, options_user=None): + key, user = key.split('+', 1) + else: + user = None ++ # Don't allow unprivileged tokens for admin or admindb. ++ if cgi_user == 'admin': ++ if key not in ('admin', 'site'): ++ syslog('mischief', ++ 'admin form submitted with CSRF token issued for %s.', ++ key + '+' + user if user else key) ++ return False ++ elif cgi_user == 'admindb': ++ if key not in ('moderator', 'admin', 'site'): ++ syslog('mischief', ++ 'admindb form submitted with CSRF token issued for %s.', ++ key + '+' + user if user else key) ++ return False + if user: + # This is for CVE-2021-42097. The token is a user token because + # of the fix for CVE-2021-42096 but it must match the user for + # whom the options page is requested. + raw_user = UnobscureEmail(urllib.unquote(user)) +- if options_user and options_user != raw_user: ++ if cgi_user and cgi_user != raw_user: + syslog('mischief', + 'Form for user %s submitted with CSRF token ' + 'issued for %s.', +diff --git a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py +index d2577b5..7c600df 100644 +--- a/Mailman/Cgi/admin.py ++++ b/Mailman/Cgi/admin.py +@@ -107,7 +107,8 @@ def main(): + 'legend'] + params = cgidata.keys() + if set(params) - set(safe_params): +- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) ++ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ 'admin') + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. +diff --git a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py +index 58bb357..c152501 100644 +--- a/Mailman/Cgi/admindb.py ++++ b/Mailman/Cgi/admindb.py +@@ -144,7 +144,8 @@ def main(): + safe_params = ['adminpw', 'admlogin', 'msgid', 'sender', 'details'] + params = cgidata.keys() + if set(params) - set(safe_params): +- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) ++ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ 'admindb') + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. +diff --git a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py +index 1dd9e87..170e811 100644 +--- a/Mailman/Cgi/edithtml.py ++++ b/Mailman/Cgi/edithtml.py +@@ -111,7 +111,8 @@ def main(): + safe_params = ['VARHELP', 'adminpw', 'admlogin'] + params = cgidata.keys() + if set(params) - set(safe_params): +- csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) ++ csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ 'admin') + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. diff --git a/mailman.spec b/mailman.spec index 566010f..18412e4 100644 --- a/mailman.spec +++ b/mailman.spec @@ -3,7 +3,7 @@ Summary: Mailing list manager with built in Web access Name: mailman Version: 2.1.29 -Release: 12%{?dist} +Release: 12%{?dist}.2 Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz @@ -34,6 +34,8 @@ Patch26: mailman-bouncer_oom_crash.patch Patch27: mailman-2.1.29-login_content_injection.patch Patch28: mailman-2.1.29-options_content_njection.patch Patch29: mailman-2.1.29-cmd_reply_encoding.patch +Patch30: mailman-CVE-2021-42096-2021-42097.patch +Patch31: mailman-CVE-2021-44227.patch License: GPLv2+ URL: http://www.list.org/ @@ -127,6 +129,8 @@ additional installation steps, these are described in: %patch27 -p0 -b .login_injection %patch28 -p0 -b .options_injection %patch29 -p0 -b .cmd_reply_encoding +%patch30 -p1 -b .CVE-2021-42096-2021-42097 +%patch31 -p1 -b .CVE-2021-44227 #cp $RPM_SOURCE_DIR/mailman.INSTALL.REDHAT.in INSTALL.REDHAT.in cp %{SOURCE5} INSTALL.REDHAT.in @@ -580,6 +584,15 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Sun Nov 28 2021 Martin Osvald - 3:2.1.29-12.2 +- Fix for CVE-2021-44227 +- Resolves: #2026871 + +* Tue Nov 09 2021 Martin Osvald - 3:2.1.29-12.1 +- Fix for CVE-2021-42096 +- Fix for CVE-2021-42097 +- Resolves: #2021139, #2020692 + * Mon Apr 12 2021 Tomas Korbar - 3:2.1.29-12 - Fix encoding handling of command replies - Resolves: rhzb#1907323