Debian Bug report logs - #358892
Uncaught runner exception: len() of unsized object
Reported by: Sven Hartge <sven@svenhartge.de>
Date: Sat, 25 Mar 2006 00:33:07 UTC
Severity: important
Tags: fixed, patch, sarge, security
Found in version mailman/2.1.5-8sarge1
Fixed in version 2.1.6-1
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>: Bug#358892; Package mailman.
Acknowledgement sent to Sven Hartge <sven@svenhartge.de>: New Bug report received and forwarded. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: mailman
Version: 2.1.5-8sarge1
Severity: important
Tags: patch
Hello.
Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which can
cause some messages with badly formed MIME multiparts and sometimes all
messages received after the defective one to be shunted, thus rendering
the specific list unusable. (Thus the slightly increased
severity.)
See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html
Example for one traceback:
(The date is so old because I have since fixed this problem locally but never
got around to submitting this bug to the BTS.)
Feb 19 08:26:35 2006 (2786) SHUNTING: 1140333994.5416+92548399c95eda0df954edc5b01362c2ddda88bf
Feb 19 09:04:19 2006 (2786) Uncaught runner exception: len() of unsized object
Feb 19 09:04:19 2006 (2786) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
    more = self._dopipeline(mlist, msg, msgdata, pipeline)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
    sys.modules[modname].process(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 91, in process
    send_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 132, in send_digests
    send_i18n_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 306, in send_i18n_digests
    msg = scrubber(mlist, msg)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process
    size = len(payload)
TypeError: len() of unsized object
The patch (attached for your convenience) is also in 2.1.6, see
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103
Please include this simple fix in the next point release.
Grüße,
Sven Hartge
[mailman-payload-patch.diff (text/plain, attachment)]
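A triage script for the error-log layout quoted in the report above, added here as an example (it is not part of the bug report or of Mailman): it groups "Uncaught runner exception" entries by message and innermost traceback frame and collects SHUNTING ids, so a single handler failing on message after message stands out. The function names, the sample log and its queue ids are constructed for this example.

```python
import re
from collections import Counter

STAMP = r"^\w{3} +\d+ [\d:]{8} \d{4} \(\d+\) "
EXC = re.compile(STAMP + r"Uncaught runner exception: (.*)$")
SHUNT = re.compile(STAMP + r"SHUNTING: (\S+)$")
FRAME = re.compile(r'^\s*File "([^"]+)", line (\d+), in \S+')

def triage(log_text):
    """Count runner exceptions by (message, innermost frame); collect shunted ids."""
    causes, shunted, pending, frame = Counter(), [], None, None
    for line in log_text.splitlines():
        exc, shunt, fr = EXC.match(line), SHUNT.match(line), FRAME.match(line)
        if exc:
            if pending is not None:  # close the previous exception entry
                causes[(pending, frame)] += 1
            pending, frame = exc.group(1), None
        elif shunt:
            shunted.append(shunt.group(1))
        elif fr and pending is not None:
            # Frames print outermost first, so the last one seen is the innermost.
            frame = "%s:%s" % (fr.group(1).rsplit("/", 1)[-1], fr.group(2))
    if pending is not None:
        causes[(pending, frame)] += 1
    return causes, shunted

def repeated_causes(causes, threshold=3):
    """Causes hit at least `threshold` times, i.e. one handler failing repeatedly."""
    return [key for key, n in causes.most_common() if n >= threshold]

def sample_event(ts, qid):
    # Constructed entry in the layout of the excerpt above; the queue id is made up.
    return (
        f"{ts} (2786) Uncaught runner exception: len() of unsized object\n"
        f"{ts} (2786) Traceback (most recent call last):\n"
        '  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop\n'
        "    self._onefile(msg, msgdata)\n"
        '  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process\n'
        "    size = len(payload)\n"
        "TypeError: len() of unsized object\n"
        f"{ts} (2786) SHUNTING: {qid}\n"
    )

SAMPLE_LOG = "".join(sample_event(f"Feb 19 09:0{i}:19 2006", f"114033000{i}.0+constructed")
                     for i in range(3))

if __name__ == "__main__":
    causes, shunted = triage(SAMPLE_LOG)
    print(causes.most_common(), shunted, repeated_causes(causes))
```

Exceptions and SHUNTING lines are counted independently, so the script does not depend on the order in which the two appear in the log.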
Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>: Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Message #10 received at 358892@bugs.debian.org:
tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks
On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:
> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed MIME multiparts and
> sometimes all messages received after the defective one to be
> shunted, thus rendering the specific list unusable.
This thus leads to a DoS attack vector, and makes it a security
vulnerability.
I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman looks
relevant. Should we get one? If yes, will the security team take care
of this?
> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html
> The patch (attached for your convenience) is also in 2.1.6, see
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103
> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
> --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py 2003-12-01 02:43:18.000000000 +0100
> +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2006-03-25 01:25:57.000000000 +0100
> @@ -259,6 +259,14 @@
> elif not part.is_multipart():
> payload = part.get_payload(decode=True)
> ctype = part.get_type()
> + # XXX Under email 2.5, it is possible that payload will be None.
> + # This can happen when you have a Content-Type: multipart/* with
> + # only one part and that part has two blank lines between the
> + # first boundary and the end boundary. In email 3.0 you end up
> + # with a string in the payload. I think in this case it's safe to
> + # ignore the part.
> + if payload is None:
> + continue
> size = len(payload)
> omask = os.umask(002)
> try:
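Review bot: the new "if payload is None: continue" ahead of "size = len(payload)" discards the part silently, so nothing visible in this hunk records that a part was dropped; a log line before the "continue" would let a list admin trace why a part is absent from the scrubbed message. The comment is also tagged XXX and rests on "I think in this case it's safe to ignore the part", so a regression test with the message shape it describes (a multipart/* with only one part and two blank lines between the first boundary and the end boundary) would be worth adding alongside the guard.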
As maintainer of the Debian package of Mailman, I approve this
patch. Please issue a DSA with this update.
Thanks,
--
Lionel
Tags added: security, sarge. Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org.
Acknowledgement sent to Lionel Elie Mamane <lmamane@debian.org>: Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Message #17 received at 358892@bugs.debian.org:
(Please don't hijack old threads about different issues, in particular
not without changing the subject line.)
On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:
> Package for Sarge at:
> http://people.debian.org/~skx/updates/mailman/
> Potential advisory text - need to know which version in sid
> will fix it.
Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
etch contains 2.1.7-1; it was fixed in sid (without even realising it)
with the upload of 2.1.6-1 on Sun, 25 Dec 2005.
Please take this opportunity to retroactively add to the changelog of
2.1.5-8sarge1 that the
* Don't die on overflow in date handling, which could lead to a DoS
attack (closes: #326024)
is CVE-2005-4153.
Also add (closes: #358892) to your changelog entry.
> Package : mailman
> Vulnerability : denial of service
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2006-0052
Debian Bug : 358892
> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager. The Common Vulnerabilities and
> Exposures project identifies the following problems:
We should give more details, because there have been two other DoS
vulnerabilities recently, so we don't want people to get confused. I
propose something along the lines of:
A potential denial of service problem has been discovered in mailman,
the web-based GNU mailing list manager. The (failing) parsing of
messages with malformed mime multiparts sometimes caused the whole
mailing list to become inoperative.
> The old stable distribution (woody) is not vulnerable to this issue.
> For the unstable distribution (sid) this problem will be fixed soon.
--
Lionel
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Message #22 received at 358892@bugs.debian.org:
On Wed, Mar 29, 2006 at 09:44:35PM +0200, Lionel Elie Mamane wrote:
> (Please don't hijack old threads about different issues, in particular
> not without changing the subject line.)
Sorry, it wasn't intentional.
> Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
> etch contains 2.1.7-1; it was fixed in sid (without even realising it)
> with the upload of 2.1.6-1 on Sun, 25 Dec 2005.
OK.
> Please take this opportunity to retroactively add to the changelog of
> 2.1.5-8sarge1 that the
>
> * Don't die on overflow in date handling, which could lead to a DoS
> attack (closes: #326024)
>
> is CVE-2005-4153.
>
> Also add (closes: #358892) to your changelog entry.
Alright. I'll update the changelog and upload to the queue now.
Thanks for the updated advisory text.
Steve
--
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
Message #27 received at 358892@bugs.debian.org:
Hi,
this issue has been assigned CVE-2006-0052. In Ubuntu, we used this
patch:
http://patches.ubuntu.com/patches/mailman.CVE-2006-0052.diff
It's a bit longer, since I started with fixing with upstream bug
1430236. Now it's a bit redundant, but better safe than sorry. :)
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
Tags added: fixed. Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 2.1.6-1, send any further explanations to Sven Hartge <sven@svenhartge.de>. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:09:40 GMT)
Last modified: Wed Jun 19 13:10:11 2019