Uncaught runner exception: len() of unsized object

Debian Bug report logs - #358892
Uncaught runner exception: len() of unsized object

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven Hartge <sven@svenhartge.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Uncaught runner exception: len() of unsized object

Date: Sat, 25 Mar 2006 01:27:33 +0100

[Message part 1 (text/plain, inline)]

Package: mailman
Version: 2.1.5-8sarge1
Severity: important
Tags: patch

Hello.

Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which can
cause some messages with badly formed mime multiparts and sometimes all
messaged received after the defective one to be shunted, thus rendering
the specific list to be unusable. (Thus the slightly increased
severity.)

See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

Example for one traceback:

(The date is so old, because I since fixed this problem locally but never
got around to submitting this bug to the BTS.)

Feb 19 08:26:35 2006 (2786) SHUNTING: 1140333994.5416+92548399c95eda0df954edc5b01362c2ddda88bf
Feb 19 09:04:19 2006 (2786) Uncaught runner exception: len() of unsized object
Feb 19 09:04:19 2006 (2786) Traceback (most recent call last):
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
    self._onefile(msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
    more = self._dopipeline(mlist, msg, msgdata, pipeline)
  File "/usr/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
    sys.modules[modname].process(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 91, in process
    send_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 132, in send_digests
    send_i18n_digests(mlist, mboxfp)
  File "/var/lib/mailman/Mailman/Handlers/ToDigest.py", line 306, in send_i18n_digests
    msg = scrubber(mlist, msg)
  File "/var/lib/mailman/Mailman/Handlers/Scrubber.py", line 262, in process
    size = len(payload)
TypeError: len() of unsized object

The patch (attached for your convenience) is also in 2.1.6, see 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

Please include this simple fix in the next point release.

Grüße,
Sven Hartge

[mailman-payload-patch.diff (text/plain, attachment)]

Message #10 received at 358892@bugs.debian.org (full text, mbox, reply):

From: Lionel Elie Mamane <lionel@mamane.lu>

To: Sven Hartge <sven@svenhartge.de>, 358892@bugs.debian.org, security@debian.org

Cc: control@bugs.debian.org, 358892-subscribe-security=debian.org@bugs.debian.org

Subject: Re: [Pkg-mailman-hackers] Bug#358892: Uncaught runner exception: len() of unsized object

Date: Tue, 28 Mar 2006 23:17:58 +0200

tags 358892 +security sarge
fixed 358892 2.1.6
reopen 358892
thanks

On Sat, Mar 25, 2006 at 01:27:33AM +0100, Sven Hartge wrote:

> Mailman 2.1.5 contains a subtle bug inside its Scrubber.py, which
> can cause some messages with badly formed mime multiparts and
> sometimes all messaged received after the defective one to be
> shunted, thus rendering the specific list to be unusable.

This thus leads to a DoS attack vector, and makes it a security
vulnerability.

I wasn't able to find a CVE number for this; none of
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman looks
relevant. Should we get one? If yes, will the security team take care
of this?

> See also http://mail.python.org/pipermail/mailman-users/2005-June/045107.html

> The patch (attached for your convenience) is also in 2.1.6, see 
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103

> diff -ur mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
> --- mailman-2.1.5.orig/Mailman/Handlers/Scrubber.py	2003-12-01 02:43:18.000000000 +0100
> +++ mailman-2.1.5/Mailman/Handlers/Scrubber.py	2006-03-25 01:25:57.000000000 +0100
> @@ -259,6 +259,14 @@
>          elif not part.is_multipart():
>              payload = part.get_payload(decode=True)
>              ctype = part.get_type()
> +            # XXX Under email 2.5, it is possible that payload will be None.
> +            # This can happen when you have a Content-Type: multipart/* with
> +            # only one part and that part has two blank lines between the
> +            # first boundary and the end boundary.  In email 3.0 you end up
> +            # with a string in the payload.  I think in this case it's safe to
> +            # ignore the part.
> +            if payload is None:
> +                continue
>              size = len(payload)
>              omask = os.umask(002)
>              try:

As maintainer of the Debian package of Mailman, I approve this
patch. Please issue a DSA with this update.

Thanks,

-- 
Lionel

Message #17 received at 358892@bugs.debian.org (full text, mbox, reply):

From: Lionel Elie Mamane <lmamane@debian.org>

To: Steve Kemp <skx@debian.org>

Cc: team@security.debian.org, 358892@bugs.debian.org

Subject: Mailman DoS CVE-2006-0052, debbug #358892

Date: Wed, 29 Mar 2006 21:44:35 +0200

(Please don't hijack old threads about different issues, in particular
 not without changing the subject line.)

On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:

>   Package for Sarge at:

>         http://people.debian.org/~skx/updates/mailman/

>   Potential advisory text - need to know which version in sid
>  will fix it.

Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
etch contains 2.1.7-1; it was fixed in sid (without even realising it)
with the upload of 2.1.6-1 on Sun, 25 Dec 2005.

Please take this opportunity to retroactively add to the changelog of
2.1.5-8sarge1 that the

 * Don't die on overflow in date handling, which could lead to a DoS
   attack (closes: #326024)

is CVE-2005-4153.

Also add (closes: #358892) to your changelog entry.

> Package        : mailman
> Vulnerability  : denial of service
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2006-0052
Debian Bug     : 358892

> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager.  The Common Vulnerabilities and
> Exposures project identifies the following problems:

We should give more details, because there have been two other DoS
vulnerabilities recently, so we don't want people to get confused. I
propose something along the lines of:

 A potential denial of service problem has been discovered in mailman,
 the web-based GNU mailing list manager. The (failing) parsing of
 messages with malformed mime multiparts sometimes caused the whole
 mailing list to become inoperative.

> The old stable distribution (woody) is not vulnerable to this issue.

> For the unstable distribution (sid) this problem will be fixed soon.

-- 
Lionel

Message #22 received at 358892@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: Lionel Elie Mamane <lmamane@debian.org>

Cc: team@security.debian.org, 358892@bugs.debian.org

Subject: Re: Mailman DoS CVE-2006-0052, debbug #358892

Date: Wed, 29 Mar 2006 20:57:55 +0100

On Wed, Mar 29, 2006 at 09:44:35PM +0200, Lionel Elie Mamane wrote:

> (Please don't hijack old threads about different issues, in particular
>  not without changing the subject line.)

  Sorry, it wasn't intentional.

> Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
> etch contains 2.1.7-1; it was fixed in sid (without even realising it)
> with the upload of 2.1.6-1 on Sun, 25 Dec 2005.

  OK.

> Please take this opportunity to retroactively add to the changelog of
> 2.1.5-8sarge1 that the
> 
>  * Don't die on overflow in date handling, which could lead to a DoS
>    attack (closes: #326024)
> 
> is CVE-2005-4153.
> 
> Also add (closes: #358892) to your changelog entry.

  Alright.  I'll update the changelog and upload to the queue now.

  Thanks for the updated advisory text.

Steve
-- 

Message #27 received at 358892@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@ubuntu.com>

To: 358892@bugs.debian.org

Subject: CVE number, Ubuntu patch

Date: Mon, 3 Apr 2006 15:12:15 +0200

[Message part 1 (text/plain, inline)]

Hi,

this issue has been assigned CVE-2006-0052. In Ubuntu, we used this
patch:

  http://patches.ubuntu.com/patches/mailman.CVE-2006-0052.diff

It's a bit longer, since I started with fixing with upstream bug
1430236. Now it's a bit redundant, but better safe than sorry. :)

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.