Created attachment 157322: patch to fix CVE-2015-2775
Directory traversal vulnerability CVE-2015-2775 may affect mailman-2.1.14+j7. Unfortunately, development of this software stopped in 2012, so the fix will not be provided by upstream, and we must fix it on the ports/package side. Here is a patch to fix it (originally obtained from http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1553/Mailman/Utils.py , applied against mailman-2.1.14+j7, and diffed again).
Please see also, https://bugs.launchpad.net/mailman/+bug/1437145
A commit references this bug:
Author: delphij
Date: Wed Jun 17 00:44:49 UTC 2015
New revision: 389895
URL: https://svnweb.freebsd.org/changeset/ports/389895
Log:
  Apply patch for CVE-2015-2775.
  PR: ports/200562
  Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
  Approved by: maintainer timeout
Changes:
  head/japanese/mailman/Makefile
  head/japanese/mailman/files/patch-CVE-2015-2775
Patch applied against -HEAD. What are the main differences between this port and mail/mailman? Would it be possible to upstream the improvements and just remove this port?
Created attachment 157830: patch to security/vuxml/vuln.xml
Should we modify vuln.xml in security/vuxml to add ja-mailman and Merge From Head 2015Q2?
(In reply to Xin LI from comment #3) No. Read pkg-descr in japanese/mailman in detail.
Comment on attachment 157322 [details] patch to fix CVE-2015-2775 >--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900 >+++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900 >@@ -93,6 +93,12 @@ > # > # The former two are for 2.1alpha3 and beyond, while the latter two are > # for all earlier versions. >+ # >+ # But first ensure the list name doesn't contain a path traversal >+ # attack. >+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: >+ syslog('mischief', 'Hostile listname: %s', listname) >+ return False > basepath = Site.get_listpath(listname) > for ext in ('.pck', '.pck.last', '.db', '.db.last'): > dbfile = os.path.join(basepath, 'config' + ext)
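Review bot: the added check references mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, but the only file this patch touches is Mailman/Utils.py and the hunk adds no definition of that constant; if the 2.1.14+j7 tree's Defaults.py does not already define it, every call of this function will raise AttributeError instead of rejecting hostile names, so the port patch should carry that definition as well (or the backport should confirm the constant is already present). The check itself is in the right place and fails closed: re.sub strips every allowed character, any remainder marks the name hostile, the event is logged to the 'mischief' syslog, and the function returns False before Site.get_listpath builds a filesystem path from the name. Since the hunk adds no imports, it is also worth confirming that re and syslog are already imported at the top of Utils.py in this version.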
A commit references this bug:
Author: delphij
Date: Wed Jun 17 17:21:19 UTC 2015
New revision: 389950
URL: https://svnweb.freebsd.org/changeset/ports/389950
Log:
  MFH: r389895 (requested by tato@)
  Apply patch for CVE-2015-2775.
  PR: ports/200562
  Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
  Approved by: ports-secteam@
Changes:
  _U branches/2015Q2/
  branches/2015Q2/japanese/mailman/Makefile
  branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775
(In reply to TAKATSU Tomonari from comment #4) Committed, thanks! (Sorry, I got confused and should have credited you instead.)
(In reply to TAKATSU Tomonari from comment #5) The MFH was done in r389950; thanks for the reminder. Note that since this is a patch-only security fix, you can actually use the ports-secteam@ blanket to merge it to the quarterly branch next time.
(In reply to TAKATSU Tomonari from comment #6) I see, thanks for the clarification!