The GNU Mailman 2.1.27 release announcement says it contains a fix for JVN#00846677/JPCERT#97432283. I'm not sure which changes between 2.1.26 and 2.17 are the fix for them, but they may be rev 1747, rev 1754, and rev 1782 (1747 and 1754 from the NEWS file changes, and 1782 from a merge review comment):
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1747
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1754
https://code.launchpad.net/~futatuki/mailman/enhance-i18n-list-overview/+merge/348365/comments/909595
These may be applied against mailman 2.1.14+j7, and it may be possible to make a patch from them. Alternatively, we can use the release of my branch 2.1.27+j1, based on mailman 2.1.14+j7 with almost all upstream changes merged, plus some changes of my own. (If my work can be trusted :-).) Please see https://mm.poem.co.jp/#mailman-japan-poem for details about it.
Created attachment 194849: patch to fix CVE-2018-0618
(In reply to Yasuhito FUTATSUKI from comment #0)
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1754
This one is not applicable to 2.1.14+j7, because it fixes a bug introduced after 2.1.15 (the Errors.EmailAddressError message string is not used in 2.1.14+j7). The patch I attached was created from rev 1747 (https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1747) and the least part of rev 1782 needed to fix this problem (https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1782).
Created attachment 195390: patch to fix CVE-2018-13796
Another vulnerability has been published, CVE-2018-13796. I've made an additional patch for it, attached here.
Created attachment 195437: patch to fix CVE-2018-13796
The previous fix for CVE-2018-13796 was updated (https://bugs.launchpad.net/mailman/+bug/1780874). Here is the updated patch for 2.1.14+j1.
A commit references this bug:
Author: tota
Date: Sun Jul 29 03:40:19 UTC 2018
New revision: 475623
URL: https://svnweb.freebsd.org/changeset/ports/475623
Log:
- Rename patches
  * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py
  * patch-CVE-2015-2775 to patch-Mailman_Utils.py
  * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py
- Apply CVE-2018-0618 patches [1]
PR: 229351 [1]
Submitted by: Yasuhito FUTATSUKI
MFH: 2018Q3
Security: CVE-2018-0618
Changes:
head/japanese/mailman/Makefile
head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
head/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py
head/japanese/mailman/files/patch-CVE-2015-2775
head/japanese/mailman/files/patch-CVE-2018-5950
head/japanese/mailman/files/patch-Mailman_Cgi_admin.py
head/japanese/mailman/files/patch-Mailman_Cgi_options.py
head/japanese/mailman/files/patch-Mailman_Gui_General.py
head/japanese/mailman/files/patch-Mailman_Utils.py
A commit references this bug:
Author: tota
Date: Mon Jul 30 03:10:35 UTC 2018
New revision: 475861
URL: https://svnweb.freebsd.org/changeset/ports/475861
Log:
MFH: r475623
- Rename patches
  * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py
  * patch-CVE-2015-2775 to patch-Mailman_Utils.py
  * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py
- Apply CVE-2018-0618 patches [1]
PR: 229351 [1]
Submitted by: Yasuhito FUTATSUKI
Security: CVE-2018-0618
Approved by: ports-secteam (miwi@)
Changes:
_U branches/2018Q3/
branches/2018Q3/japanese/mailman/Makefile
branches/2018Q3/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
branches/2018Q3/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py
branches/2018Q3/japanese/mailman/files/patch-CVE-2015-2775
branches/2018Q3/japanese/mailman/files/patch-CVE-2018-5950
branches/2018Q3/japanese/mailman/files/patch-Mailman_Cgi_admin.py
branches/2018Q3/japanese/mailman/files/patch-Mailman_Cgi_options.py
branches/2018Q3/japanese/mailman/files/patch-Mailman_Gui_General.py
branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py
Yasuhito-san, would you submit CVE-2018-13796 as another bug report?
(In reply to TAKATSU Tomonari from comment #7) I've resubmitted it as a new bug, Bug #230183.
(In reply to Yasuhito FUTATSUKI from comment #8) Thank you very much.