Bug 229351

Summary:

japanese/mailman may be also affectd by JVN#00846677/JPCERT#97432283/CVE-2018-0618

Product:

Ports & Packages

Reporter:

Yasuhito FUTATSUKI <freebsd-bug-report-yf>

Component:

Individual Port(s)

Assignee:

TAKATSU Tomonari <tota>

Status:

Closed FIXED

Severity:

Affects Some People

Flags:

bugzilla: maintainer-feedback? (tota)

Priority:

---

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
patch to fix CVE-2018-0618	none
patch to fix CVE-2018-13796	none
patch to fix CVE-2018-13796	none

Description Yasuhito FUTATSUKI 2018-06-26 17:13:56 UTC

In GNU Mailman 2.1.27 release announcement, it contains fix of JVN#00846677/JPCERT#97432283. 

I'm not sure which change between 2.1.26 and 2.17 are the fix of them, but they may be rev 1747, rev 1754, and rev 1782.
(1747, 1754 from NEWS file changes, and 1782 from merge review comment)

https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1747
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1754
https://code.launchpad.net/~futatuki/mailman/enhance-i18n-list-overview/+merge/348365/comments/909595

These may be applied against mailman 2.1.14+j7, and it may be able to make a patch for them.

Alternatively, we can use release of my branch 2.1.27+j1, based on mailman 2.1.14+j7 and merged almost all changes in upstream, with some my own change.
(If it can be trusted my work :-).) 
Please see https://mm.poem.co.jp/#mailman-japan-poem for about it.

Comment 1 Yasuhito FUTATSUKI 2018-07-03 05:39:44 UTC

Created attachment 194849 [details]
patch to fix CVE-2018-0618

Comment 2 Yasuhito FUTATSUKI 2018-07-03 05:48:35 UTC

(In reply to Yasuhito FUTATSUKI from comment #0)
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1754
This is not applied against 2.1.14+j7 because this fix a bug introduced after 2.1.15 (Errors.EmailAddressErrors message string is not used in 2.1.14+j7).

The patch I attached were created from rev 1747
(https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1747)
and least part of rev 1782 to fix this problem
(https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1782)

Comment 3 Yasuhito FUTATSUKI 2018-07-23 15:06:55 UTC

Created attachment 195390 [details]
patch to fix CVE-2018-13796

Another vulnerability has been published, CVE-2018-13796.

I've made additional patch for it attached here.

Comment 4 Yasuhito FUTATSUKI 2018-07-25 03:52:18 UTC

Created attachment 195437 [details]
patch to fix CVE-2018-13796

Previous fix for CVE-2018-13796 was updated. (https://bugs.launchpad.net/mailman/+bug/1780874)

Here is update to patch for 2.1.14+j1.

Comment 5 commit-hook freebsd_committer

2018-07-29 03:41:11 UTC

A commit references this bug:

Author: tota
Date: Sun Jul 29 03:40:19 UTC 2018
New revision: 475623
URL: https://svnweb.freebsd.org/changeset/ports/475623

Log:
  - Rename patches
    * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py
    * patch-CVE-2015-2775 to patch-Mailman_Utils.py
    * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py
  - Apply CVE-2018-0618 patches [1]

  PR:		229351 [1]
  Submitted by:	Yasuhito FUTATSUKI
  MFH:		2018Q3
  Security:	CVE-2018-0618

Changes:
  head/japanese/mailman/Makefile
  head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
  head/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py
  head/japanese/mailman/files/patch-CVE-2015-2775
  head/japanese/mailman/files/patch-CVE-2018-5950
  head/japanese/mailman/files/patch-Mailman_Cgi_admin.py
  head/japanese/mailman/files/patch-Mailman_Cgi_options.py
  head/japanese/mailman/files/patch-Mailman_Gui_General.py
  head/japanese/mailman/files/patch-Mailman_Utils.py

Comment 6 commit-hook freebsd_committer

2018-07-30 03:10:44 UTC

A commit references this bug:

Author: tota
Date: Mon Jul 30 03:10:35 UTC 2018
New revision: 475861
URL: https://svnweb.freebsd.org/changeset/ports/475861

Log:
  MFH: r475623

  - Rename patches
    * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py
    * patch-CVE-2015-2775 to patch-Mailman_Utils.py
    * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py
  - Apply CVE-2018-0618 patches [1]

  PR:		229351 [1]
  Submitted by:	Yasuhito FUTATSUKI
  Security:	CVE-2018-0618
  Approved by:	ports-secteam (miwi@)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/japanese/mailman/Makefile
  branches/2018Q3/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
  branches/2018Q3/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py
  branches/2018Q3/japanese/mailman/files/patch-CVE-2015-2775
  branches/2018Q3/japanese/mailman/files/patch-CVE-2018-5950
  branches/2018Q3/japanese/mailman/files/patch-Mailman_Cgi_admin.py
  branches/2018Q3/japanese/mailman/files/patch-Mailman_Cgi_options.py
  branches/2018Q3/japanese/mailman/files/patch-Mailman_Gui_General.py
  branches/2018Q3/japanese/mailman/files/patch-Mailman_Utils.py

Comment 7 TAKATSU Tomonari freebsd_committer

2018-07-30 03:24:49 UTC

Yasuhito-san,

Would you submit CVE-2018-13796 as another bug report?

Comment 8 Yasuhito FUTATSUKI 2018-07-30 09:23:00 UTC

(In reply to TAKATSU Tomonari from comment #7)
I've re submit it as a new Bug #230183

Comment 9 TAKATSU Tomonari freebsd_committer

2018-07-30 09:41:04 UTC

(In reply to Yasuhito FUTATSUKI from comment #8)
Thank you very much.