!13 [sync] PR-11: fix CVE-2020-12108 CVE-2020-12137

From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-10-19 08:05:22 +00:00 · 2021-10-19 08:05:22 +00:00 · 7cd1c2ec34
commit 7cd1c2ec34
parent 3a652a15f1 e50f0eeb83
3 changed files with 57 additions and 1 deletions
--- a/CVE-2020-12108.patch
+++ b/CVE-2020-12108.patch
@ -0,0 +1,25 @@
+From 966f6556766d24eb53055782b74a02d8c5969be2 Mon Sep 17 00:00:00 2001
+From: Utkarsh Gupta <utkarsh@debian.org>
+Date: Tue, 19 Oct 2021 09:50:58 +0800
+Subject: [PATCH] 2
+
+---
+ Mailman/Cgi/options.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
+index 34a7718..386b308 100644
+--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
+@@ -172,7 +172,7 @@ def main():
+     try:
+         Utils.ValidateEmail(user)
+     except Errors.EmailAddressError:
+-        doc.addError(_('Illegal Email Address: %(safeuser)s'))
+        doc.addError(_('Illegal Email Address'))
+         loginpage(mlist, doc, None, language)
+         print doc.Format()
+         return
+-- 
+2.27.0
+
--- a/CVE-2020-12137.patch
+++ b/CVE-2020-12137.patch
@ -0,0 +1,26 @@
+From ce32b3a6223efac121fc0df59e5316cfb6b8d3a0 Mon Sep 17 00:00:00 2001
+From: Mark Sapiro <mark@debian.org>
+Date: Tue, 19 Oct 2021 11:14:11 +0800
+Subject: [PATCH] 2
+
+---
+ Mailman/Handlers/Scrubber.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Mailman/Handlers/Scrubber.py b/Mailman/Handlers/Scrubber.py
+index 429312b..08ae55a 100644
+--- a/Mailman/Handlers/Scrubber.py
+++ b/Mailman/Handlers/Scrubber.py
+@@ -87,6 +87,9 @@ def guess_extension(ctype, ext):
+     all = guess_all_extensions(ctype, strict=False)
+     if ext in all:
+         return ext
+    if ctype.lower == 'application/octet-stream':
+          # For this type,all[0] is '.obj'.'.bin' is better.
+          return '.bin'
+     return all and all[0]
+ 
+ 
+-- 
+2.27.0
+
--- a/mailman.spec
+++ b/mailman.spec
@ -3,7 +3,7 @@

 Name:           mailman
 Version:        2.1.29
-Release:        5
+Release:        6
 Epoch:          3
 Summary:        GNU Mailing List Manager
 License:        GPLv2+
@ -27,6 +27,8 @@ Patch7:         mailman-2.1.13-archive-reply.patch
 Patch13:        mailman-2.1.9-unicode.patch
 Patch21:        mailman-2.1.13-env-python.patch
 Patch22:        mailman-2.1.15-check_perms.patch
+Patch23:        CVE-2020-12108.patch
+Patch24:        CVE-2020-12137.patch

 BuildRequires:  automake gcc python2-devel systemd python2-dns
 Requires(pre):  shadow-utils
@ -421,5 +423,8 @@ exit 0
 %dir %attr(775,root,%{name}) /var/lock/%{name}

 %changelog
+* Tue Oct 19 2021 liwu <liwu13@huawei.com> - 2.1.29-6
+- Fix CVE-2020-12108 CVE-2020-12137
+
 * Fri Feb 14 2020 lihao <lihao129@huawei.com> - 2.1.29-5
 - Package init