fix CVE-2020-15011

(cherry picked from commit 743d820ab532a7b5a2c006bc31a52986139210ff)
2021-10-25 14:53:54 +08:00 · 2021-10-25 14:53:54 +08:00 · 84e068463d
commit 84e068463d
parent 7cd1c2ec34
2 changed files with 31 additions and 1 deletions
--- a/CVE-2020-15011.patch
+++ b/CVE-2020-15011.patch
@ -0,0 +1,26 @@
+Description: Arbitrary content injection via Cgi/private.py archive login page
+Origin: https://bugs.launchpad.net/mailman/+bug/1877379
+Author: Mark Sapiro
+
+=== modified file 'Mailman/Cgi/private.py'
+Index: mailman-2.1.26/Mailman/Cgi/private.py
+===================================================================
+--- mailman-2.1.26.orig/Mailman/Cgi/private.py
+++ mailman-2.1.26/Mailman/Cgi/private.py
+@@ -155,13 +155,9 @@ def main():
+             if mlist.isMember(username):
+                 mlist.MailUserPassword(username)
+             elif username:
+-                # Not a member
+-                if mlist.private_roster == 0:
+-                    # Public rosters
+-                    safeuser = Utils.websafe(username)
+-                    message = Bold(FontSize('+1',
+-                                  _('No such member: %(safeuser)s.'))).Format()
+-                else:
+                # Not a member. Don't report address in any case. It leads to
+                # Content injection. Just log if roster is not public.
+                if mlist.private_roster != 0:
+                     syslog('mischief',
+                        'Reminder attempt of non-member w/ private rosters: %s',
+                        username)
--- a/mailman.spec
+++ b/mailman.spec
@ -3,7 +3,7 @@

 Name:           mailman
 Version:        2.1.29
-Release:        6
+Release:        7
 Epoch:          3
 Summary:        GNU Mailing List Manager
 License:        GPLv2+
@ -29,6 +29,7 @@ Patch21:        mailman-2.1.13-env-python.patch
 Patch22:        mailman-2.1.15-check_perms.patch
 Patch23:        CVE-2020-12108.patch
 Patch24:        CVE-2020-12137.patch
+Patch25:        CVE-2020-15011.patch

 BuildRequires:  automake gcc python2-devel systemd python2-dns
 Requires(pre):  shadow-utils
@ -423,6 +424,9 @@ exit 0
 %dir %attr(775,root,%{name}) /var/lock/%{name}

 %changelog
+* Mon Oct 25 2021 yaoxin <yaoxin30@huawei.com> - 2.1.29-7
+- Fix CVE-2020-15011
+
 * Tue Oct 19 2021 liwu <liwu13@huawei.com> - 2.1.29-6
 - Fix CVE-2020-12108 CVE-2020-12137