[Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]

Fedora Extras seems to include my Enemies of Carlotta mailing list
manager. I've just made a new release to fix a security problem, so I'd
like to suggest that you update the package. Please see the attached message and
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00336.html

Thanks, and sorry for the mess I created.

-- 
If possible, use code, not comments.
--- Begin Message ---
My face is covered in egg.

Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3
and the 1.2.3 versions. The problem is that EoC did not quote shell
arguments properly. I have fixed the problem in 1.2.4, which contains no
other changes relative to 1.2.3. This problem has the code
CVE-2006-5875.

You can find the 1.2.4 version on the EoC website:
http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's
unstable.

Debian's stable contains 1.0.3, and I have prepared a patch for that. It
is actually essentially the same patch as was used to create 1.2.4. The
Debian security team has uploaded a fixed version of the 1.0.3 package
to security.debian.org. I've attached it to this message in case anyone
not running Debian wants to stay with 1.0.3, but I won't be releasing a
1.0.4 unless someone really needs it (if you do, please tell me
immediately).

For risk assessment: I was unable to come up with an exploit. Doing so
would require getting a certain kind of construct through the SMTP level
to EoC, and I wasn't able to make that happen, but I would not rely on
it being impossible. Therefore, please upgrade immediately.

I apologize for this problem. It was amateurish to let the problematic
code into a released version of the program; I knew better than to do that.

diff -u enemies-of-carlotta-1.0.3/debian/changelog enemies-of-carlotta-1.0.3/debian/changelog
--- enemies-of-carlotta-1.0.3/debian/changelog
+++ enemies-of-carlotta-1.0.3/debian/changelog
@@ -1,3 +1,13 @@
+enemies-of-carlotta (1.0.3-2) stable-security; urgency=high
+
+  * Security fix for CVE-2006-5875. There is no bug report for this, the
+    problem was reported privately to me by Antti-Juhani Kaijanaho.
+  * EoC did not correctly deal with SMTP level e-mail addresses that contain
+    shell meta characters. This has been fixed by running /usr/sbin/sendmail
+    via fork and exec, instead of os.popen.
+
+ -- Lars Wirzenius <liw@xxxxxx>  Fri,  8 Dec 2006 19:49:07 +0200
+
 enemies-of-carlotta (1.0.3-1) unstable; urgency=low
 
   * New upstream release:
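Review bot: the changelog entry leaves out the error-handling change that comes with the fix. The removed os.popen() path ended in a bare f.close() that never looked at sendmail's exit status, whereas the new forkexec() raises an Exception on any non-zero exit, so a failed hand-off to the local MTA now surfaces as an exception in the caller instead of being dropped silently. That is user-visible behaviour in a stable-security upload and deserves a line here, e.g. "send_mail now raises an exception if sendmail exits non-zero".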
only in patch2:
unchanged:
--- enemies-of-carlotta-1.0.3.orig/eoc.py
+++ enemies-of-carlotta-1.0.3/eoc.py
@@ -119,6 +119,33 @@
     return string.join(map(lambda c: "%02x" % ord(c), hash), "")
 
 
+def forkexec(argv, text):
+    """Run a command (given as argv array) and write text to its stdin"""
+    (r, w) = os.pipe()
+    pid = os.fork()
+    if pid == -1:
+        raise Exception("fork failed")
+    elif pid == 0:
+        os.dup2(r, 0)
+        os.close(r)
+        os.close(w)
+        fd = os.open("/dev/null", os.O_RDWR)
+        os.dup2(fd, 1)
+        os.dup2(fd, 2)
+        os.execvp(argv[0], argv)
+        sys.exit(1)
+    else:
+        os.close(r)
+        os.write(w, text)
+        os.close(w)
+        (pid2, exit) = os.waitpid(pid, 0)
+        if pid != pid2:
+            raise Exception("os.waitpid for %d returned for %d" % (pid, pid2))
+        if exit != 0:
+            raise Exception("subprocess failed, exit=0x%x" % exit)
+        return exit
+
+
 environ = None
 
 def set_environ(new_environ):
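Review bot: in the child branch, the `sys.exit(1)` after `os.execvp(argv[0], argv)` should be `os._exit(1)`. If the exec fails (wrong or non-executable sendmail path), SystemExit unwinds the parent's entire call stack inside the forked copy and runs normal interpreter shutdown, so the child can execute the caller's finally/cleanup code and flush buffers it inherited before it dies. Two smaller points: `os.fork()` raises OSError on failure rather than returning -1, so the `if pid == -1` branch is dead and misleading; and `os.write(w, text)` may return fewer bytes than requested (for instance when interrupted by a signal), so for a large message body the parent should loop until all of `text` is written, or at least check the return value, instead of assuming a single call delivers everything.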
@@ -379,12 +406,8 @@
 		smtp.sendmail(envelope_sender, recipients, text)
 		smtp.quit()
 	    else:
-		recipients = string.join(recipients, " ")
-		f = os.popen("%s -oi -f '%s' %s" % 
-				(self.mlm.sendmail, envelope_sender, recipients), 
-			     "w")
-		f.write(text)
-		f.close()
+		forkexec([self.mlm.sendmail, "-oi", "-f", envelope_sender] +
+		          recipients, text)
 	else:
 	    debug("send_mail: no recipients, not sending")
 
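Review bot: passing `[self.mlm.sendmail, "-oi", "-f", envelope_sender] + recipients` as an argv list takes the shell out of the path entirely, so quotes and metacharacters in envelope_sender or in any recipient now reach sendmail as literal bytes; that is the right fix for the CVE-2006-5875 issue. One residual gap at this call site: the addresses still occupy argv positions that sendmail parses for options, so a value beginning with '-' would be read as a flag rather than an address. Checking that envelope_sender and each recipient do not start with '-' before the call (or, where the local sendmail accepts it, ending the option list with `--`) would close that. Also note the behaviour change from the removed lines: `f.close()` ignored sendmail's exit status, while forkexec() raises on non-zero exit, so callers of send_mail should now expect an exception on delivery failure.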

--- End Message ---
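The two constructions contrasted in the patch above, as an added example that is not EoC's code: the pre-1.2.4 shape (addresses interpolated into a shell command string for os.popen) beside the argv form the fix uses, with a shlex-based check showing how a shell would re-tokenise the old string and a run against a stand-in "sendmail" (this Python interpreter echoing its argv) showing that the argv form delivers each address as one literal argument. The /usr/sbin/sendmail path comes from the changelog; the addresses are constructed, and the leading-'-' and newline validation in `sendmail_argv` is a hardening step added here, not something the EoC patch does.

```python
"""Added example (not EoC code): sendmail invocation as a shell string vs. argv."""
import json
import shlex
import subprocess
import sys

# Path from the Debian changelog; EoC reads it from self.mlm.sendmail.
SENDMAIL = "/usr/sbin/sendmail"


def shell_command_string(sendmail, envelope_sender, recipients):
    """Pre-1.2.4 construction: the shape of the removed os.popen() call.

    Built only for inspection; nothing in this file executes the string."""
    return "%s -oi -f '%s' %s" % (sendmail, envelope_sender, " ".join(recipients))


def is_safe_address(addr):
    """Added validation (assumption, not from the patch): an address must be
    non-empty, must not look like a command-line option, and must not carry a
    line break that could smuggle a second header or command line."""
    return bool(addr) and not addr.startswith("-") and "\n" not in addr and "\r" not in addr


def sendmail_argv(sendmail, envelope_sender, recipients):
    """Fixed construction: one argv element per address, no shell involved."""
    for addr in [envelope_sender] + list(recipients):
        if not is_safe_address(addr):
            raise ValueError("refusing address %r" % addr)
    return [sendmail, "-oi", "-f", envelope_sender] + list(recipients)


def shell_would_split(sendmail, envelope_sender, recipients):
    """Tokens a POSIX shell would make of the old command string.

    shlex.split follows sh quoting rules closely enough to show whether a quote
    inside an address moves the word boundaries.  Returns None when the quoting
    is unbalanced (the shell would reject or misparse the line)."""
    try:
        return shlex.split(shell_command_string(sendmail, envelope_sender, recipients))
    except ValueError:
        return None


def run_with_stand_in(envelope_sender, recipients, text):
    """Exec the argv form against a stand-in for sendmail.

    The stand-in is this interpreter running a one-liner that reads stdin and
    echoes its argv and the body back as JSON, so the result shows exactly what
    a real sendmail would have received: literal arguments and the message text."""
    stand_in = [sys.executable, "-c",
                "import sys, json; body = sys.stdin.read(); "
                "print(json.dumps({'argv': sys.argv[1:], 'stdin': body}))"]
    argv = sendmail_argv(SENDMAIL, envelope_sender, recipients)
    # argv[0] is the sendmail path; swap it for the stand-in, keep the rest.
    proc = subprocess.run(stand_in + argv[1:], input=text, capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sender: one embedded quote pair is enough to split the word.
    sender = "a' 'b@example.org"
    rcpts = ["list@example.net"]
    print("old shell string :", shell_command_string(SENDMAIL, sender, rcpts))
    print("shell tokens     :", shell_would_split(SENDMAIL, sender, rcpts))
    print("argv form        :", sendmail_argv(SENDMAIL, sender, rcpts))
    print("stand-in received:", run_with_stand_in(sender, rcpts, "Subject: t\n\nbody\n"))
```

With the constructed sender the old string tokenises to six words, turning the sender into `a` plus an extra recipient `b@example.org`, while the argv form hands the stand-in the unchanged five-element list. A sender with an odd number of quotes makes `shell_would_split` return None, the unbalanced-quoting case.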
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
