[arch-commits] Commit in mailman/trunk (02-fix-CVE-2015-2775.patch PKGBUILD)

Sébastien Luttringer seblu at archlinux.org
Tue Mar 31 15:54:32 UTC 2015


    Date: Tuesday, March 31, 2015 @ 17:54:32
  Author: seblu
Revision: 130414

upgpkg: mailman 2.1.19-2

- fix CVE-2015-2775

Added:
  mailman/trunk/02-fix-CVE-2015-2775.patch
Modified:
  mailman/trunk/PKGBUILD

----------------------------+
 02-fix-CVE-2015-2775.patch |   17 +++++++++++++++++
 PKGBUILD                   |   17 ++++++++++++-----
 2 files changed, 29 insertions(+), 5 deletions(-)

Added: 02-fix-CVE-2015-2775.patch
===================================================================
--- 02-fix-CVE-2015-2775.patch	                        (rev 0)
+++ 02-fix-CVE-2015-2775.patch	2015-03-31 15:54:32 UTC (rev 130414)
@@ -0,0 +1,17 @@
+--- a/Mailman/Utils.py	2015-01-23 23:50:47 +0000
++++ b/Mailman/Utils.py	2015-03-27 18:14:06 +0000
+@@ -100,6 +100,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)
+
+
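Review bot: The guard added before `basepath = Site.get_listpath(listname)` is only as strong as `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, which is a site-overridable setting: if an administrator widens that character class in mm_cfg.py to admit `/`, the traversal this check is meant to close is silently reopened, and nothing in the patch says so. A comment next to the `if` would make the dependency explicit, e.g. `# Security: this only works while ACCEPTABLE_LISTNAME_CHARACTERS excludes '/' (and other path components); do not widen it in mm_cfg.py.` The hunk also assumes `re`, `mm_cfg` and `syslog` are already imported in Utils.py, which cannot be confirmed from here, and the enclosing function starts before the hunk. For a backported security fix it is worth adding a short header above the first `---` line naming the upstream revision or bug it was taken from (patch(1) ignores leading text), so the provenance survives the next rebase.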

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-03-31 15:03:57 UTC (rev 130413)
+++ PKGBUILD	2015-03-31 15:54:32 UTC (rev 130414)
@@ -5,7 +5,7 @@
 pkgname=mailman
 _pkgver=2.1.19
 pkgver=${_pkgver//-/.}
-pkgrel=1
+pkgrel=2
 pkgdesc='The GNU Mailing List Manager'
 arch=(i686 x86_64)
 license=('GPL')
@@ -35,7 +35,8 @@
         'mailman-nightlygzip.timer'
         'mailman-senddigests.service'
         'mailman-senddigests.timer'
-        '01-mailman-2.1-build.patch')
+        '01-mailman-2.1-build.patch'
+        '02-fix-CVE-2015-2775.patch')
 md5sums=('13a33d758f8a6308c91dd267fc3ba123'
          'a9c71ec940c56173415fbd49087d10b0'
          '85a8c30ffc444e677b286f54df530482'
@@ -55,7 +56,8 @@
          '3af65082d3cd4d5746944890c7a72962'
          '350dac1e350691e3d9cb8f99fd4b669a'
          '52917f62441ac5d950789e8f8af28f09'
-         'ed04d062379eb21e39ce1e70e6b1ade2')
+         'ed04d062379eb21e39ce1e70e6b1ade2'
+         'c80ee5b3e14df0a0c6a499b81e0726b4')
 
 prepare() {
   # some files in mailman doesn't use configure parameter
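Review bot: The new checksum is added to an `md5sums` array, so the only integrity check on the upstream tarball (first entry, on the line after `source=`) is also MD5, which is collision-broken and pins a file-as-fetched rather than attesting to its origin. makepkg accepts `sha256sums=(...)` as a drop-in replacement and `updpkgsums` regenerates the whole array, so a security-fix rebuild is a natural moment to switch the array to SHA-256. The hash of the local patch file mainly catches accidental edits; it is the tarball entry that benefits from a stronger digest.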
@@ -62,8 +64,13 @@
   find $pkgname-$_pkgver -type f -exec \
     sed -i '1s,^#! \?/usr/bin/\(env \|\)python$,#!/usr/bin/python2,' {} \;
 
-  # fix directory permissions to satisfy check_perms
-  patch -p1 -d $pkgname-$_pkgver < 01-mailman-2.1-build.patch
+  # apply patch from sources
+  for _p in "${source[@]}"; do
+    if [[ "$_p" =~ .+\.patch$ ]]; then
+      msg2 "Applying patch $_p"
+      patch -p1 -d $pkgname-$_pkgver < "$_p"
+    fi
+  done
 }
 
 build() {
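Review bot: The loop `for _p in "${source[@]}"` hands the raw source entry to `patch`, which only works while every `.patch` entry is a bare local filename; a remote patch (`https://.../fix.patch`, or the `name::url` form makepkg accepts) would make `"$_p"` a URL and the `< "$_p"` redirect would fail with a misleading error. Reducing each entry to its on-disk name first, `_f=${_p%%::*}; _f=${_f##*/}`, and then matching and redirecting on `"$_f"` keeps the loop correct for both forms; `$pkgname-$_pkgver` should also be quoted on the `patch -p1 -d` line. The removed line `# fix directory permissions to satisfy check_perms` was the only explanation of why 01-mailman-2.1-build.patch exists, so it is worth keeping that wording next to the source array rather than dropping it.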


