From xanni@urYod.glasswings.com.au Wed May 26 10:27:04 2004
Date: Wed, 26 May 2004 18:26:47 +1000
From: Andrew Pam
To: guy-ezmlm@rucus.ru.ac.za
Subject: Another ezmlm-web patch
Message-ID: <20040526082647.GN1975@urYod.glasswings.com.au>

Hello!

I recently upgraded my system from Red Hat Linux 7.3 to Fedora Core 1, which in turn resulted in upgrading my perl to 5.8.3. This revealed a nasty security bug in Mail::Ezmlm which of course affects ezmlm-web.cgi and is detected by perl when running SUID. Mail::Ezmlm passes email addresses to the ezmlm tools on the command line using the "system" perl function, but doesn't check that the email addresses are free of dangerous characters.

Here's a patch to ezmlm-web.cgi to make it check for valid characters before calling Mail::Ezmlm:

--- ezmlm-web.cgi.orig	2000-09-26 06:58:08.000000000 +1100
+++ ezmlm-web.cgi	2004-05-26 17:54:30.000000000 +1000
@@ -477,7 +477,14 @@
 		untie %pretty;
 	}
-	if ($list->sub($add->address(), $part) != 1) {
+# Modified 2004-05-26 by Andrew Pam
+# Untaint the address because $list->sub will pass it to ezmlm-sub
+# on the command line!
+# Note this may not handle some less common email address formats
+	my($addr) = $add->address() =~ /([\w\.\=]+\@[\w\.\=]+)/
+		or die "Illegal character in address '" . $add->address() ."'";
+#	if ($list->sub($add->address(), $part) != 1) {
+	if ($list->sub($addr, $part) != 1) {
 		die "Unable to subscribe to list: $!";
 	}
 	$count++;

Of course arguably Mail::Ezmlm should really be doing this.

Cheers,
	Andrew

--
mailto:xanni@xanadu.net                         Andrew Pam
http://www.xanadu.com.au/                       Chief Scientist, Xanadu
http://www.glasswings.com.au/                   Technology Manager, Glass Wings
http://www.sericyb.com.au/                      Manager, Serious Cybernetics
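Review bot: the untaint match `my($addr) = $add->address() =~ /([\w\.\=]+\@[\w\.\=]+)/` is unanchored, so an input that contains a valid-looking core with disallowed characters around it does not reach the `die` branch; the capture silently yields a different address from the one the user submitted, and that is what gets subscribed. Anchoring the pattern, e.g. `/^([\w.=]+\@[\w.=]+)$/`, makes any character outside the allowed set a hard failure, which is the behaviour the error message promises. Since hyphens are common in host names (`user@my-domain.example`), the class should probably include `-` as well. The commented-out `#	if ($list->sub($add->address(), $part) != 1) {` line can be dropped; the diff already records the original.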