codekasten/ezmlm-web-ng/contrib-patches/ezmlm-web-andrew-pam-20040526.txt


From xanni@urYod.glasswings.com.au Wed May 26 10:27:04 2004
Return-Path: <xanni@urYod.glasswings.com.au>
Delivered-To: guy-ezmlm@rucus.ru.ac.za
Received: (qmail 95684 invoked by uid 1025); 26 May 2004 08:27:04 -0000
Received: (qmail-scanner-1.22 95683 invoked by uid 82); 26 May 2004 08:27:04 -0000
Received: from mail018.syd.optusnet.com.au (211.29.132.72)
by server.rucus.ru.ac.za with SMTP; 26 May 2004 08:26:58 -0000
Received: from urYod.glasswings.com.au (c211-28-208-136.eburwd1.vic.optusnet.com.au [211.28.208.136])
by mail018.syd.optusnet.com.au (8.11.6p2/8.11.6) with ESMTP id i4Q8QmD27299
for <guy-ezmlm@rucus.ru.ac.za>; Wed, 26 May 2004 18:26:49 +1000
Received: from urYod.glasswings.com.au (localhost.localdomain [127.0.0.1])
by urYod.glasswings.com.au (8.12.10/8.12.10) with ESMTP id i4Q8QlgD004619
for <guy-ezmlm@rucus.ru.ac.za>; Wed, 26 May 2004 18:26:47 +1000
Received: (from xanni@localhost)
by urYod.glasswings.com.au (8.12.10/8.12.10/Submit) id i4Q8Qljs004617
for guy-ezmlm@rucus.ru.ac.za; Wed, 26 May 2004 18:26:47 +1000
Date: Wed, 26 May 2004 18:26:47 +1000
From: Andrew Pam <xanni@glasswings.com.au>
To: guy-ezmlm@rucus.ru.ac.za
Subject: Another ezmlm-web patch
Message-ID: <20040526082647.GN1975@urYod.glasswings.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-Face: ="NXL=B\E?60DRs]*]Mp-[@,"/\ESi&5s~&qMPLKzyWqo*<)SiE$IykXoakjYA62"oQT_.0I-i:nay>Pg]I{>J&dN(D<]F}+eaMSI=Kv]<L%q>fr7.e;3u(e1ZlP^C>pRxW*sJEgdAevnn^/D{Eg[f
Status: RO
Content-Length: 1682

Hello!  I recently upgraded my system from Red Hat Linux 7.3 to
Fedora Core 1 which in turn resulted in upgrading my perl to 5.8.3.
This revealed a nasty security bug in Mail::Ezmlm which of course affects
ezmlm-web.cgi and is detected by perl when running SUID.  Mail::Ezmlm
passes email addresses to the ezmlm tools on the command line using the
"system" perl function, but doesn't check that the email addresses are
free of dangerous characters.  Here's a patch to ezmlm-web.cgi to make
it check for valid characters before calling Mail::Ezmlm:

--- ezmlm-web.cgi.orig 2000-09-26 06:58:08.000000000 +1100
+++ ezmlm-web.cgi 2004-05-26 17:54:30.000000000 +1000
@@ -477,7 +477,14 @@
untie %pretty;
}
- if ($list->sub($add->address(), $part) != 1) {
+# Modified 2004-05-26 by Andrew Pam <xanni@sericyb.com.au>
+# Untaint the address because $list->sub will pass it to ezmlm-sub
+# on the command line!
+# Note this may not handle some less common email address formats
+ my($addr) = $add->address() =~ /([\w\.\=]+\@[\w\.\=]+)/
+ or die "Illegal character in address '" . $add->address() ."'";
+# if ($list->sub($add->address(), $part) != 1) {
+ if ($list->sub($addr, $part) != 1) {
die "Unable to subscribe to list: $!";
}
$count++;
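
Review bot: the pattern on the added `my($addr) = ...` line is not anchored, so the check passes whenever any substring looks like an address, and `$addr` becomes that substring rather than the submitted value. The `die "Illegal character ..."` branch therefore does not fire for input that has other characters before or after the match, and because the class `[\w\.\=]` lacks `-` and `+`, an address such as first-last@my-domain.example is silently subscribed as last@my. Suggest matching the whole string with `\A(...)\z`, adding `-` and `+` to the local-part class and `-` to the domain class, rejecting a leading `-` so the value cannot be taken for an option by the command it is passed to, and deleting the commented-out old `if` line instead of keeping it.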

Of course arguably Mail::Ezmlm should really be doing this.

Cheers,
	Andrew
--
mailto:xanni@xanadu.net Andrew Pam
http://www.xanadu.com.au/ Chief Scientist, Xanadu
http://www.glasswings.com.au/ Technology Manager, Glass Wings
http://www.sericyb.com.au/ Manager, Serious Cybernetics
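
An added example, not part of Andrew Pam's message or of ezmlm-web: it runs the patch's pattern next to a stricter, fully anchored one over constructed inputs to show what each would hand on to the subscribe call. The function names, the stricter pattern and the sample addresses are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern copied from the patch: unanchored, so it captures the first
# substring that looks like an address and ignores everything around it.
sub untaint_patch {
    my ($in) = @_;
    my ($addr) = $in =~ /([\w\.\=]+\@[\w\.\=]+)/;
    return $addr;    # undef when nothing matched
}

# Hypothetical stricter variant: the whole string must match (\A ... \z),
# '-' and '+' are accepted so common addresses are not cut short, and the
# first character may not be '-' so the value cannot look like an option.
sub untaint_strict {
    my ($in) = @_;
    my ($addr) = $in =~
        /\A([A-Za-z0-9_][A-Za-z0-9_.=+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*)\z/;
    return $addr;    # undef when the input is rejected
}

# Constructed sample inputs, not taken from any real list.
my @samples = (
    'alice@example.org',
    'first-last@my-domain.example',
    'alice@example.org; echo injected',
    '-x@example.org',
    "alice\@example.org\n",
);

for my $in (@samples) {
    my $p = untaint_patch($in);
    my $s = untaint_strict($in);
    (my $shown = $in) =~ s/\n/\\n/g;    # keep the report on one line
    printf "%-36s patch=%-20s strict=%s\n", "'$shown'",
        defined $p ? $p : '(rejected)',
        defined $s ? $s : '(rejected)';
}
```

Both patterns return only characters from their own class, so neither lets shell metacharacters through; the difference is that the unanchored one accepts the input and subscribes a different address than the one submitted, while the anchored one rejects it.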