- Fix a security problem in private mailing list archives could allow anyone to

read any file on web server. - Minor port changes PR: ports/77364 Submitted by: Vivek Khera <vivek@khera.org> (maintainer) Security: CVE number CAN-2005-0202
svn path=/head/; revision=128484
2024-11-23 00:43:28 +00:00 · 2005-02-10 22:25:02 +00:00 · 2005-02-10 22:25:02 +00:00 · 78a9a5c49e · 2021-03-31 03:12:20 +00:00
commit 78a9a5c49e
parent 94aaed7051
4 changed files with 69 additions and 15 deletions
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	mailman
 PORTVERSION=	2.1.5
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES?=	mail
 MASTER_SITES=	http://www.list.org/ \
 		${MASTER_SITE_GNU} \
@ -125,6 +125,10 @@ post-configure:
 	@ ${SED} -e 's#%%MAILMANDIR%%#${MAILMANDIR}#g' \
 	  -e 's#%%DOCSDIR%%#${DOCSDIR}#g' -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \
 	  ${MASTERDIR}/pkg-message > ${PKGMESSAGE}
+# port system auditors complain if dir is created prior to install
+# but configure demands it be there.  we delete it now if empty,
+# so it will be re-created.  For existing installs, this is ignored
+	@- rmdir ${MAILMANDIR} 2> /dev/null

 pre-install:
 	@ ${SH} ${PKGREQ} INSTALL
--- a/mail/mailman/files/patch-Mailman::Cgi::private.py
+++ b/mail/mailman/files/patch-Mailman::Cgi::private.py
@ -0,0 +1,34 @@
+Index: Mailman/Cgi/private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- private.py	8 Feb 2003 07:13:50 -0000	2.16.2.1
+++ private.py	10 Feb 2005 03:34:21 -0000
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ 
+SLASH = '/'
+
+ 
+ 
+ def true_path(path):
+     "Ensure that the path is safe by removing .."
+-    path = path.replace('../', '')
+-    path = path.replace('./', '')
+-    return path[1:]
+    parts = path.split(SLASH)
+    safe = [x for x in parts if x not in ('.', '..')]
+    if parts <> safe:
+        syslog('mischief', 'Directory traversal attack thwarted')
+    return SLASH.join(safe)[1:]
+ 
+ 
+ 
--- a/mail/mailman/pkg-deinstall
+++ b/mail/mailman/pkg-deinstall
@ -9,9 +9,15 @@ case $2 in
 DEINSTALL)
  echo "---> Starting deinstall script:"

-  echo "---> Zeroing crontab(5) file belonging to user \"%%USER%%\""
-  /usr/bin/crontab -u %%USER%% /dev/null
-  echo "     (The crontab(5) will be deleted completely when user %%USER%% is removed.)"
+  if /usr/bin/crontab -u "%%USER%%" -l | \
+      /usr/bin/diff - %%MAILMANDIR%%/cron/crontab.in >/dev/null 2>&1 ; then
+      echo "---> Zeroing crontab for \"%%USER%%\""
+      /usr/bin/crontab -u "%%USER%%" /dev/null
+  else
+      echo "---> Crontab for \"%%USER%%\" not removed: please deinstall"
+      echo "---> manually if you no-longer wish to use Mailman. eg:"
+      echo "--->     /usr/bin/crontab -u "%%USER%%" -r"
+  fi

  echo "---> Stopping Mailman's qrunner daemon"
  %%PREFIX%%/etc/rc.d/mailman.sh stop >/dev/null 2>&1
@ -36,19 +42,15 @@ POST-DEINSTALL)

  if [ -d %%MAILMANDIR%% ]; then
    echo '---> %%MAILMANDIR%% is not empty - this installation may have active lists!'
-    echo '---> - The "%%USER%%" user and "%%GROUP%%" group were therefore not deleted.'
-    echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
-
    echo "---> Restoring \"last_mailman_version\" file"
    [ -d %%MAILMANDIR%%/data ] || /bin/mkdir %%MAILMANDIR%%/data
    /bin/mv -f /var/tmp/last_mailman_version %%MAILMANDIR%%/data/
-
-  else
-    echo "---> Removing group \"%%GROUP%%\""
-    /usr/sbin/pw groupdel -n %%GROUP%%
-    echo "---> Removing user \"%%USER%%\""
-    echo 'y' | /usr/sbin/pw userdel -n %%USER%%
  fi
+
+  echo '---> - If you are not using Mailman any more, you should manually delete'
+  echo '---> - the "%%USER%%" user and "%%GROUP%%" group.'
+  echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
+
  ;;

 esac
--- a/mail/mailman/pkg-install
+++ b/mail/mailman/pkg-install
@ -49,8 +49,22 @@ PRE-INSTALL)
 POST-INSTALL)
  echo "---> Starting post-install script:"

-  echo "---> Creating crontab(5) file for user \"%%USER%%\""
-  /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+  echo "---> Checking crontab(5) file for user \"%%USER%%\""
+
+  if /usr/bin/crontab -u "%%USER%%" -l >/tmp/mmctab$$ 2>&1 ; then
+      if test -s /tmp/mmctab$$; then
+          echo "---> \"%%USER%%\" already has a crontab.  Not overwriting it"
+          echo "---> Please merge any changes from the standard crontab file"
+          echo "--->     %%MAILMANDIR%%/cron/crontab.in"
+      else
+          echo "---> Installing crontab(5) file for user \"%%USER%%\""
+          /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+      fi
+  else
+      echo "---> Creating crontab(5) file for user \"%%USER%%\""
+      /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+  fi
+  rm -f /tmp/mmctab$$

  echo "---> Checking (and fixing) file and directory permissions"
  %%MAILMANDIR%%/bin/check_perms -f >/dev/null 2>&1