From e873e95349dfe5c5e5872ffc777f386d571f9cb1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 10 2020 01:24:19 +0000 Subject: import mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b --- diff --git a/SOURCES/mailman-bouncer_oom_crash.patch b/SOURCES/mailman-bouncer_oom_crash.patch new file mode 100644 index 0000000..54da0c9 --- /dev/null +++ b/SOURCES/mailman-bouncer_oom_crash.patch @@ -0,0 +1,78 @@ +--- Mailman/Bouncers/SimpleMatch.py 2018-06-17 23:47:34 +0000 ++++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 +@@ -25,6 +25,9 @@ + def _c(pattern): + return re.compile(pattern, re.IGNORECASE) + ++# Pattern to match any valid email address and not much more. ++VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') ++ + # This is a list of tuples of the form + # + # (start cre, end cre, address cre) +@@ -227,4 +230,4 @@ + break + if addrs: + break +- return addrs.keys() ++ return [x for x in addrs.keys() if VALID.match(x)] + +=== modified file 'Mailman/Bouncers/SimpleWarning.py' +--- Mailman/Bouncers/SimpleWarning.py 2018-06-17 23:47:34 +0000 ++++ Mailman/Bouncers/SimpleWarning.py 2020-01-17 00:03:34 +0000 +@@ -17,9 +17,10 @@ + + """Recognizes simple heuristically delimited warnings.""" + ++import email ++ + from Mailman.Bouncers.BouncerAPI import Stop + from Mailman.Bouncers.SimpleMatch import _c +-from Mailman.Bouncers.SimpleMatch import process as _process + + + +@@ -67,8 +68,25 @@ + + + def process(msg): +- if _process(msg, patterns): +- # It's a recognized warning so stop now +- return Stop +- else: +- return [] ++ # We used to just import process from SimpleMatch, but with the change in ++ # SimpleMatch to return only vaild addresses, that doesn't work any more. ++ # So, we copy most of the process from SimpleMatch here. ++ addrs = {} ++ for scre, ecre, acre in patterns: ++ state = 0 ++ for line in email.Iterators.body_line_iterator(msg, decode=True): ++ if state == 0: ++ if scre.search(line): ++ state = 1 ++ if state == 1: ++ mo = acre.search(line) ++ if mo: ++ addr = mo.group('addr') ++ if addr: ++ addrs[addr.strip('<>')] = 1 ++ elif ecre.search(line): ++ break ++ if addrs: ++ # It's a recognized warning so stop now ++ return Stop ++ return [] + +--- Mailman/Bouncers/SimpleMatch.py 2020-01-17 00:03:34 +0000 ++++ Mailman/Bouncers/SimpleMatch.py 2020-01-17 03:25:09 +0000 +@@ -26,7 +26,7 @@ + return re.compile(pattern, re.IGNORECASE) + + # Pattern to match any valid email address and not much more. +-VALID = _c(r'[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+') ++VALID = _c(r'^[\x21-\x3d\x3f\x41-\x7e]+@[a-z0-9._]+$') + + # This is a list of tuples of the form + # + diff --git a/SPECS/mailman.spec b/SPECS/mailman.spec index 462b1dd..301a343 100644 --- a/SPECS/mailman.spec +++ b/SPECS/mailman.spec @@ -3,7 +3,7 @@ Summary: Mailing list manager with built in Web access Name: mailman Version: 2.1.29 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 3 Group: Applications/Internet Source0: ftp://ftp.gnu.org/pub/gnu/mailman/mailman-%{version}.tgz @@ -30,6 +30,7 @@ Patch21: mailman-2.1.13-env-python.patch Patch22: mailman-2.1.15-check_perms.patch Patch24: mailman-specify_python_version.patch Patch25: mailman-CVE-2020-12137.patch +Patch26: mailman-bouncer_oom_crash.patch License: GPLv2+ @@ -120,6 +121,7 @@ additional installation steps, these are described in: %patch22 -p1 %patch24 -p1 -b .python_version %patch25 -p0 -b .cve_obj_mime +%patch26 -p0 -b .bouncer_match #cp $RPM_SOURCE_DIR/mailman.INSTALL.REDHAT.in INSTALL.REDHAT.in cp %{SOURCE5} INSTALL.REDHAT.in @@ -573,6 +575,9 @@ exit 0 %dir %attr(775,root,%{mmgroup}) %{lockdir} %changelog +* Mon May 25 2020 Pavel Zhukov - 3:2.1.29-10 +- Fix match patter to reduce false allocation + * Mon May 25 2020 Pavel Zhukov - 3:2.1.29-9 - Fix for CVE-2020-12137