Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Apr 2015 11:04:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: mailman-security@...hon.org,
        "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Limited DoS in mailman (requires non standard config)

So I recently ran into a flaw in mailman where I had imported a text
list of email addresses of people that wanted to sign up. It turns out
one of the addresses was in the form "user@...ain.tld/random", not sure
how that snuck in but anyways. When sending email to this list it fails
due to that address being present:

from mailman posts log:

Apr 28 16:46:23 2015 (29704) post to testing from testing-request@...,
size=1786, message-id=<mailman.0.1430239582.16535.testing@...>, 1 failures

from smtp-failure log:

smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused:
{'kurt@...fried.org/foo': (501, '5.1.3 Bad recipient address syntax')},
msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@...>

So obviously any list configured to require confirmation will not be
affected by this, but lists using import via file or web interface could
potentially be affected (if you get a "dirty" list), or lists that are
require admin approval only and not confirmation (e.g. the admin doesn't
notice it when they hit accept).

Overall I don't think this is a security vulnerability, if you have
"require confirmation" and clean any address prior to import it cannot
be triggered, but it would be nice to have this hardened I think.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ