From d3124395a3abfe0ccd9f1c37096292bfbe939a85 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Fri, 27 Mar 2015 14:12:16 -0700
Subject: Fix for path traversal vulnerability.

---
 Mailman/Defaults.py.in |  2 +-
 Mailman/Utils.py       |  6 ++++++
 NEWS                   | 10 +++++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index 068a7dab..9e9e93af 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -138,7 +138,7 @@ HTML_TO_PLAIN_TEXT_COMMAND = '/usr/bin/lynx -dump %(filename)s'
 
 # A Python regular expression character class which defines the characters
 # allowed in list names.  Lists cannot be created with names containing any
-# character that doesn't match this class.
+# character that doesn't match this class.  Do not include '/' in this list.
 ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
 
 # Shall the user's real names be displayed along with their email addresses
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 13c4ed8b..1cd1cdb7 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -100,6 +100,12 @@ def list_exists(listname):
     #
     # The former two are for 2.1alpha3 and beyond, while the latter two are
     # for all earlier versions.
+    #
+    # But first ensure the list name doesn't contain a path traversal
+    # attack.
+    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
+        syslog('mischief', 'Hostile listname: %s', listname)
+        return False
     basepath = Site.get_listpath(listname)
     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
         dbfile = os.path.join(basepath, 'config' + ext)
diff --git a/NEWS b/NEWS
index b021f309..94571b4a 100755
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@ Copyright (C) 1998-2015 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.20 (xx-xxx-xxxx)
+2.1.20 (31-Mar-2015)
+
+  Security
+
+    - A path traversal vulnerability has been discovered and fixed.  This
+      vulnerability is only exploitable by a local user on a Mailman server
+      where the suggested Exim transport, the Postfix postfix_to_mailman.py
+      transport or some other programmatic MTA delivery not using aliases
+      is employed.  CVE-2015-2775  (LP: #1437145)
 
   New Features
 
-- 
cgit v1.2.3