
List:       mailman-developers
Subject:    [Mailman-Developers] CVE-2021-40347: New security release for Postorius
From:       Abhilash Raj <maxking () asynchronous ! in>
Date:       2021-09-05 18:14:52
Message-ID: 10705c84-aa4f-0766-fcb0-1237e89e421c () asynchronous ! in

Everyone,

A security vulnerability was reported against Postorius recently which 
allows any logged-in user to unsubscribe any other member on any other 
list on the same Mailman installation using a specially crafted POST request 
due to a missing ownership check. This has been assigned CVE-2021-40347.

This affects all past versions of Postorius including 1.0.0.

Thanks to Kunal Mehta for the security report and a quick patch to fix 
the vulnerability.

I am also attaching a minimal patch that fixes it along with this email, 
without tests and NEWS so that it applies to older versions of Postorius 
easily (I have tested the included patch with 1.3.3, 1.3.2 git tags).

Upgrading to the 1.3.5 release is highly recommended, and it mostly includes 
the fix for this vulnerability (and a small compatibility fix for 
django-mailman3 1.3.6), so it shouldn't introduce any other bugs.

You can upgrade to this release by running:

     $ pip install postorius==1.3.5

A full change log is available here[1] as usual and can be downloaded 
from PyPI[2].

[1]: 
https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-5
[2]: https://pypi.org/project/postorius/1.3.5/

Since there aren't many changes, this release requires 3.5+ like 1.3.4. 
Note, though, that the next release will drop support for 3.5 and will 
support 3.6 only.

For those of you who use container images, I am working on 0.3.12 of the 
container images right now, so look out for that announcement. For those 
of you using the rolling releases, you can already upgrade to the latest 
version of the rolling release as it has the fix.


-- 
thanks,
Abhilash Raj (maxking)

["cve-2021-40347.patch" (text/plain)]

diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 37d7ff6b..cd4967b9 100644
--- a/src/postorius/views/list.py
+++ b/src/postorius/views/list.py
@@ -502,6 +502,15 @@ class ListUnsubscribeView(MailingListView):
     @method_decorator(login_required)
     def post(self, request, *args, **kwargs):
         email = request.POST['email']
+        # Verify the user actually controls this email, should
+        # return 1 if the user owns the email, 0 otherwise.
+        found_email = EmailAddress.objects.filter(
+            user=request.user, email=email, verified=True).count()
+        if found_email == 0:
+            messages.error(
+                request,
+                _('You can only unsubscribe yourself.'))
+            return redirect('list_summary', self.mailing_list.list_id)
         try:
             self.mailing_list.unsubscribe(email)
             messages.success(request, _('%s has been unsubscribed'
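Review bot: the hunk uses `EmailAddress` and `messages` but adds no import line, so anyone backporting this minimal patch should confirm that `list.py` in their version already imports `EmailAddress` (the allauth account model); if it does not, the new check raises NameError at runtime on exactly the request path it is meant to protect, which an unpatched-looking 500 would be easy to misread as a fixed endpoint. The gating itself is in the right place: the decision is made before `self.mailing_list.unsubscribe(email)`, which is the call that actually reaches Mailman core, and requiring `verified=True` means an address a user has merely added but not confirmed does not count as ownership. Two minor points: `.count()` compared with `== 0` does the work of `.exists()`, so `if not EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists():` reads more directly and avoids a COUNT query; and `request.POST['email']` on the preceding context line still raises KeyError (a 500) when the field is absent, so `request.POST.get('email', '')` would let the new check reject a malformed request cleanly instead.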


_______________________________________________
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-leave@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9
