From e50f0eeb83dd4ee0f3db57309569e674186186d3 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Tue, 19 Oct 2021 15:13:30 +0800
Subject: [PATCH] fix CVES

(cherry picked from commit aa7a1256e2a38decd24fa171a8cf06026d8d7f8f)
---
 CVE-2020-12108.patch | 25 +++++++++++++++++++++++++
 CVE-2020-12137.patch | 26 ++++++++++++++++++++++++++
 mailman.spec | 7 ++++++-
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-12108.patch
 create mode 100644 CVE-2020-12137.patch

diff --git a/CVE-2020-12108.patch b/CVE-2020-12108.patch
new file mode 100644
index 0000000..39e1033
--- /dev/null
+++ b/CVE-2020-12108.patch
@@ -0,0 +1,25 @@
+From 966f6556766d24eb53055782b74a02d8c5969be2 Mon Sep 17 00:00:00 2001
+From: Utkarsh Gupta
+Date: Tue, 19 Oct 2021 09:50:58 +0800
+Subject: [PATCH] 2
+
+---
+ Mailman/Cgi/options.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
+index 34a7718..386b308 100644
+--- a/Mailman/Cgi/options.py
++++ b/Mailman/Cgi/options.py
+@@ -172,7 +172,7 @@ def main():
+ try:
+ Utils.ValidateEmail(user)
+ except Errors.EmailAddressError:
+- doc.addError(_('Illegal Email Address: %(safeuser)s'))
++ doc.addError(_('Illegal Email Address'))
+ loginpage(mlist, doc, None, language)
+ print doc.Format()
+ return
+--
+2.27.0
+
diff --git a/CVE-2020-12137.patch b/CVE-2020-12137.patch
new file mode 100644
index 0000000..5816481
--- /dev/null
+++ b/CVE-2020-12137.patch
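Review bot: The backported patch carries no explanation of what it fixes or where it comes from — its `Subject:` is the bare string `2` and its `From:` line has no address — so a reader cannot tell that dropping `%(safeuser)s` from the `doc.addError(...)` message is the CVE-2020-12108 change, nor check it against the upstream fix. The nested patch header should name the issue, e.g. `Subject: [PATCH] CVE-2020-12108: do not echo the submitted address in the options login error`, and cite the upstream commit it was taken from; the same applies to the second nested patch in this commit. As far as the hunk shows the code change is sound: the error text no longer embeds the caller-supplied address, though whether `safeuser` is still rendered by the `loginpage(...)` call on the following line is outside this hunk. main() continues outside the hunk.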
@@ -0,0 +1,26 @@
+From ce32b3a6223efac121fc0df59e5316cfb6b8d3a0 Mon Sep 17 00:00:00 2001
+From: Mark Sapiro
+Date: Tue, 19 Oct 2021 11:14:11 +0800
+Subject: [PATCH] 2
+
+---
+ Mailman/Handlers/Scrubber.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Mailman/Handlers/Scrubber.py b/Mailman/Handlers/Scrubber.py
+index 429312b..08ae55a 100644
+--- a/Mailman/Handlers/Scrubber.py
++++ b/Mailman/Handlers/Scrubber.py
+@@ -87,6 +87,9 @@ def guess_extension(ctype, ext):
+ all = guess_all_extensions(ctype, strict=False)
+ if ext in all:
+ return ext
++ if ctype.lower == 'application/octet-stream':
++ # For this type,all[0] is '.obj'.'.bin' is better.
++ return '.bin'
+ return all and all[0]
+
+
+--
+2.27.0
+
diff --git a/mailman.spec b/mailman.spec
index 018685b..ab9200b 100644
--- a/mailman.spec
+++ b/mailman.spec
@@ -3,7 +3,7 @@
 Name: mailman
 Version: 2.1.29
-Release: 5
+Release: 6
 Epoch: 3
 Summary: GNU Mailing List Manager
 License: GPLv2+
@@ -27,6 +27,8 @@ Patch7: mailman-2.1.13-archive-reply.patch
 Patch13: mailman-2.1.9-unicode.patch
 Patch21: mailman-2.1.13-env-python.patch
 Patch22: mailman-2.1.15-check_perms.patch
+Patch23: CVE-2020-12108.patch
+Patch24: CVE-2020-12137.patch
 BuildRequires: automake gcc python2-devel systemd python2-dns
 Requires(pre): shadow-utils
@@ -421,5 +423,8 @@ exit 0
 %dir %attr(775,root,%{name}) /var/lock/%{name}
 %changelog
+* Tue Oct 19 2021 liwu - 2.1.29-6
+- Fix CVE-2020-12108 CVE-2020-12137
+
 * Fri Feb 14 2020 lihao - 2.1.29-5
 - Package init
--
Gitee
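Review bot: The guard added by the CVE-2020-12137 patch, `if ctype.lower == 'application/octet-stream':`, compares the bound method `str.lower` to a string instead of calling it, so the condition is always false and `'.bin'` is never returned; guess_extension() still falls through to `return all and all[0]`, which the patch's own comment says yields `'.obj'` for this type, so the backport leaves behaviour unchanged. It should read `if ctype.lower() == 'application/octet-stream':`. Once the call is fixed, it is worth confirming that every caller passes a str `ctype` (a `None` would raise on `.lower()`), which cannot be checked from this hunk. The start of guess_extension() is outside the hunk.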
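Review bot: `Patch23:` and `Patch24:` are declared in the second mailman.spec hunk, but nothing in this commit applies them; if the `%prep` section (not shown) applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, the two CVE fixes never reach the build tree and the rebuilt package is unchanged apart from its release number. Add `%patch23 -p1` and `%patch24 -p1` where the existing patches are applied, or confirm that `%prep` applies them automatically. The `-p1` strip level matches the `a/Mailman/...` paths used inside both patch files.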