diff --git a/CVE-2021-34337.patch b/CVE-2021-34337.patch
new file mode 100644
index 0000000000000000000000000000000000000000..11d0194e96b63eabd637b22f27716032f9e817a2
--- /dev/null
+++ b/CVE-2021-34337.patch
@@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+ timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+ src/mailman/rest/wsgiapp.py | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
++++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+ """Basic WSGI Application object for REST server."""
+ 
+ import re
++import hmac
+ import logging
+ 
+ from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+         credentials = b64decode(request.auth[6:]).decode('utf-8')
+         username, password = credentials.split(':', 1)
+         if (username == config.webservice.admin_user and
+-            password == config.webservice.admin_pass):
++            hmac.compare_digest(
++                password, config.webservice.admin_pass)):
+             authorized = True
+         if not authorized:
+             # Not authorized.
+-- 
+GitLab
+
diff --git a/mailman.spec b/mailman.spec
index f46de6251279048cd4a0ccc039e4bd1a5ff2ef07..0863301168ec29b491094c3e7e3c2b0cd969c86f 100644
--- a/mailman.spec
+++ b/mailman.spec
@@ -7,7 +7,7 @@ Name: mailman
 Version: 3.3.2
-Release: 7
+Release: 5
 Epoch: 3
 Summary: The GNU mailing list manager
 License: GPLv3
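Review bot: `hmac.compare_digest(password, config.webservice.admin_pass)` in the second wsgiapp.py hunk of the new patch file is called on two `str` values, and `hmac.compare_digest` raises `TypeError` when either str contains non-ASCII characters; `password` comes straight from the client's base64-decoded credentials, so a non-ASCII password would most likely surface as an unhandled exception rather than an authorization failure, and a configured non-ASCII admin_pass could never authenticate. Comparing the UTF-8 encodings avoids that: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. The username is still checked with `==` on the left of the `and`, so the constant-time comparison only runs once the username matches; if username timing matters here, compare both values with compare_digest and combine the two results without short-circuiting. The `Middleware` method these lines belong to starts and ends outside the hunk.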
@@ -19,17 +19,11 @@ Source3: mailman3.service
 Source4: mailman3.logrotate
 Source5: mailman3-digests.service
 Source6: mailman3-digests.timer
-#Refer: https://gitlab.com/mailman/mailman/-/merge_requests/860
-Patch01: mailman3-click8.patch
 Patch11: mailman-subject-prefix.patch
 Patch14: mailman-use-either-importlib_resources-or-directly-importlib.patch
-#Refer: https://bugzilla.redhat.com/show_bug.cgi?id=1900668#c9
-Patch15: mailman3-do-not-assume-sapce-in-banner.patch
-#Refer: https://gitlab.com/mailman/mailman/-/merge_requests/772
-Patch16: mailman3-test_as_string_python_bug_27321.patch
-Patch17: 0001-fix-tests-assertion-error.patch
-#Refer: https://gitlab.com/mailman/mailman/-/issues/964#note_1001855903
-Patch18: support-sqlalchemy-1-4.patch
+Patch15: fixbuilderror-1.patch
+Patch16: fixbuilderror-2.patch
+Patch17: CVE-2021-34337.patch
 BuildArch: noarch
 BuildRequires: glibc-langpack-en
 BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@@ -211,17 +205,11 @@ done
 %{_datadir}/selinux/*/mailman3.pp
 
 %changelog
-* Thu Jul 07 2022 wangkai - 3:3.3.2-7
-- Silence sqlalchemy-1.4 warning
+* Sun Oct 09 2022 liyuxiang - 3.3.2-5
+- fix CVE-2021-34337
 
-* Mon Jun 20 2022 baizhonggui - 3:3.3.2-6
-- Fix tests assertion error
-
-* Tue May 24 2022 wulei - 3:3.3.2-5
-- Require click >=8.0.0 and fix the tests it breaks
-
-* Fri May 13 2022 caodongxia - 3:3.3.2-4
-- Fix test_interact and test_message failure
+* Thu Jan 13 2022 liwu - 3.3.2-4
+- fix build error
 
 * Thu Aug 12 2021 wangyue - 3.3.2-3
 - fix build error
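Review bot: The patch-list hunk drops Patch01 (mailman3-click8), Patch15 through Patch18 (banner spacing, test_as_string, tests assertion, sqlalchemy-1.4 support) together with their `#Refer:` links and replaces them with fixbuilderror-1.patch and fixbuilderror-2.patch, whose contents are not in this diff, so it is not possible to tell whether those fixes survive; the same commit lowers `Release:` from 7 to 5 in the earlier hunk and the %changelog hunk deletes the 3:3.3.2-6 and 3:3.3.2-7 entries. A release that goes backwards means rpm treats an already-shipped 3:3.3.2-7 as newer and will not upgrade to this build, so this looks like a diff taken against a stale base rather than an intended change. If the intent is only the CVE fix, append it as a new `Patch19: CVE-2021-34337.patch` on top of the existing list, bump to `Release: 8`, and write the entry as `* Sun Oct 09 2022 liyuxiang - 3:3.3.2-8` so it keeps the epoch prefix the 3:3.3.2-5 to -7 entries use.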