https://bugzilla.novell.com/show_bug.cgi?id=697638
https://bugzilla.novell.com/show_bug.cgi?id=697638#c0

Summary: VUL-1: mailman data leak
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Linux
Status: ASSIGNED
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: jmatejek@novell.com
ReportedBy: mvyskocil@novell.com
QAContact: qa@suse.de
CC: krahmer@novell.com, security-team@suse.de
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #418589 +++

Date: Tue, 19 Aug 2008 12:10:20 -0700
From: "H. Peter Anvin" <hpa@zytor.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
To: mailman-security@python.org, Linux vendor security list <vendor-sec@lst.de>

I just re-discovered a security hole I found back in 2001, CVE-2002-0389.

At least the way it is installed on RedHat/Fedora by default, if you have local access to the machine, you can read the archives of any mailing list, including private mailing lists. This appears to still be present as of mailman-2.1.9-10.fc9.x86_64.rpm, but I haven't attempted a clean install so it could be a matter of legacy mailing lists.

/var/lib/mailman/private is set up mode 2771, (mailman,mailman). Under that directory are the archive directories in plaintext, publicly writable (so that the http server can access them via a symlink from the public directory). There is no salting, so if you know the name of the list and have local access to the machine, you can access the archives simply by cd'ing to /var/lib/mailman/archives/private/<listname>.

The obvious fix for this is to salt the directory names, but this requires that legacy installations be migrated. Note that the salt would have to be changed on any transition from public to private, or a user could stash the salt from /var/lib/mailman/archives/public.
-hpa
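An audit check for the permission layout described in the report, as an added example that is not part of the original message or of Mailman: it reports, from mode bits alone, which list archive directories a local user outside the owner and group could enter. The function name, the sample list names and the temporary directory tree are constructed for illustration, and the mode-2770 run is only a comparison, not the fix the report proposes.

```python
import os
import stat
import tempfile


def audit_private_archives(root):
    """Map each list directory under `root` to the access that local users
    outside the owner and group get through the "other" permission bits."""
    root_mode = stat.S_IMODE(os.stat(root).st_mode)
    # o+x on the root lets anyone enter a subdirectory whose name they know,
    # even when o+r is absent and the names cannot be listed (mode 2771).
    if not root_mode & stat.S_IXOTH:
        return {}
    findings = {}
    for entry in os.scandir(root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if not mode & stat.S_IXOTH:
            continue  # "other" cannot traverse this list's archive
        access = ["traverse"]
        if mode & stat.S_IROTH:
            access.append("list")
        if mode & stat.S_IWOTH:
            access.append("write")
        findings[entry.name] = access
    return findings


def demo():
    """Constructed layout: root at 2771 as in the report, two sample lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "private")
        os.mkdir(root)
        # Sample list names and modes are constructed, not from the report.
        for name, mode in (("staff-private", 0o2775), ("board", 0o2770)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        os.chmod(root, 0o2771)
        before = audit_private_archives(root)
        os.chmod(root, 0o2770)  # comparison: same tree without o+x on root
        after = audit_private_archives(root)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check reads mode bits only, so ACLs, mount options and mandatory access control policy are outside what it reports.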