- Fix a security problem in private mailing list archives could allow anyone to

  read any file on web server.
- Minor port changes

PR:		ports/77364
Submitted by:	Vivek Khera <vivek@khera.org> (maintainer)
Security:	CVE number CAN-2005-0202

4 files changed, 69 insertions, 15 deletions

diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 7ae3d023512d..ea3f497528ab 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	mailman
 PORTVERSION=	2.1.5
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES?=	mail
 MASTER_SITES=	http://www.list.org/ \
 		${MASTER_SITE_GNU} \
@@ -125,6 +125,10 @@ post-configure:
 	@ ${SED} -e 's#%%MAILMANDIR%%#${MAILMANDIR}#g' \
 	  -e 's#%%DOCSDIR%%#${DOCSDIR}#g' -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \
 	  ${MASTERDIR}/pkg-message > ${PKGMESSAGE}
+# port system auditors complain if dir is created prior to install
+# but configure demands it be there.  we delete it now if empty,
+# so it will be re-created.  For existing installs, this is ignored
+	@- rmdir ${MAILMANDIR} 2> /dev/null
 
 pre-install:
 	@ ${SH} ${PKGREQ} INSTALL
diff --git a/mail/mailman/files/patch-Mailman::Cgi::private.py b/mail/mailman/files/patch-Mailman::Cgi::private.py
new file mode 100644
index 000000000000..08fd1390c7a6
--- /dev/null
+++ b/mail/mailman/files/patch-Mailman::Cgi::private.py
@@ -0,0 +1,34 @@
+Index: Mailman/Cgi/private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- private.py	8 Feb 2003 07:13:50 -0000	2.16.2.1
++++ private.py	10 Feb 2005 03:34:21 -0000
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ 
++SLASH = '/'
++
+ 
+ 
+ def true_path(path):
+     "Ensure that the path is safe by removing .."
+-    path = path.replace('../', '')
+-    path = path.replace('./', '')
+-    return path[1:]
++    parts = path.split(SLASH)
++    safe = [x for x in parts if x not in ('.', '..')]
++    if parts <> safe:
++        syslog('mischief', 'Directory traversal attack thwarted')
++    return SLASH.join(safe)[1:]
+ 
+ 
+ 
diff --git a/mail/mailman/pkg-deinstall b/mail/mailman/pkg-deinstall
index 180ac640fa0d..1ab07c748f92 100644
--- a/mail/mailman/pkg-deinstall
+++ b/mail/mailman/pkg-deinstall
@@ -9,9 +9,15 @@ case $2 in
 DEINSTALL)
   echo "---> Starting deinstall script:"
 
-  echo "---> Zeroing crontab(5) file belonging to user \"%%USER%%\""
-  /usr/bin/crontab -u %%USER%% /dev/null
-  echo "     (The crontab(5) will be deleted completely when user %%USER%% is removed.)"
+  if /usr/bin/crontab -u "%%USER%%" -l | \
+      /usr/bin/diff - %%MAILMANDIR%%/cron/crontab.in >/dev/null 2>&1 ; then
+      echo "---> Zeroing crontab for \"%%USER%%\""
+      /usr/bin/crontab -u "%%USER%%" /dev/null
+  else
+      echo "---> Crontab for \"%%USER%%\" not removed: please deinstall"
+      echo "---> manually if you no-longer wish to use Mailman. eg:"
+      echo "--->     /usr/bin/crontab -u "%%USER%%" -r"
+  fi
 
   echo "---> Stopping Mailman's qrunner daemon"
   %%PREFIX%%/etc/rc.d/mailman.sh stop >/dev/null 2>&1
@@ -36,19 +42,15 @@ POST-DEINSTALL)
 
   if [ -d %%MAILMANDIR%% ]; then
     echo '---> %%MAILMANDIR%% is not empty - this installation may have active lists!'
-    echo '---> - The "%%USER%%" user and "%%GROUP%%" group were therefore not deleted.'
-    echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
-
     echo "---> Restoring \"last_mailman_version\" file"
     [ -d %%MAILMANDIR%%/data ] || /bin/mkdir %%MAILMANDIR%%/data
     /bin/mv -f /var/tmp/last_mailman_version %%MAILMANDIR%%/data/
-
-  else
-    echo "---> Removing group \"%%GROUP%%\""
-    /usr/sbin/pw groupdel -n %%GROUP%%
-    echo "---> Removing user \"%%USER%%\""
-    echo 'y' | /usr/sbin/pw userdel -n %%USER%%
   fi
+
+  echo '---> - If you are not using Mailman any more, you should manually delete'
+  echo '---> - the "%%USER%%" user and "%%GROUP%%" group.'
+  echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
+
   ;;
 
 esac
diff --git a/mail/mailman/pkg-install b/mail/mailman/pkg-install
index 214bf3df6499..fc2dd3e53bc7 100644
--- a/mail/mailman/pkg-install
+++ b/mail/mailman/pkg-install
@@ -49,8 +49,22 @@ PRE-INSTALL)
 POST-INSTALL)
   echo "---> Starting post-install script:"
 
-  echo "---> Creating crontab(5) file for user \"%%USER%%\""
-  /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+  echo "---> Checking crontab(5) file for user \"%%USER%%\""
+
+  if /usr/bin/crontab -u "%%USER%%" -l >/tmp/mmctab$$ 2>&1 ; then
+      if test -s /tmp/mmctab$$; then
+          echo "---> \"%%USER%%\" already has a crontab.  Not overwriting it"
+          echo "---> Please merge any changes from the standard crontab file"
+          echo "--->     %%MAILMANDIR%%/cron/crontab.in"
+      else
+          echo "---> Installing crontab(5) file for user \"%%USER%%\""
+          /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+      fi
+  else
+      echo "---> Creating crontab(5) file for user \"%%USER%%\""
+      /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+  fi
+  rm -f /tmp/mmctab$$
 
   echo "---> Checking (and fixing) file and directory permissions"
   %%MAILMANDIR%%/bin/check_perms -f >/dev/null 2>&1