authorLibravatarGunnar Wolf <gwolf@debian.org>2018-09-05 10:41:39 -0500
committerLibravatarUnit 193 <unit193@ubuntu.com>2019-12-05 16:35:29 -0500
commit42ddd69717fad55c3c06e5fe8693e4b4237f8dcd (patch)
tree21d17c723a8bcdd7195cb09a15e98e62ea95316b
parent45e2b67628b0c4607aec408da8800a3ee6f5c081 (diff)
downloadlistadmin-debian/2.42-1.1.tar.bz2
listadmin-debian/2.42-1.1.tar.xz
listadmin-debian/2.42-1.1.tar.zst
Import Debian changes 2.42-1.1debian/2.42-1.1
listadmin (2.42-1.1) unstable; urgency=medium * Non-maintainer upload. * Allow listadmin to follow HTTPS redirects for Mailman (Closes: #873287) * Fix insecure use of /tmp (Closes: #740891)
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/follow_https_redirects41
-rw-r--r--debian/patches/insecure_use_of_tmp36
-rw-r--r--debian/patches/series2
4 files changed, 87 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 61b5145..d7ad9f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+listadmin (2.42-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Allow listadmin to follow HTTPS redirects for Mailman (Closes: #873287)
+ * Fix insecure use of /tmp (Closes: #740891)
+
+ -- Gunnar Wolf <gwolf@debian.org> Wed, 05 Sep 2018 10:41:39 -0500
+
listadmin (2.42-1) unstable; urgency=medium
* new upstream release from 2016-12-23 with new upstream maintainer
diff --git a/debian/patches/follow_https_redirects b/debian/patches/follow_https_redirects
new file mode 100644
index 0000000..e9ba02b
--- /dev/null
+++ b/debian/patches/follow_https_redirects
@@ -0,0 +1,41 @@
+Description: Make listadmin properly follow redirects to HTTPS-using mailmans
+Author: Gunnar Wolf <gwolf@debian.org>
+Bug: https://bugs.debian.org/873287
+Forwarded: No
+Last-Update: 2018-09-05
+
+Index: listadmin-2.42/listadmin.pl
+===================================================================
+--- listadmin-2.42.orig/listadmin.pl
++++ listadmin-2.42/listadmin.pl
+@@ -659,9 +659,30 @@ sub mailman_url {
+ $url .= "/$action";
+ }
+ $url .= "?$params" if $params;
++
++ $url = resolve_redirects($url);
+ return $url;
+ }
+
++sub resolve_redirects {
++ # Test whether the URL is a redirect and, if so, replace it with
++ # the destination one.
++ my ($url, $resp, $req);
++ $url = shift;
++ $resp = $ua->get($url);
++ # If the URL could not get to the requested URL, there's no point
++ # in trying any further
++ if (! $resp->is_success) {
++ print STDERR "Error: Fetching $url\n";
++ print STDERR $resp->status_line, "\n";
++ return undef;
++ }
++
++ # $req will have the final URI, even if redirects were followed.
++ $req = $resp->request->uri;
++ return $req;
++}
++
+ # Returns a ref to a hash with all the information about pending messages
+ sub get_list {
+ my ($list, $config, $pw) = @_;
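Review bot: resolve_redirects returns whatever URI the redirect chain ends on (`$resp->request->uri`) without comparing it to the URL that was requested, so a redirect to a different host, or from https back to http, is accepted and mailman_url passes it on to its callers. Those callers presumably send the list admin password to that URL, so I would refuse a downgrade before returning, e.g. `return if $url =~ m{\Ahttps:}i && $req->scheme ne 'https';`, and consider rejecting a changed host as well. The failure path `return undef;` makes mailman_url return undef too, and no caller-side check is visible here; mailman_url starts and get_list continues outside this hunk. The probe is also a GET of the full URL including `?$params`, which deserves a comment if any of those parameters can trigger an action on the server.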
diff --git a/debian/patches/insecure_use_of_tmp b/debian/patches/insecure_use_of_tmp
new file mode 100644
index 0000000..4523a47
--- /dev/null
+++ b/debian/patches/insecure_use_of_tmp
@@ -0,0 +1,36 @@
+Description: Securely open temporary files using File::Temp (mkstemps)
+Author: Gunnar Wolf <gwolf@debian.org>
+Bug: https://bugs.debian.org/740891
+Forwarded: No
+Last-update: 2018-09-05
+
+Index: listadmin-2.42/listadmin.pl
+===================================================================
+--- listadmin-2.42.orig/listadmin.pl
++++ listadmin-2.42/listadmin.pl
+@@ -29,6 +29,7 @@ use strict;
+ use English;
+ use IO::Socket::SSL;
+ use Net::INET6Glue::INET_is_INET6;
++use File::Temp qw(:mktemp);
+
+ my $rc = $ENV{"HOME"}."/.listadmin.ini";
+
+@@ -727,12 +728,12 @@ sub get_list {
+
+ if ($page !~ get_trans_re("pending_req")) {
+ my $msg = "unexpected contents";
+- # Use rand() to protect a little against tmpfile races
+- $dumpfile ||= "/tmp/dump-" . rand() . "-$list.html";
+- if (open(DUMP, ">$dumpfile")) {
++ if (! defined($dumpfile) or $dumpfile eq '') {
++ my $dumpfh;
++ ($dumpfh, $dumpfile) = mkstemps('/tmp/dump-XXXXXXXX', "-$list.html");
+ chmod(0600, $dumpfile);
+- print DUMP $page;
+- close(DUMP);
++ print $dumpfh $page;
++ close($dumpfh);
+ $msg .= ", please send $dumpfile to $maintainer";
+ }
+ return {servererror => $msg, url => $url};
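Review bot: The new condition `if (! defined($dumpfile) or $dumpfile eq '')` writes the dump only when no dump file was preset, whereas the removed code also wrote to a preset `$dumpfile`; with a preset value the page is now silently dropped and the message never names a file. mkstemps also overwrites `$dumpfile`, so if that variable outlives this call (its declaration is outside the hunk) only the first failing list would get a dump. I would keep both branches, opening a preset path with three-argument open and holding the generated name in a local, as sketched below. The `chmod(0600, $dumpfile)` can go, since mkstemps already creates the file with mode 0600.

```perl
my $msg = "unexpected contents";
my ($dumpfh, $dumppath);
if (defined($dumpfile) && $dumpfile ne '') {
    # Preset path: three-argument open, so the name is never parsed for a mode.
    $dumppath = $dumpfile;
    open($dumpfh, '>', $dumppath) or undef $dumpfh;
}
else {
    # Generated path: created exclusively by mkstemps; croaks on failure.
    ($dumpfh, $dumppath) = mkstemps('/tmp/dump-XXXXXXXX', "-$list.html");
}
if ($dumpfh) {
    print $dumpfh $page;
    close($dumpfh);
    $msg .= ", please send $dumppath to $maintainer";
}
# … unchanged: return {servererror => $msg, url => $url}; …
```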
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..15ccd08 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+follow_https_redirects
+insecure_use_of_tmp