author | Gunnar Wolf <gwolf@debian.org> | 2018-09-05 10:41:39 -0500 |
---|---|---|
committer | Unit 193 <unit193@ubuntu.com> | 2019-12-05 16:35:29 -0500 |
commit | 42ddd69717fad55c3c06e5fe8693e4b4237f8dcd (patch) | |
tree | 21d17c723a8bcdd7195cb09a15e98e62ea95316b | |
parent | 45e2b67628b0c4607aec408da8800a3ee6f5c081 (diff) | |
download | listadmin-debian/2.42-1.1.tar.bz2 listadmin-debian/2.42-1.1.tar.xz listadmin-debian/2.42-1.1.tar.zst |
Import Debian changes 2.42-1.1debian/2.42-1.1
listadmin (2.42-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Allow listadmin to follow HTTPS redirects for Mailman (Closes: #873287)
* Fix insecure use of /tmp (Closes: #740891)
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/follow_https_redirects | 41 | ||||
-rw-r--r-- | debian/patches/insecure_use_of_tmp | 36 | ||||
-rw-r--r-- | debian/patches/series | 2 |
4 files changed, 87 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 61b5145..d7ad9f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+listadmin (2.42-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Allow listadmin to follow HTTPS redirects for Mailman (Closes: #873287)
+ * Fix insecure use of /tmp (Closes: #740891)
+
+ -- Gunnar Wolf <gwolf@debian.org> Wed, 05 Sep 2018 10:41:39 -0500
+
 listadmin (2.42-1) unstable; urgency=medium
 
 * new upstream release from 2016-12-23 with new upstream maintainer
diff --git a/debian/patches/follow_https_redirects b/debian/patches/follow_https_redirects
new file mode 100644
index 0000000..e9ba02b
--- /dev/null
+++ b/debian/patches/follow_https_redirects
@@ -0,0 +1,41 @@
+Description: Make listadmin properly follow redirects to HTTPS-using mailmans
+Author: Gunnar Wolf <gwolf@debian.org>
+Bug: https://bugs.debian.org/873287
+Forwarded: No
+Last-Update: 2018-09-05
+
+Index: listadmin-2.42/listadmin.pl
+===================================================================
+--- listadmin-2.42.orig/listadmin.pl
++++ listadmin-2.42/listadmin.pl
+@@ -659,9 +659,30 @@ sub mailman_url {
+ $url .= "/$action";
+ }
+ $url .= "?$params" if $params;
++
++ $url = resolve_redirects($url);
+ return $url;
+ }
+
++sub resolve_redirects {
++ # Test whether the URL is a redirect and, if so, replace it with
++ # the destination one.
++ my ($url, $resp, $req);
++ $url = shift;
++ $resp = $ua->get($url);
++ # If the URL could not get to the requested URL, there's no point
++ # in trying any further
++ if (! $resp->is_success) {
++ print STDERR "Error: Fetching $url\n";
++ print STDERR $resp->status_line, "\n";
++ return undef;
++ }
++
++ # $req will have the final URI, even if redirects were followed.
++ $req = $resp->request->uri;
++ return $req;
++}
++
+ # Returns a ref to a hash with all the information about pending messages
+ sub get_list {
+ my ($list, $config, $pw) = @_;
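Review bot: `resolve_redirects` adopts whatever URI the redirect chain ends at, so a hop to plain `http://` or to a different host silently becomes the list's admin URL. `get_list` (its body lies outside the hunk) takes `$pw`, so the list password is presumably sent to that final URL afterwards; confirm against the caller. I would refuse a downgrade from HTTPS and at least warn on a host change before returning, as sketched below. Separately, `mailman_url` now returns undef when the probe fetch fails, and its callers are not visible here, so they should be checked for that case.

```perl
sub resolve_redirects {
    # … unchanged: $ua->get($url) and the is_success check …
    my $orig  = URI->new($url);
    my $final = $resp->request->uri;
    if ($orig->scheme eq 'https' and $final->scheme ne 'https') {
	print STDERR "Error: $url redirects to non-HTTPS $final\n";
	return undef;
    }
    if (lc($final->host) ne lc($orig->host)) {
	print STDERR "Warning: $url redirects to another host: $final\n";
    }
    return $final;
}
```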
diff --git a/debian/patches/insecure_use_of_tmp b/debian/patches/insecure_use_of_tmp
new file mode 100644
index 0000000..4523a47
--- /dev/null
+++ b/debian/patches/insecure_use_of_tmp
@@ -0,0 +1,36 @@
+Description: Securely open temporary files using File::Temp (mkstemps)
+Author: Gunnar Wolf <gwolf@debian.org>
+Bug: https://bugs.debian.org/740891
+Forwarded: No
+Last-update: 2018-09-05
+
+Index: listadmin-2.42/listadmin.pl
+===================================================================
+--- listadmin-2.42.orig/listadmin.pl
++++ listadmin-2.42/listadmin.pl
+@@ -29,6 +29,7 @@ use strict;
+ use English;
+ use IO::Socket::SSL;
+ use Net::INET6Glue::INET_is_INET6;
++use File::Temp qw(:mktemp);
+
+ my $rc = $ENV{"HOME"}."/.listadmin.ini";
+
+@@ -727,12 +728,12 @@ sub get_list {
+
+ if ($page !~ get_trans_re("pending_req")) {
+ my $msg = "unexpected contents";
+- # Use rand() to protect a little against tmpfile races
+- $dumpfile ||= "/tmp/dump-" . rand() . "-$list.html";
+- if (open(DUMP, ">$dumpfile")) {
++ if (! defined($dumpfile) or $dumpfile eq '') {
++ my $dumpfh;
++ ($dumpfh, $dumpfile) = mkstemps('/tmp/dump-XXXXXXXX', "-$list.html");
+ chmod(0600, $dumpfile);
+- print DUMP $page;
+- close(DUMP);
++ print $dumpfh $page;
++ close($dumpfh);
+ $msg .= ", please send $dumpfile to $maintainer";
+ }
+ return {servererror => $msg, url => $url};
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..15ccd08 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+follow_https_redirects
+insecure_use_of_tmp |
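Review bot: In the `insecure_use_of_tmp` patch, a `$dumpfile` that is already set is no longer written at all, because the new `if (! defined($dumpfile) or $dumpfile eq '')` wraps the `print`, the `close` and the "please send" message as well as the `mkstemps` call. The removed code defaulted the name with `||=` and then wrote the page either way. The declaration of `$dumpfile` is outside the hunk; if it is file-scoped it also stays set after the first dump, so later lists would be skipped. I would separate choosing the handle from writing to it, as below; `mkstemps` already creates the file with mode 0600, so the `chmod` is redundant.

```perl
	my $dumpfh;
	if (defined($dumpfile) and $dumpfile ne '') {
	    # caller-chosen path: three-argument open, skip the dump on failure
	    open($dumpfh, '>', $dumpfile) or undef $dumpfh;
	} else {
	    ($dumpfh, $dumpfile) = mkstemps('/tmp/dump-XXXXXXXX', "-$list.html");
	}
	if ($dumpfh) {
	    # … unchanged: print $dumpfh $page; close($dumpfh); $msg .= …
	}
```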