oss-sec mailing list archives

Limited DoS in mailman (requires non-standard config)


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 28 Apr 2015 11:04:00 -0600

So I recently ran into a flaw in mailman where I had imported a text
list of email addresses of people that wanted to sign up. It turns out
one of the addresses was in the form "user () domain tld/random"; not sure
how that snuck in, but anyway. When sending email to this list it fails
due to that address being present:

from mailman posts log:

Apr 28 16:46:23 2015 (29704) post to testing from testing-request@XXX,
size=1786, message-id=<mailman.0.1430239582.16535.testing@XXX>, 1 failures

from smtp-failure log:

smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused:
{'kurt () seifried org/foo': (501, '5.1.3 Bad recipient address syntax')},
msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@YYY>

So obviously any list configured to require confirmation will not be
affected by this, but lists using import via file or web interface could
potentially be affected (if you get a "dirty" list), or lists that
require admin approval only and not confirmation (e.g. the admin doesn't
notice it when they hit accept).

Overall I don't think this is a security vulnerability; if you have
"require confirmation" and clean any address prior to import it cannot
be triggered, but it would be nice to have this hardened, I think.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature
