From: Lars Wirzenius
Date: Fri, 8 Dec 2006 18:30:48 +0000 (+0200)
Subject: Applied patch for CVE-2006-5875.
X-Git-Url: https://git.sommitrealweird.co.uk//gitweb/?p=eoc.git;a=commitdiff_plain;h=0ba02928fc2ebf4a2cbfa0ce7441730630acb3a8

Applied patch for CVE-2006-5875.
---
diff --git a/eoc.py b/eoc.py
index ecb8daf..f855b36 100644
--- a/eoc.py
+++ b/eoc.py
@@ -4,7 +4,7 @@ This is a simple mailing list manager that mimicks the ezmlm-idx mail address commands. See manual page for more information.
 """
-VERSION = "1.2.3"
+VERSION = "1.2.4"
 PLUGIN_INTERFACE_VERSION = "1"
 import getopt
@@ -80,6 +80,34 @@ COMMANDS = SIMPLE_COMMANDS + SUB_COMMANDS + HASH_COMMANDS
 def md5sum_as_hex(s):
 return md5.new(s).hexdigest()
+
+def forkexec(argv, text):
+ """Run a command (given as argv array) and write text to its stdin"""
+ (r, w) = os.pipe()
+ pid = os.fork()
+ if pid == -1:
+ raise Exception("fork failed")
+ elif pid == 0:
+ os.dup2(r, 0)
+ os.close(r)
+ os.close(w)
+ fd = os.open("/dev/null", os.O_RDWR)
+ os.dup2(fd, 1)
+ os.dup2(fd, 2)
+ os.execvp(argv[0], argv)
+ sys.exit(1)
+ else:
+ os.close(r)
+ os.write(w, text)
+ os.close(w)
+ (pid2, exit) = os.waitpid(pid, 0)
+ if pid != pid2:
+ raise Exception("os.waitpid for %d returned for %d" % (pid, pid2))
+ if exit != 0:
+ raise Exception("subprocess failed, exit=0x%x" % exit)
+ return exit
+
+
 environ = None
 def set_environ(new_environ):
@@ -411,14 +439,8 @@ class MailingListManager:
 error("Error sending QMQP mail, mail probably not sent")
 sys.exit(1)
 else:
- recipients = string.join(recipients, " ")
- f = os.popen("%s -oi -f '%s' %s" %
- (self.sendmail,
- envelope_sender,
- recipients),
- "w")
- f.write(text)
- status = f.close()
+ status = forkexec([self.sendmail, "-oi", "-f",
+ envelope_sender] + recipienients, text)
 if status:
 error("%s returned %s, mail sending probably failed" % (self.sendmail, status))
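Review bot: In forkexec's child branch, a failing `os.execvp` raises OSError instead of reaching `sys.exit(1)`, so the exception unwinds into the caller's handlers inside the forked copy of the list manager; `sys.exit` itself only raises SystemExit, which can be caught the same way. Wrapping the child's statements in `try:` … `finally: os._exit(1)` guarantees the child never returns into parent code. The `pid == -1` test is dead, since `os.fork()` raises OSError on failure rather than returning -1, and the local name `exit` shadows the builtin. The docstring should also say that a non-zero wait status raises an exception rather than being returned, because the caller in the last hunk depends on that.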
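Review bot: The added call passes `recipienients`, a name that appears nowhere else in this hunk (the removed code used `recipients`), so the sendmail path would raise NameError instead of sending; it should read `envelope_sender] + recipients, text)`. forkexec as added in this commit raises on any non-zero status, so the `if status:` report below is never reached on failure unless the call is wrapped in `try`/`except` or forkexec returns the status instead. Dropping the shell removes the quoting problem, but a recipient beginning with `-` would still be parsed by sendmail as an option; if the configured sendmail accepts it, `envelope_sender, "--"] + recipients` ends option parsing before the addresses. The enclosing method starts and ends outside the hunk.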