Bug 152855

Summary: CAN-2004-1036 squirrelmail Cross Site Scripting in encoded text
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: squirrelmail
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: deisenst, pekkas, rob.myers
Keywords: Security
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1036
Whiteboard: 1, rh90
Doc Type: Bug Fix
Last Closed: 2005-05-16 10:39:51 UTC

Description David Lawrence 2005-03-30 23:29:49 UTC
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1036
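The ordering mistake the description names (decode the encoded-word header correctly, then forget to sanitize the decoded result), as an added example that is not SquirrelMail's code: it uses Python's `email.header.decode_header` in place of SquirrelMail's PHP decoder, and SAMPLE_SUBJECT is a constructed header whose decoded text contains markup.

```python
import html
from email.header import decode_header

# Constructed sample: an RFC 2047 encoded-word whose *decoded* text contains
# HTML markup. The raw header carries no '<' or '>' at all, so a sanitizer
# that runs before decoding sees nothing to escape.
SAMPLE_SUBJECT = "=?iso-8859-1?q?Hello_=3Cb=3Eworld=3C/b=3E?="


def decode_rfc2047(value: str) -> str:
    """Decode every encoded-word in a header value to a plain str."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                parts.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # unknown charset label in the header
                parts.append(chunk.decode("latin-1"))
        else:
            parts.append(chunk)
    return "".join(parts)


def render_buggy(value: str) -> str:
    """Mirrors the flaw: escape the raw header, then decode it.
    The markup produced by decoding reaches the page untouched."""
    return decode_rfc2047(html.escape(value, quote=True))


def render_fixed(value: str) -> str:
    """Decode first, then escape the decoded text for an HTML text context."""
    return html.escape(decode_rfc2047(value), quote=True)


if __name__ == "__main__":
    print("buggy:", render_buggy(SAMPLE_SUBJECT))
    print("fixed:", render_fixed(SAMPLE_SUBJECT))
```

The same rule applies to any header field that is decoded before display (From, To, Subject): sanitize the output of the decoder, not its input.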



------- Additional Comments From michal 2004-11-22 19:24:04 ----

Contrary to what is implied by "Keywords", RH73 did not supply squirrelmail, so
it is not affected (well, obviously, if you are not running squirrelmail as
an additional application :-).

RH9 did include a squirrelmail version for which even official updates had been
obsolete for a loooong time.  In anything later this is already "standard".



------- Additional Comments From rob.myers.edu 2004-11-30 06:49:50 ----

 
Here are updated squirrelmail packages to QA for rh9 and fc1:
  
- includes patch for CAN-2004-1036 XSS vulnerability
- basically the same source.

- the fc1 rpm adds some requires: perl(Cwd) and perl(IO::Socket)
  but that is ok, correct?
 
changelogs:
 
rh9:
* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f0.9.2.legacy
- apply patch for CAN-2004-1036 (FL #2290)
 
fc1:
* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f1.1.1.legacy
- apply patch for CAN-2004-1036 (FL #2290)
 
sha1sums:
 
rh9:
a074793178877ad2ff9a8025369e4545693d8783  squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm
e1b307f29b557f807c56ec5066cc0a6d69a5ae12  squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm

fc1:
70482e093169bf04bb07a337b38c76776047dc91  squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm
accfeb15082d204460dd202334a6c91f07ec1a1f  squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm
  
files:
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm
 




------- Additional Comments From pekkas 2004-12-19 08:56:39 ----


Note that FL has already provided an update to squirrelmail, to 1.4.3, so it
does not need to be verified anymore.

I didn't realize this outright, and I also verified the diffs -- the diff between RHL9
1.2.10 -> 1.4.3 is very similar to RHEL3 1.2.1 -> 1.4.3, so the RHL9 upgrade
has a high chance of success.  The only major changes seem to be security fixes
for 1.2.10 which were integrated in 1.2.11, so this is OK.

As for the RHL9/FC1 SRPMs QA:
 - sources and other original unmodified, OK
 - the spec file changes to the last RHL9 FL update, and FC1 update are minimal
 - patch integrity verified.
 - building or installation not tested.

+PUBLISH RHL9,FC1






------- Additional Comments From marcdeslauriers 2005-02-04 16:26:02 ----

Packages were built and pushed to updates-testing.



------- Additional Comments From pekkas 2005-02-15 22:50:15 ----

Sigh. https://rhn.redhat.com/errata/RHSA-2005-135.html introduces three new
ones, CAN-2005-0075, CAN-2005-0103, CAN-2005-0104.

I'd say this should go back to the drawing board, no use shipping updates just
for the earlier vulnerability :(



------- Additional Comments From marcdeslauriers 2005-02-16 08:15:02 ----

There is a separate bug for the new issues: Bug 2424





------- Additional Comments From marcdeslauriers 2005-02-23 18:00:09 ----

This bug has been obsoleted by bug 2424



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2290 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2290
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2424.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Pekka Savola 2005-05-16 10:39:51 UTC

*** This bug has been marked as a duplicate of 152900 ***