Bug 152900

Summary: CAN-2005-0075,0103,0104 squirrelmail security issues
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: squirrelmail
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: deisenst, pekkas, sheltren
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: https://rhn.redhat.com/errata/RHSA-2005-135.html
Whiteboard: 1, LEGACY, rh90
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-07-16 16:20:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Lawrence 2005-03-30 23:31:27 UTC
Jimmy Conner discovered a missing variable initialization in Squirrelmail.
This flaw could allow potential insecure file inclusions on servers where
the PHP setting "register_globals" is set to "On". This is not a default or
recommended setting. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0075 to this issue.

A URL sanitisation bug was found in Squirrelmail. This flaw could allow a
cross site scripting attack when loading the URL for the sidebar. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0103 to this issue.

A missing variable initialization bug was found in Squirrelmail. This flaw
could allow a cross site scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to
this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2005-135.html
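An added illustration of the bug class the first paragraph describes (a global used in an include path but initialised only on some code paths, under register_globals = On) beside its corrected form. This is not SquirrelMail's code; $theme_dir, $use_custom_theme, theme.php and the themes/ layout are hypothetical names.

```php
<?php
// Added illustration (not SquirrelMail's code) of the bug class behind
// CAN-2005-0075: an include path built from a global that the script sets
// only on some code paths. With register_globals = On, PHP copies request
// parameters (GET/POST/cookie) into the global scope before the script runs,
// so a global the script never initialised takes whatever the request sent.
// register_globals only touches the global scope, which is why the pattern
// bites in top-level script code. $theme_dir, $use_custom_theme, theme.php
// and the themes/ layout are all hypothetical names.

// Deployment check: the advisory notes that register_globals = On is neither
// the default nor recommended, so fail closed if it is enabled at all.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    trigger_error('register_globals is On; disable it in php.ini', E_USER_ERROR);
}

// --- Vulnerable shape -----------------------------------------------------
// $theme_dir is assigned only when a custom theme was selected. On every other
// request the script never assigns it, and under register_globals = On a
// request carrying ?theme_dir=... supplies the value instead.
if (!empty($use_custom_theme)) {
    $theme_dir = 'themes/custom/';
}
// include($theme_dir . 'theme.php');   // unsafe: $theme_dir may come from the request

// --- Fixed shape ----------------------------------------------------------
// Initialise the global before its first use and constrain it to a known set,
// so the request cannot influence the path regardless of the ini setting.
$theme_dir = 'themes/default/';
if (!empty($use_custom_theme)) {
    $theme_dir = 'themes/custom/';
}
$allowed_theme_dirs = array('themes/default/', 'themes/custom/');
if (!in_array($theme_dir, $allowed_theme_dirs, true)) {
    trigger_error('unexpected theme directory', E_USER_ERROR);
}
if (is_file($theme_dir . 'theme.php')) {
    include($theme_dir . 'theme.php');
}
```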



------- Additional Comments From marcdeslauriers 2005-02-10 14:03:56 ----

Must use packages from bug 2290 as base.



------- Additional Comments From marcdeslauriers 2005-02-16 09:48:53 ----


Here are updated squirrelmail packages to QA:

rh9 Changelog:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers> 1.4.3-0.f0.9.3.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104

* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f0.9.2.legacy
- apply patch for CAN-2004-1036 (FL #2290)

* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers> 1.4.3-0.f0.9.1.legacy
- Rebuilt as Fedora Legacy update for rh9 (XSS vulnerabilities)

fc1 Changelog:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers> 1.4.3-0.f1.1.2.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104

* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f1.1.1.legacy
- apply patch for CAN-2004-1036 (FL #2290)

rh9:
e9d10f6f9abdeb0b0576459713fb758d57e689b7  squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
5703fd73add602a5377d7c6a9ebd605f8c6e069b  squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm

fc1:
b3e24d956472ba197422139282fac850516528bb  squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm
18dae7f01ec7bc3e76e76509868a9f0ed27b4f6f  squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm





------- Additional Comments From pekkas 2005-02-17 10:30:59 ----

Given that squirrelmail versions have seen major upgrades already in the past,
maybe the simplest thing to do here would be just upgrading to 1.4.4 and
removing all the security patches?

RHEL3 update uses 1.4.3a as a base, these are based on 1.4.3.  (At least if we
don't upgrade to 1.4.4, I think we should upgrade to 1.4.3a as RHEL did.)

Thoughts?



------- Additional Comments From marcdeslauriers 2005-02-17 12:04:00 ----

We're already at 1.4.3a...the included squirrelmail-1.4.3a.patch patch changes
the couple of lines that are different. We could change the tarball to have a
real 1.4.3a, but I don't see why we'd bother.

If we upgrade to 1.4.4, we'll break the upgrade path to FC2 and FC3, as they are
still at 1.4.3a.




------- Additional Comments From pekkas 2005-02-18 07:26:31 ----


OK, I agree with your reasoning about upgrade.  The main reason for
upgrading to 1.4.3a would have been to make it easier to QA.  As 1.4.3a or
1.4.3a are no longer even available for download, I had to do some tricks
to verify it.

QA w/ rpm-build-compare.sh:
 - source integrity OK (verified by comparing 1.4.3+patch against 1.4.3a
from RHEL3)
 - spec file changes minimal
 - patches verified to be OK

+PUBLISH RHL9,FC1

5703fd73add602a5377d7c6a9ebd605f8c6e069b  squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm
18dae7f01ec7bc3e76e76509868a9f0ed27b4f6f  squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm




------- Additional Comments From deisenst 2005-02-22 21:07:55 ----


QA for Marc's FC1 version of squirrelmail, in comment 2.

18dae7f01ec7bc3e76e76509868a9f0ed27b4f6f  squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm

  * sha1 checksum matches
  * rpm --checksig  OK
  * Sources and other packaged files match previous release,
    squirrelmail-1.4.3-0.f1.1 from FC1 updates:
           859 May 12  2003 squirrelmail-1.4.0-docs.patch
           444 Jun  7  2004 squirrelmail-1.4.3-config.patch
       2254146 Jun  7  2004 squirrelmail-1.4.3.tar.bz2
          3533 Jun  7  2004 squirrelmail-1.4.3a.patch
          6554 Feb 10  2003 squirrelmail-splash.png
            96 Sep 20  2002 squirrelmail.conf
   * Patches for CAN-2004-1036, CAN-2005-0075, CAN-2005-0103, &
     CAN-2005-0104 all verified.
   * Spec file changes minimal, looks good.
   * Built and installed fine.
   * It works with my IMAP server.  Works very well (when configured
     correctly).
   * Could not find exploit code to test that the CVE's are no longer
     exploitable.

  FC1 PUBLISH+





------- Additional Comments From deisenst 2005-02-22 21:20:05 ----

Oh - just a thought.

 <http://members.gtw.net/~deisenst/legacy/FC1/squirrelmail-splash.png> is the
 little splash screen that shows up on user login to squirrelmail on FC1.

 Might we wish to substitute
   <http://members.gtw.net/~deisenst/legacy/FC1/squirrelmail-splash.png>
 instead for the FC1 package?

 (The later graphic I found in RHEL's .src.rpm, interestingly enough.  :-) )




------- Additional Comments From deisenst 2005-02-22 21:22:15 ----

Oops, the substitution image for FC1 would be
  <http://members.gtw.net/~deisenst/legacy/FC1/squirrelmail-splash-fedora.png>.
Sorry.



------- Additional Comments From marcdeslauriers 2005-02-23 17:59:35 ----

Packages were pushed to updates-testing



------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2424 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2424
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 2290.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Pekka Savola 2005-05-16 10:39:58 UTC
*** Bug 152855 has been marked as a duplicate of this bug. ***

Comment 2 Jeff Sheltren 2005-07-16 01:06:37 UTC

QA for RH9 and FC1:
3196c12423fef52a83ad5e4636f7b74793c8e63e  squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
fee964ec13662fc69361810ed6a4a4d3f2c16196  squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm

Signature OK
Packages install cleanly
Able to login and use IMAP & SMTP, so it seems to work fine

It'd be nice to get these pushed out so we can get working on
packages for CAN-2005-1769 and CAN-2005-1769 :)

RH9 VERIFY++
FC1 VERIFY++

Comment 3 Marc Deslauriers 2005-07-16 16:20:55 UTC
Packages were released to updates.