Bug 666468

Summary: Bug 664730 - MHonArc: Improper escaping of certain HTML sequences (XSS) [fedora-all]
Product: Red Hat Enterprise Linux 5 Reporter: Kurt Seifried <kurt>
Component: m17n-dbAssignee: Parag Nemade <pnemade>
Status: CLOSED NOTABUG QA Contact: QE Internationalization Bugs <qe-i18n-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 5.8CC: eng-i18n-bugs, jamatos, jlieskov, kurt, tremble
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 664730 Environment:
Last Closed: 2011-02-01 07:17:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2010-12-31 00:59:06 UTC 
+++ This bug was initially created as a clone of Bug #664730 +++


This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=664718

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

--- Additional comment from kurt on 2010-12-30 19:52:59 EST ---

http://seclists.org/oss-sec/2010/q4/376

From: 	Earl Hood   	12/30/10 3:12 PM 	  	 
To: 	oss-security <oss-security.com>
CC: 	"Steven M. Christey" <coley.org>,"non customers" <non-customers>, jeff,geissert, vendor-sec, mhonarc-dev
Subject: 	[oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication
I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:

  CVE-2010-4524
  CVE-2010-1677

Snapshot release is available at the following location:

  http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the
fix.

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix:

  mhtxthtml.pl filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.

Thanks,

--ewh
-- 
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

--- Additional comment from kurt on 2010-12-30 19:55:47 EST ---

Created attachment 471232 [details]
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt
Comment 1 Parag Nemade 2011-02-01 07:14:04 UTC 
How can above bug be related to m17n-db?
Comment 2 Parag Nemade 2011-02-01 07:17:55 UTC 
looks MHonArc is not in RHEL5