Bug 666470

Summary: MHonArc: (CVE-2010-1677) Improper escaping of certain HTML sequences (XSS) [fedora-all]
Product: [Fedora] Fedora Reporter: Kurt Seifried <kurt>
Component: mhonarcAssignee: José Matos <jamatos>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 14CC: jamatos, jlieskov, kurt, tremble, vdanen
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 664730 Environment:
Last Closed: 2011-01-05 18:33:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2010-12-31 01:00:47 UTC 
+    # Bug-32014 (CVE-2010-1677): Prevents DoS if massively nested.

--- Additional comment from kurt on 2010-12-30 19:52:59 EST ---

http://seclists.org/oss-sec/2010/q4/376

From: 	Earl Hood   	12/30/10 3:12 PM 	  	 
To: 	oss-security <oss-security.com>
CC: 	"Steven M. Christey" <coley.org>,"non customers" <non-customers>, jeff,geissert, vendor-sec, mhonarc-dev
Subject: 	[oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication
I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:

  CVE-2010-4524
  CVE-2010-1677

Snapshot release is available at the following location:

  http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the
fix.

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix:

  mhtxthtml.pl filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.

Thanks,

--ewh
-- 
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

--- Additional comment from kurt on 2010-12-30 19:55:47 EST ---

Created attachment 471232 [details]
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt
Comment 1 Vincent Danen 2011-01-05 18:33:17 UTC 

*** This bug has been marked as a duplicate of bug 667483 ***