Bug 152855 - CAN-2004-1036 squirrelmail Cross Site Scripting in encoded text
CAN-2004-1036 squirrelmail Cross Site Scripting in encoded text
Status: CLOSED DUPLICATE of bug 152900
Product: Fedora Legacy
Classification: Retired
Component: squirrelmail (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
1, rh90
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-20 05:38 EST by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-16 06:39:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:29:49 EST
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1036



------- Additional Comments From michal@harddata.com 2004-11-22 19:24:04 ----

Contrary to what is implied by "Keywords" RH73 did not supply squirrelmail
it is not affected (well, obviously if you are not running squirrelmail as
an additional application :-).

RH9 did include a squirrelmail version for which even official updates were
loooong time obsolete.  In anything later this is already "standard".



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-30 06:49:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here are updated squirrelmail packages to QA for rh9 and fc1:
  
- - includes patch for CAN-2004-1036 XSS vulnerability
- - basically the same source.
 
- - the fc1 rpm adds some requires: perl(Cwd) and perl(IO::Socket)
  but that is ok, correct?
 
changelogs:
 
rh9:
* Tue Nov 30 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.4.3-0.f0.9.2.legacy
- - apply patch for CAN-2004-1036 (FL #2290)
 
fc1:
* Tue Nov 30 2004 Rob Myers <rob.myers@gtri.gatech.edu> 1.4.3-0.f1.1.1.legacy
- - apply patch for CAN-2004-1036 (FL #2290)
 
sha1sums:
 
rh9:
a074793178877ad2ff9a8025369e4545693d8783 
squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm
e1b307f29b557f807c56ec5066cc0a6d69a5ae12  squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm
 
fc1:
70482e093169bf04bb07a337b38c76776047dc91 
squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm
accfeb15082d204460dd202334a6c91f07ec1a1f  squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm
  
files:
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBrKQdtU2XAt1OWnsRAv2iAKC4zRuuTDZX2LLK/ENfQsTD+/Jn8ACg8H6J
eGNNNbQgwtKFdp8uZWh8apQ=
=lAOx
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-19 08:56:39 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note that FL has already provided an update to squirrelmail, to 1.4.3, so it
does not need to be verified anymore.

I didn't realize this outright, and I also verified the diffs -- between RHL9
1.2.10 -> 1.4.3 is very similar to RHEL3 1.2.1 -> 1.4.3, so the RHL9 upgrade
has high chance for success.  The only major changes seem to be security fixes
for 1.2.10 which were integrated in 1.2.11, so this is OK.

As for the RHL9/FC1 SRPMs QA:
 - sources and other original unmodified, OK
 - the spec file changes to the last RHL9 FL update, and FC1 update are minimal
 - patch integrity verified.
 - building or installation not tested.

+PUBLISH RHL9,FC1


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxc7HGHbTkzxSL7QRAvXmAJ4yz47NCldT2PJlyA03M+2quKNrZACePbWq
i5lD8Awl57k2dtfKByhbi9A=
=80Sz
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-04 16:26:02 ----

Packages were built and pushed to updates-testing.



------- Additional Comments From pekkas@netcore.fi 2005-02-15 22:50:15 ----

Sigh. https://rhn.redhat.com/errata/RHSA-2005-135.html introduces three new
ones, CAN-2005-0075, CAN-2005-0103, CAN-2005-0104.

I'd say this should go back to the drawing board, no use shipping updates just
for the earlier vulnerability :(



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-16 08:15:02 ----

There is a seperate bug for the new issues: Bug 2424





------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-23 18:00:09 ----

This bug has been obsoleted by bug 2424



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2290 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2290
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2424.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-16 06:39:51 EDT

*** This bug has been marked as a duplicate of 152900 ***

Note You need to log in before you can comment on or make changes to this bug.