Bug 163047 - CAN-2005-1769,2095 Multiple XSS issues in squirrelmail
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: squirrelmail
Version: fc2
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
1, 2, rh90
Keywords: Security
Reported: 2005-07-12 11:10 EDT by Frederic Hermann
Modified: 2007-04-18 13:29 EDT
Doc Type: Bug Fix
Last Closed: 2005-09-14 22:04:23 EDT
Attachments: None
Description Frederic Hermann 2005-07-12 11:10:58 EDT
+++ This bug was initially created as a clone of Bug #160242 +++

+++ This bug was initially created as a clone of Bug #160241 +++

We, the SquirrelMail project, plan on publicizing the attached patch
upcoming Wednesday, June 15th 2005. We're sending it here to give you
some advance notice to prepare for this if you want to. Sorry for the
short notice but this was mainly caused by the finding of some
additional issues.

- It contains fixes for several cross site scripting attacks, most by
URL manipulation, and some by sending a specially crafted HTML email.
- The attached patch is tentative; further testing or further revealed
issues may warrant changes between now and the release.
- The patch is made against the 1.4.4-release version of SquirrelMail.
- Please do not disclose information about this vulnerability until
Wednesday.
- Credit for many of the findings goes to Martijn Brinkers.
Comment 1 John Dalbec 2005-07-21 10:45:46 EDT
05.28.27 CVE: CAN-2005-2095
Platform: Web Application
Title: SquirrelMail Unspecified Variable Handling Vulnerability
Description: SquirrelMail is a Web mail application. It is affected by
an unspecified variable-handling vulnerability. It was reported that
an attacker can exploit this vulnerability to disclose and manipulate
users' preferences, write to arbitrary files in the context of
"www-data" and carry out cross-site scripting attacks.
Ref: http://www.securityfocus.com/bid/14254/
Comment 2 Jeff Sheltren 2005-07-26 23:59:14 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This also affects FC1 and RH9. 7.3 did not ship squirrelmail.

Anyone have any thoughts on how to patch this?  I see that before we actually
updated to a newer source.  That may be a good idea, but it could eventually
cause problems if, for example, they start using newer PHP features that we
don't have available in our versions of PHP.

I could backport the patches to 1.4.3, but it looks like that would be rather
time consuming, so I thought I should ask first.

If we end up using the provided patches (instead of updating to newer source)
I've created an updated package for FC2 using the patches provided at
squirrelmail's website since I didn't need to make any changes to them for the FC2
package.

http://www.cs.ucsb.edu/~jeff/legacy/squirrelmail-1.4.4-1.FC2.1.legacy.src.rpm
5932f9f2239d759bb3e4f5d9ed1e5b831ae0fd87  squirrelmail-1.4.4-1.FC2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC5wVyKe7MLJjUbNMRAsvoAJ41J3/On+W6Lv9aDL3FoOTLbvDcCwCgl6hN
95iDEKPuMxItq2SSfVGk8Oc=
=bIGt
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2005-07-27 02:58:06 EDT
FWIW, I'd be inclined to update to 1.4.5, as it's likely that getting QA would
be easier -- unless it's trivial to verify the correctness of patches (it often
isn't).
Comment 4 Marc Deslauriers 2005-07-27 08:07:26 EDT
We have to wait until updates come out for fc3 to make sure we don't break the
upgrade path.
Comment 5 Jeff Sheltren 2005-08-03 17:24:59 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are the RH9 and FC1 packages (based on RHEL3 patches)

http://www.cs.ucsb.edu/~jeff/legacy/squirrelmail-1.4.3-0.f0.9.4.legacy.src.rpm
b224417bf482a9bc24a113e386cd8d804f4fd54d  squirrelmail-1.4.3-0.f0.9.4.legacy.src.rpm

http://www.cs.ucsb.edu/~jeff/legacy/squirrelmail-1.4.3-0.f1.1.3.legacy.src.rpm
d45d104f0381b980858341a2b6f56084ff318a2c  squirrelmail-1.4.3-0.f1.1.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC8TXEKe7MLJjUbNMRAtQmAKDMH9FrlIu9h7/tAodWichJiCMsBQCghVoy
Xs7PbHKkeZMULhMFqXeA8is=
=OdHi
-----END PGP SIGNATURE-----
Comment 6 Jeff Sheltren 2005-08-05 11:04:09 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was a problem with the EL3 CAN-2005-1769 patch
which broke the addressbook (see bug #165094)
I have updated the packages to use the newer patch.

RH9:
http://www.cs.ucsb.edu/~jeff/legacy/squirrelmail-1.4.3-0.f0.9.5.legacy.src.rpm
2aa622750d9fdb5df32801064621421859a0cc19  squirrelmail-1.4.3-0.f0.9.5.legacy.src.rpm

FC1:
http://www.cs.ucsb.edu/~jeff/legacy/squirrelmail-1.4.3-0.f1.1.4.legacy.src.rpm
d0bfc69cb438871c63b8ad5e0d197cdb859ff848  squirrelmail-1.4.3-0.f1.1.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC83/XKe7MLJjUbNMRAnnQAJ4zxyHmBzChWImjYYm+8/72dIRM9gCgqyUB
psdFERyZHGKW1H6xO+INH3o=
=3ui0
-----END PGP SIGNATURE-----
Comment 7 Pekka Savola 2005-08-06 00:27:06 EDT
FC1 download gives a '403 forbidden'.  RHL9 looks good.  Can you point me to
the FC2 patch source for CAN-2005-2095? I couldn't find it.
Comment 8 Jeff Sheltren 2005-08-06 00:45:28 EDT
Sorry, permissions were bad on that file - should work now.

The FC2 patches are from the squirrelmail.org website.  Security patches are
listed here:
http://www.squirrelmail.org/security/
Here's a direct link to the 2095 patch:
http://easynews.dl.sourceforge.net/sourceforge/squirrelmail/sm_can-2005-2095.patch
Comment 9 Pekka Savola 2005-08-08 01:28:48 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity good
 - patches verified to come from RHEL or upstream

+PUBLISH RHL9, FC1, FC2

2aa622750d9fdb5df32801064621421859a0cc19  squirrelmail-1.4.3-0.f0.9.5.legacy.src.rpm
d0bfc69cb438871c63b8ad5e0d197cdb859ff848  squirrelmail-1.4.3-0.f1.1.4.legacy.src.rpm
5932f9f2239d759bb3e4f5d9ed1e5b831ae0fd87  squirrelmail-1.4.4-1.FC2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC9u2MGHbTkzxSL7QRAs93AKCc3j49/yBdc3K6/OABuRQJe5td4ACfbSZT
bn6rxT4FW2cpzmgLaDIy2oo=
=bmV7
-----END PGP SIGNATURE-----
Comment 11 Marc Deslauriers 2005-08-10 20:37:14 EDT
Packages were pushed to updates-testing
Comment 12 Frederic Hermann 2005-08-15 05:16:27 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for package:
83e7c1b6a1f070894be5456b3dd850b3a6f090b2  squirrelmail-1.4.4-1.FC2.2.legacy.noarch.rpm

Signature OK
Package installs OK
Apache restart OK
Squirrelmail login OK
Read mail OK
Send mail OK
Address Book OK

VERIFY +FC2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
iD8DBQFDAF17JFKBKlfOQbIRAoBqAJ42yhm2HKS1Zx046fNi7uFpHrtQngCfSg1W
aD49g10XyGcU2Vf/2OQfEXs=
=RtwJ
-----END PGP SIGNATURE-----
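The packager's comments post each src.rpm together with its SHA1, and the QA and VERIFY comments re-check those digests before the packages are published. The following is an added example, not code from this ticket or from the Fedora Legacy project: a POSIX shell routine that verifies a downloaded package against a `sha1sum`-style list such as the one in comment 9. It assumes `sha1sum` (or `shasum`) is installed; the package name and digest it uses in its demo are constructed for illustration and are not the ticket's values.

```shell
#!/bin/sh
# Added example (not part of the bug report): verify a downloaded package
# against the "<sha1>  <filename>" lines a packager posted, as the QA
# comments in this ticket do before publishing.
# Assumes GNU coreutils sha1sum; falls back to Perl's shasum if absent.

sha1_of() {
    # Print the SHA1 hex digest of the file named in $1.
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_listed_sha1 <checksum-list-file> <package-file>
# Looks up the package's basename in the posted list and compares digests.
# Exit status: 0 = digest matches, 1 = mismatch (do not install),
#              2 = package not present in the list at all.
verify_listed_sha1() {
    list="$1"
    pkg="$2"
    name=$(basename "$pkg")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha1_of "$pkg")
    [ "$expected" = "$actual" ]
}

# Self-contained demo with a constructed package and a constructed list
# (the digest below is SHA1 of the literal bytes "hello\n", not a real rpm).
demo() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/example.src.rpm"
    printf 'f572d396fae9206628714fb2ce00f72e94f2258f  example.src.rpm\n' > "$d/SHA1SUMS"
    if verify_listed_sha1 "$d/SHA1SUMS" "$d/example.src.rpm"; then
        echo "example.src.rpm: digest matches posted list"
    else
        echo "example.src.rpm: MISMATCH, refusing to use" >&2
    fi
    rm -rf "$d"
}

# Run the demo only when invoked as: sh verify_sha1.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The digest check only proves the file you fetched is the one the packager measured; the separate "Signature OK" line in the VERIFY comment corresponds to `rpm --checksig` on the built rpm, which confirms the package was signed with the expected key and is not replaced by this script.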
Comment 13 Pekka Savola 2005-08-15 05:41:21 EDT
Thanks, timeouts in 4 weeks.
Comment 14 Pekka Savola 2005-09-14 00:20:20 EDT
Timeout over.
Comment 15 Marc Deslauriers 2005-09-14 22:04:23 EDT
Packages were released.
