Bug 190884 - CVE-2006-0188, 0195, 0377 - squirrelmail security issues
CVE-2006-0188, 0195, 0377 - squirrelmail security issues
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: squirrelmail (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
LEGACY, rh9, 1, 2, 3
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-05 18:13 EDT by Marc Deslauriers
Modified: 2007-04-18 13:42 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-06-06 19:22:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed FLSA to close this issue. (5.55 KB, text/plain)
2006-06-06 17:40 EDT, David Eisenstein
no flags Details

  None (edit)
Description Marc Deslauriers 2006-05-05 18:13:33 EDT
A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it is
possible to present the user with arbitrary HTML data. (CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It is
possible to cause a victim's web browser to request remote content by
opening a HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to process
such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user viewing
their mail with SquirrelMail. (CVE-2006-0377)

https://rhn.redhat.com/errata/RHSA-2006-0283.html
Comment 1 Marc Deslauriers 2006-05-05 19:45:34 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA.

e32ff605eabb23e878b9cda236313859387f3369 
9/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
ceb4415436efda0389163a82cbf895870569e68e 
1/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
3c983c43247825ce32e144475263c254936c0327 
2/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
80e23122ccde12ef52621d55fae97a6dcee4d6c2 
3/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

Downloads:

http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEW+YMLMAs/0C4zNoRAn/OAJwPYF30PXx96enVhX5M1ULoz2nVigCeI/ee
Vkt60wIRnkp06dxEd2Grysg=
=FfOM
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2006-05-06 02:10:13 EDT
In spec file at least for RHL9, we now ship
%{_sysconfdir}/squirrelmail/default_pref.  I.e., the location changed. 
config_local.php is also installed now.

Does this cause issues for upgrades?  Otherwise all looks good.
Comment 3 Marc Deslauriers 2006-05-06 09:33:49 EDT
default_pref and config_local.php weren't marked as config files in the old rh9
spec file. Everytime a new squirrelmail package came out, the files were
overwritten anyway. With the new package, the files get overwritten one last
time, but now they're marked as config files, so it shouldn't be a problem anymore.
Comment 4 Pekka Savola 2006-05-06 09:47:07 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - no extra patches
 - spec files correspond to RHEL, should be OK

+PUBLISH RHL9, FC1, FC2, FC3

e32ff605eabb23e878b9cda236313859387f3369  squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
ceb4415436efda0389163a82cbf895870569e68e  squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
3c983c43247825ce32e144475263c254936c0327  squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
80e23122ccde12ef52621d55fae97a6dcee4d6c2  squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEXKpoGHbTkzxSL7QRAuz1AJ0TJAQXz/3eA7KWvAAl0jSld2FbtgCfSHMn
xEaciiuT9HdyTHTP/5SKXuY=
=BZZc
-----END PGP SIGNATURE-----
Comment 5 Marc Deslauriers 2006-05-15 20:02:55 EDT
Packages were pushed to updates-testing
Comment 6 Tres Seaver 2006-05-15 20:45:37 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Downloaded package does not match the md5 checksum
(0e2dbf765d4df6592fad31ff331a3101fd33674e) published in the advisory (I'm
assuming that this is an oversight):

  $ wget
http://download.fedoralegacy.org/fedora/1/updates-testing/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
  --20:40:24-- 
http://download.fedoralegacy.org/fedora/1/updates-testing/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
             => `squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm'
  ...
  $ md5sum squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
  c7897fd426e17ec8057599adf4cbe459  squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
RPM signature check OK:

  $ rpm --checksig squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
  squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm: (sha1) dsa sha1 md5 gpg OK

Package installs cleanly:


Application continues to operate correctly after installation.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEaSIJ+gerLs4ltQ4RAhQYAKCqLL385QX6l7uUtu6XFCB/x/9ZYACfZhxH
OolZVXOeIVmiHf50G+gmgcQ=
=R+tA
-----END PGP SIGNATURE-----
Comment 7 Marc Deslauriers 2006-05-15 20:55:15 EDT
Fedora Legacy uses sha1sum checksums. Please try again using sha1sum instead of
md5sum.
Comment 8 Tres Seaver 2006-05-15 22:47:46 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Fedora Legacy uses sha1sum checksums. Please try again using sha1sum
> instead of md5sum.

D'oh!  I think I've made that mistake before.  I can't even read the
advisory, which clearly says '(sha1sums)' just above.

 $ sha1sum squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
 0e2dbf765d4df6592fad31ff331a3101fd33674e 
squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEaT7x+gerLs4ltQ4RArwtAKC7Ctmdnrxf0T2owf4p9uV0hCPbNQCg26pg
0Iggg7ad01T5y9VMHWXNJ/Y=
=gmfn
-----END PGP SIGNATURE-----
Comment 9 Pekka Savola 2006-05-16 07:59:13 EDT
Thanks -- Timeout in two weeks.
Comment 10 Pekka Savola 2006-05-31 01:02:27 EDT
Timeout over.
Comment 11 Nils Breunese 2006-06-06 08:52:59 EDT
Timeout over indeed. When will the package be pushed to updates?
Comment 12 David Eisenstein 2006-06-06 17:34:11 EDT
Very soon now, Nils.  Would you like to look over the proposed FLSA release
update notification I'm about to post?
Comment 13 David Eisenstein 2006-06-06 17:40:57 EDT
Created attachment 130642 [details]
Proposed FLSA to close this issue.
Comment 14 David Eisenstein 2006-06-06 17:46:46 EDT
Oops.  Marc, for FC3, does the squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
package also need to be put into the x86_64 directory?  If so, I missed that in
the proposed FLSA ...
Comment 15 Marc Deslauriers 2006-06-06 17:54:21 EDT
It's OK, I'll add it in when I release it.
Comment 16 Marc Deslauriers 2006-06-06 19:22:54 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.