It was discovered that the original upstream patch for the server-side command execution flaw affecting setups with the map_yp_alias username map enabled did not address the issue completely, due to incorrect use of quoting (backticks vs. single quotes). Code execution was still possible in upstream version 1.4.18. The issue was fixed upstream in 1.4.19.

Updated upstream security advisory:
http://www.squirrelmail.org/security/issue/2009-05-10

Full upstream patch:
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733
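The quoting mistake the comment above describes, as an added PHP example that is not SquirrelMail's code (the function names, the username character-set rule and the sample input are assumptions): a pair of backticks inside a command string does not quote a value for the shell, because backticks mean command substitution there, whereas escapeshellarg() yields a single-quoted literal word. The example also shows the defensive check a practitioner would add in front of any such lookup, so the shell is never reached with an implausible username at all.

```php
<?php
// Added example, not SquirrelMail's code. Shows why "quoting" a value with
// backticks inside a shell command string is not quoting, and what to do instead.
// All function names below are hypothetical.

// Hypothetical unsafe construction: the username is interpolated into the
// command line and wrapped in backticks. To the shell, backticks request
// command substitution, so shell metacharacters in $username are still
// interpreted. (This is the error class the advisory attributes to the
// original patch; the exact upstream code is not reproduced here.)
function build_ypmatch_unsafe(string $username): string {
    return "ypmatch `$username` aliases";   // backticks are NOT quotes
}

// Safer construction: escapeshellarg() wraps the value in single quotes and
// escapes any embedded single quote, so the shell sees one literal word.
function build_ypmatch_safe(string $username): string {
    return 'ypmatch ' . escapeshellarg($username) . ' aliases';
}

// Defense independent of escaping: a NIS/YP alias or username only needs a
// narrow character set (assumed rule). Reject anything outside it up front.
function is_plausible_username(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

// Hypothetical hardened lookup: validate first, then build the command with
// escapeshellarg(), then parse the "key value" line ypmatch prints.
function map_yp_alias_safe(string $username): ?string {
    if (!is_plausible_username($username)) {
        return null;                       // never touch the shell
    }
    $yp = shell_exec(build_ypmatch_safe($username) . ' 2>/dev/null');
    if ($yp === null || $yp === '') {
        return null;                       // no match or ypmatch unavailable
    }
    return rtrim(substr($yp, strlen($username) + 1));
}

// Constructed sample input containing shell metacharacters. Only the command
// strings are shown; the unsafe one is never executed here.
$sample = 'alice; echo injected';
echo "unsafe: ", build_ypmatch_unsafe($sample), "\n";
echo "safe:   ", build_ypmatch_safe($sample), "\n";
echo "valid:  ", var_export(is_plausible_username($sample), true), "\n";
echo "valid:  ", var_export(is_plausible_username('alice'), true), "\n";
```

Running this prints the two command lines side by side: in the unsafe form the metacharacters sit between backticks and would be executed by the shell, while the safe form shows the whole username as a single-quoted argument. The validation function rejects the constructed input outright, which is the check to rely on when the lookup must shell out at all.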
This problem did not affect squirrelmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5. The fix for CVE-2009-1579 has not been released yet; the correct patch will be used in future updates.
squirrelmail-1.4.19-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc11
squirrelmail-1.4.19-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc10
squirrelmail-1.4.19-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc9
CVE-2009-1381: The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381
http://www.securityfocus.com/archive/1/archive/1/503718/100/0/threaded
http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
http://www.debian.org/security/2009/dsa-1802
http://secunia.com/advisories/35140
squirrelmail-1.4.19-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
squirrelmail-1.4.19-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5350
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5471
squirrelmail-1.4.19-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11