Bug 783636 (CVE-2012-0791, CVE-2012-0909) - CVE-2012-0791 CVE-2012-0909 imp: Multiple XSS flaws fixed in v5.0.18
Summary: CVE-2012-0791 CVE-2012-0909 imp: Multiple XSS flaws fixed in v5.0.18
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2012-0791, CVE-2012-0909
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 783637 783638 783639
Blocks:
Reported: 2012-01-21 10:41 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:50 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-01-30 21:40:08 UTC
Embargoed:



Description Jan Lieskovsky 2012-01-21 10:41:00 UTC
Multiple XSS flaws were addressed in the v5.0.18 version of Horde IMP (from [1]):

"[mms] SECURITY: Fix XSS vulnerabilities on the compose page (traditional
view), the contacts popup window, and with certain IMAP mailbox names."

References:
[1] http://www.horde.org/apps/imp/docs/CHANGES
[2] http://www.horde.org/apps/imp/docs/RELEASE_NOTES
[3] http://secunia.com/advisories/47580
[4] https://bugs.gentoo.org/show_bug.cgi?id=399563

Upstream patches:
[5] https://github.com/horde/horde/commit/41136ea893b3d5a84c6228a552f8e211c90f58de
    (multiple XSS flaws)
[6] https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25
    (XSS in email validation)

Comment 1 Jan Lieskovsky 2012-01-21 10:45:02 UTC
CVE Request:
[7] http://www.openwall.com/lists/oss-security/2012/01/21/3

Comment 2 Jan Lieskovsky 2012-01-21 10:48:31 UTC
From a look at the patches:
i)  the multiple XSS flaws patch [5] seems to be applicable to the versions of imp we ship in Fedora and EPEL (imp-4.3.9-2.*), though it would need to be backported to the Horde IMP v4 version,

ii) the "XSS in email validation" patch [6] doesn't seem to be applicable to the versions of imp we ship in Fedora and EPEL (imp-4.3.9-2.*).

Comment 3 Jan Lieskovsky 2012-01-21 10:49:45 UTC
Created imp tracking bugs for this issue

Affects: fedora-all [bug 783637]
Affects: epel-6 [bug 783638]
Affects: epel-5 [bug 783639]

Comment 4 Jan Lieskovsky 2012-01-22 11:45:00 UTC
The CVE identifier of CVE-2012-0791 has been assigned to the:

"XSS in compose page, (traditional view), the contacts popup window, and with certain IMAP mailbox names.  Fixed in Horde IMP v5.0.18, and apparently Webmail 4.0.6"

issues and CVE identifier of CVE-2012-0909 has been assigned to the:

"XSS in email validation, related to the Form library, only affecting Webmail 4.0.6."

issue:
[8] http://www.openwall.com/lists/oss-security/2012/01/22/2

Comment 5 Nick Bebout 2012-01-30 21:40:08 UTC
-> CLOSED NEXTRELEASE

We are upgrading the whole horde and imp stack to the new pear-based version.

