Bug 400971 (CVE-2012-0811) - <www-apps/postfixadmin-2.3.5 : Multiple vulnerabilities (CVE-2012-{0811,0812})
Summary: <www-apps/postfixadmin-2.3.5 : Multiple vulnerabilities (CVE-2012-{0811,0812})
Status: RESOLVED FIXED
Alias: CVE-2012-0811
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 410627
Depends on:
Blocks:
 
Reported: 2012-01-26 22:11 UTC by Agostino Sarubbo
Modified: 2012-09-27 12:26 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-01-26 22:11:44 UTC
From oss-security mailing list at $URL:


we (the upstream PostfixAdmin developers) received a report about SQL
injections and XSS in PostfixAdmin. 

The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or 
tomorrow.


For reference, here's the changelog with all details:

  - fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
  - fix SQL injection in backup.php - the dump was not mysql_escape()d, 
    therefore users could inject SQL (for example in the vacation message)
    which will be executed when restoring the database dump.
    WARNING: database dumps created with backup.php from 2.3.4 or older might
             contain malicious SQL. Double-check before using them!
  - fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
  - fix XSS in some create-domain input fields
  - fix XSS in create-alias and edit-alias error message
  - fix XSS (by values stored in the database) in fetchmail list view,
    list-domain and list-virtual
  - create-domain: fix SQL injection (only exploitable by superadmins)
  - add missing $LANG['pAdminDelete_admin_error']
  - don't mark mailbox targets with recipient delimiter as "forward only"
  - wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function
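The backup.php item above (and the warning about old dumps) is easiest to see with a small model of the bug. The following is an added example written for this page, not PostfixAdmin code: it uses SQLite instead of MySQL, a made-up `vacation(email, body)` table, and constructed sample rows. It builds a dump the unescaped way, restores it and watches the injected statement run; then builds it with proper quoting; and finally shows a quote-aware checker of the kind the upstream warning asks for, which lists every statement in an existing dump that is not a CREATE TABLE or INSERT INTO an expected table.

```python
import sqlite3

# Constructed sample data (not from PostfixAdmin): two vacation messages as a
# user could have stored them. The second one is crafted to close the quoted
# string and append a statement of its own.
ROWS = [
    ("alice@example.com", "Out of office until Monday."),
    ("mallory@example.com", "bye'); DROP TABLE vacation; --"),
]
ALLOWED_TABLES = {"vacation"}   # tables a dump of this (assumed) schema may touch


def dump_unescaped(rows):
    """Pre-2.3.5 style: values are pasted into INSERTs without escaping."""
    out = ["CREATE TABLE vacation (email TEXT, body TEXT);"]
    for email, body in rows:
        out.append("INSERT INTO vacation VALUES ('%s', '%s');" % (email, body))
    return "\n".join(out)


def sql_quote(value):
    """Standard-SQL string literal: double every embedded single quote.
    SQLite semantics; MySQL additionally treats backslash as an escape, so
    there the driver's own escaping function must be used instead."""
    return "'" + value.replace("'", "''") + "'"


def dump_escaped(rows):
    """Fixed style: every value goes through sql_quote()."""
    out = ["CREATE TABLE vacation (email TEXT, body TEXT);"]
    for email, body in rows:
        out.append("INSERT INTO vacation VALUES (%s, %s);"
                   % (sql_quote(email), sql_quote(body)))
    return "\n".join(out)


def restore(dump):
    """Run the dump as a script into a fresh in-memory database, as a restore
    would, and return {email: body}; None if the table no longer exists."""
    con = sqlite3.connect(":memory:")
    con.executescript(dump)
    try:
        return dict(con.execute("SELECT email, body FROM vacation"))
    except sqlite3.OperationalError:   # "no such table" after the injected DROP
        return None


def split_statements(dump):
    """Split a dump into statements, honouring '...' literals ('' = escaped
    quote) and -- comments, so a ';' inside a string does not end a statement.
    Naive splitting on ';' would mis-parse exactly the dumps this is meant to check."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(dump):
        c = dump[i]
        if in_str:
            if dump.startswith("''", i):          # escaped quote inside a literal
                buf.append("''"); i += 2; continue
            in_str = c != "'"
            buf.append(c)
        elif c == "'":
            in_str = True; buf.append(c)
        elif dump.startswith("--", i):            # comment runs to end of line
            nl = dump.find("\n", i)
            i = len(dump) if nl < 0 else nl; continue
        elif c == ";":
            if "".join(buf).strip(): stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip(): stmts.append("".join(buf).strip())
    return stmts


def suspicious_statements(dump, allowed_tables=ALLOWED_TABLES):
    """Check an old dump before restoring it: return every statement that is
    not a CREATE TABLE / INSERT INTO one of the expected tables."""
    bad = []
    for stmt in split_statements(dump):
        head = stmt.split(None, 3)   # e.g. ['INSERT', 'INTO', 'vacation', 'VALUES (...)']
        ok = (len(head) >= 3
              and tuple(w.upper() for w in head[:2]) in {("CREATE", "TABLE"), ("INSERT", "INTO")}
              and head[2].lower() in allowed_tables)
        if not ok:
            bad.append(stmt)
    return bad


if __name__ == "__main__":
    print(restore(dump_unescaped(ROWS)))                # None: table dropped during restore
    print(restore(dump_escaped(ROWS)))                  # both rows, crafted body intact
    print(suspicious_statements(dump_unescaped(ROWS)))  # ['DROP TABLE vacation']
```

The crafted body only needs to terminate the string literal; everything after it becomes a separate statement at restore time, which is why the upstream note says the damage lands when the dump is replayed, not when the message is stored. The checker is deliberately strict (anything it does not recognise is reported), and the quoting rules are dialect specific: a dump taken from MySQL should be escaped and checked with MySQL's rules, where `\'` also ends a literal.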
Comment 1 tanstaafl@libertytrek.org 2012-03-29 15:14:12 UTC
any word on an ebuild version bump for 2.3.5?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-08 12:56:45 UTC
*** Bug 410627 has been marked as a duplicate of this bug. ***
Comment 3 Josh G 2012-05-22 06:35:09 UTC
(In reply to comment #1)
> any word on an ebuild version bump for 2.3.5?

Rename the ebuild to 2.3.5 and change the SRC_URI line to the one below:
SRC_URI="mirror://sourceforge/projects/${PN}/${PN}/${P}/${PN}_${PV}.tar.gz"

Seems to work w/o problems.

-Josh
Comment 4 Josh G 2012-05-22 06:59:51 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > any word on an ebuild version bump for 2.3.5?
> 
> Rename the ebuild to 2.3.5 and change the SRC_URI line to the one below:
> SRC_URI="mirror://sourceforge/projects/${PN}/${PN}/${P}/${PN}_${PV}.tar.gz"
> 
> Seems to work w/o problems.
> 
> -Josh

Heh, wrong SRC_URI, sorry...

SRC_URI="mirror://sourceforge/project/${PN}/${PN}/${P}/${PN}-${PV}.tar.gz"
Comment 5 Matti Bickel (RETIRED) gentoo-dev 2012-06-26 12:05:21 UTC
I've cleaned up postfixadmin and have the changes sitting in my checkout. As keeping it that way is a PITA with CVS, I'm gonna commit it in three days if pva/web-apps don't tell me otherwise.
Comment 6 Agostino Sarubbo gentoo-dev 2012-06-26 12:25:41 UTC
Thanks mabi.


Arches, please test and mark stable:
=www-apps/postfixadmin-2.3.5
Target KEYWORDS : "amd64 x86"
Comment 7 Agostino Sarubbo gentoo-dev 2012-06-26 17:40:44 UTC
amd64 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-06 08:41:29 UTC
x86 stable. Last arch.
Comment 9 Agostino Sarubbo gentoo-dev 2012-07-07 09:03:56 UTC
@security, please vote.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 05:45:51 UTC
Thanks, folks. GLSA Vote: yes.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:01:14 UTC
YES too, request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-27 12:26:11 UTC
This issue was resolved and addressed in
 GLSA 201209-18 at http://security.gentoo.org/glsa/glsa-201209-18.xml
by GLSA coordinator Sean Amoss (ackle).