Bug#: 52434
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2004-05-30 03:53 0000
Another XSS vulnerability is reported on FD. Fixed in SM CVS with comment:

"Fixed XSS vulnerability spotted by "Roman Medina" after a very
thorough research of the SquirrelMail source. I was impressed."

http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/mime.php

New release of SM should be out shortly according to:

http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

------- Comment #1 From Martin Holzer (RETIRED) 2004-05-30 12:21:52 0000 -------

*** This bug has been marked as a duplicate of 49675 ***

------- Comment #2 From Martin Holzer (RETIRED) 2004-05-30 12:23:22 0000 -------
really another (new one)

------- Comment #3 From gen2daniel 2004-05-30 12:40:54 0000 -------
www.squirrelmail.org :
"ANNOUNCE: SquirrelMail 1.4.3 Released
May 30, 2004 by Jonathan Angliss
We are pleased to announce the release of SquirrelMail 1.4.3. This is a very important release as there was a number of XSS issues uncovered, and resolved. Many thanks to Eyal Udassin, Roman Medina and others for reporting the issues. As the previous release contained issues, it is STRONGLY advised that all users should upgrade to the latest release.

This release contains a number of bug fixes (including security based issues), and some minor user interface tweaks."

------- Comment #4 From Rajiv Aaron Manglani 2004-05-30 14:50:25 0000 -------
yup this is a new XSS vulnerability found in 1.4.3_rc1, fixed in 1.4.3.
<http://squirrelmail.org/changelog.php> says:

Version 1.4.3 - CVS
-------------------
  - Fix form functions default parameter.
  - Disabled Korean extra functions, because they don't provide all required
    options and message composition is broken.
  - Added Basque translation support.
  - Fixed XSS vulnerability in content-type display in the attachment area
    of read_body.php discovered by Roman Medina.



also note that squirrelmail has moved from net-mail to mail-client.

------- Comment #5 From Jeremy Huddleston (RETIRED) 2004-05-30 20:42:38 0000 -------
Stable in x86.
ppc and sparc need to add 1.4.3 to stable before we can release the GLSA.  alpha should also consider marking this stable as we bombed their last stable version with the last security fix, but AFAIK it's not necessary for releasing the GLSA.

1.4.3_rc1 -> 1.4.3 (webapp-apache)
1.4.3_rc1-r1 -> 1.4.3-r1 (webapp)

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-05-31 00:07:41 0000 -------
GLSA drafted and reviewed by krispykringle and concordes. Ready to ship when
marked stable on ppc and sparc.

------- Comment #7 From Thierry Carrez (RETIRED) 2004-05-31 02:52:32 0000 -------
Setting back Product/Component as this is not GLSA-ready yet (waiting for
stable).

------- Comment #8 From Seemant Kulleen (RETIRED) 2004-05-31 09:23:12 0000 -------
*** Bug 52524 has been marked as a duplicate of this bug. ***

------- Comment #9 From Jason Wever (RETIRED) 2004-05-31 17:16:44 0000 -------
Stable on sparc.

------- Comment #10 From Bryan Østergaard (RETIRED) 2004-06-02 02:27:18 0000 -------
Stable on alpha.

------- Comment #11 From Greg Watson (linuxkrn) 2004-06-03 13:40:17 0000 -------
UPDATE:
The SquirrelMail 1.4.3 Release contains a serious memory exhausting bug. Please be patient and wait until we release version 1.4.3a (to be expected soon) or download a fixed version of compose.php Rev 1.319.2.35 from CVS and replace the compose.php file in the src directory.

------- Comment #12 From Greg Watson (linuxkrn) 2004-06-03 13:42:48 0000 -------
2nd part that didn't get pasted...

The SquirrelMail development team are pleased to announce the release of 1.4.3a. This release contains a minor bug fix that seemed to have caused some issues with users in replying to mail. This release also contains numerous XSS fixes from the 1.4.3 release.  

------- Comment #13 From Thierry Carrez (RETIRED) 2004-06-04 00:56:42 0000 -------
Hmmm... We should probably wait for a 1.4.3a ebuild before releasing this glsa.
Jeremy: sorry to bother you again :)

------- Comment #14 From Tuan Van (RETIRED) 2004-06-06 13:47:27 0000 -------
squirrelmail-1.3.1 and squirrelmail-1.3.1-r1 already have a patch for "memory
exhausting bug". See bug #52656. IMHO, I don't think we need to bump.

------- Comment #15 From Thierry Carrez (RETIRED) 2004-06-07 00:49:31 0000 -------
The patch has been added after the ebuild version was released. People that
upgraded between May 31 and June 2 will still get an unpatched version, so I
would still recommend a bump... Waiting for eradicator's opinion on this?

------- Comment #16 From Martin Holzer (RETIRED) 2004-06-07 01:04:31 0000 -------
just see http://www.gentoo.org/doc/en/policy.xml

Versioning and revision bumps 

Package revision numbers should be incremented by Gentoo Linux developers when the ebuild has changed to the point where users would want to upgrade. Typically, this is the case when fixes are made to an ebuild that affect the resultant installed files, but the ebuild uses the same source tarball as the previous release. If you make an internal, stylistic change to the ebuild that does not change any of the installed files, then there is no need to bump the revision number. Likewise, if you fix a compilation problem in the ebuild that was affecting some users, there is no need to bump the revision number, since those for whom it worked perfectly would see no benefit in installing a new revision, and those who experienced the problem do not have the package installed (since compilation failed) and thus have no need for the new revision number to force an upgrade. A revision bump is also not necessary if a minority of users will be affected and the package has a nontrivial average compilation time; use your best judgement in these circumstances. 

------- Comment #17 From Jeremy Huddleston (RETIRED) 2004-06-07 18:56:21 0000 -------
yes, a bump should occur when the memory-exhaustion bug is fixed.  I've been
away since Thursday, so I'm looking at this now.

------- Comment #18 From Jeremy Huddleston (RETIRED) 2004-06-07 19:09:00 0000 -------
ok... I wasn't aware that the patch that I included fixed an exhaustive memory
bug.   I just thought it fixed double messages in a reply (which seemed trivial
enough to me not to bump).  In any event, 1.4.3a is out now, and I'll be making
an ebuild for that in a few... we should not release the GLSA until that is
ready.

------- Comment #19 From Jeremy Huddleston (RETIRED) 2004-06-07 20:10:07 0000 -------
1.4.3a is now in portage and needs to be marked stable by ppc and sparc.

------- Comment #20 From Jason Wever (RETIRED) 2004-06-08 21:32:16 0000 -------
Stable on sparc.

------- Comment #21 From Thierry Carrez (RETIRED) 2004-06-14 09:28:21 0000 -------
ppc, please mark mail-client/squirrelmail-1.4.3a stable...

------- Comment #22 From Luca Barbato 2004-06-14 10:57:22 0000 -------
Marked ppc

------- Comment #23 From Thierry Carrez (RETIRED) 2004-06-14 11:41:59 0000 -------
Thanks! Ready for GLSA

------- Comment #24 From Thierry Carrez (RETIRED) 2004-06-15 12:00:58 0000 -------
GLSA 200406-08
