From the oss-security posting at $URL:

> MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).

There does not appear to be an upstream fix yet.
Two CVEs have been assigned for these issues.

Denial of Service: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1677
XSS: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4524

Upstream has released 2.6.17, although they recommend updating to 2.6.18.
http://www.mhonarc.org/#whatsnew
CVE-2010-4524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4524): Cross-site scripting (XSS) vulnerability in lib/mhtxthtml.pl in MHonArc 2.6.16 allows remote attackers to inject arbitrary web script or HTML via a malformed start tag and end tag for a SCRIPT element, as demonstrated by <scr<body>ipt> and </scr<body>ipt> sequences.
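The sequences quoted in the CVE entry work against a filter that removes known-dangerous tags in a single pass: once the inner `<body>` is deleted, the surrounding fragments reassemble into a literal `<script>` tag that the filter never sees. The following added example (not MHonArc's code; the regex is a constructed stand-in for the kind of blocklist filter in question, not the actual logic of lib/mhtxthtml.pl) shows the single-pass behaviour next to a version that re-applies the filter until the output stops changing, and goes slightly beyond the page by also handling deeper nesting:

```python
import re

# Constructed sample input using the malformed tag sequences named in the CVE entry.
SAMPLE = "<p>hi</p><scr<body>ipt>alert(1)</scr<body>ipt>"

# Blocklist of element names to remove (assumption: a stand-in filter, not MHonArc's).
DANGEROUS_TAG = re.compile(
    r"</?\s*(script|body|iframe|object|embed)\b[^>]*>", re.IGNORECASE
)


def strip_once(html: str) -> str:
    """Single-pass removal: deleting <body> from <scr<body>ipt> leaves <script> behind."""
    return DANGEROUS_TAG.sub("", html)


def strip_until_stable(html: str, max_rounds: int = 10) -> str:
    """Re-apply the filter until a pass changes nothing, so a removal cannot
    splice two fragments into a tag that escapes the filter."""
    for _ in range(max_rounds):
        filtered = DANGEROUS_TAG.sub("", html)
        if filtered == html:
            return filtered
        html = filtered
    # Refuse to emit half-filtered markup rather than guess.
    raise ValueError("tag filter did not converge")


def contains_script(html: str) -> bool:
    """Detection helper: does the output still carry a start tag for SCRIPT?"""
    return re.search(r"<\s*script\b", html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("single pass :", strip_once(SAMPLE))          # <p>hi</p><script>alert(1)</script>
    print("until stable:", strip_until_stable(SAMPLE))  # <p>hi</p>alert(1)
```

Iterating to a fixed point closes this particular gap, but it is still a blocklist; the more robust design for a mail-to-HTML converter is to parse the markup and either escape everything or keep only an allowlist of elements and attributes. The upstream change in 2.6.17/2.6.18 itself is not reproduced on this page.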
Added 2.6.18 to the tree. Note that I am not familiar with mhonarc's usage, so I can't help on anything major.
(In reply to comment #3)
> Added 2.6.18 to the tree. Note that I am not familiar with mhonarc's usage, so
> I can't help on anything major.

Don't close security bugs.
Thanks, folks. Arches, please test and mark stable:
=net-mail/mhonarc-2.6.18
Target keywords : "alpha amd64 sparc x86"
amd64 done
Are those warnings expected? It seems that they would make this package break:

 * Messages for package net-mail/mhonarc-2.6.18:
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-dbedit
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-decode
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mhonarc
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-dbrecover
I saw those, but am uncertain how to correct. They exist in the .16 versions, too. I'm only tagged as the maintainer because I played with mhonarc back before Gentoo had proper mailing lists set up. Never really got into truly understanding the package.
x86 stable
Stable on alpha.
sparc stable
Thanks, everyone. GLSA Vote: no.
no too, and closing.