Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 270671 (CVE-2009-1381)

Summary: mail-client/squirrelmail <1.4.19 Fix for CVE-2009-1579 was incomplete (CVE-2009-1381)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-21 07:53:43 UTC
The Red Hat Security Response Team discovered that the fix for CVE-2009-1579 applied in 1.4.18 was incomplete. 1.4.19 will be released today with a complete patch.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-21 19:03:57 UTC
ANNOUNCE: SquirrelMail 1.4.19 Released
May 21, 2009 by Thijs Kinkhorst
 	The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes aswell. If you do not use map_yp_alias or the filters plugin there's no urgent need to upgrade now if you already installed 1.4.18. 
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-22 11:56:37 UTC
1.4.19 is in CVS.

Candidate for stabilization:

=mail-client/squirrelmail-1.4.19
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 17:08:09 UTC
CVE-2009-1381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1381):
  The map_yp_alias function in functions/imap_general.php in
  SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other
  operating systems and versions, allows remote attackers to execute
  arbitrary commands via shell metacharacters in a username string that
  is used by the ypmatch program.  NOTE: this issue exists because of
  an incomplete fix for CVE-2009-1579.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 17:12:11 UTC
Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.19
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 5 Markus Meier gentoo-dev 2009-05-24 20:16:09 UTC
amd64/x86 stable
Comment 6 Tiago Cunha (RETIRED) gentoo-dev 2009-05-24 20:53:07 UTC
sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:01:36 UTC
ppc64 done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:01:43 UTC
ppc done
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-02 17:26:05 UTC
Stable on alpha.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-03 18:19:14 UTC
GLSA request filed.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:16:21 UTC
GLSA 201001-08, thanks everyone.