
Bug 329863 (CVE-2010-2813)

Summary: <mail-client/squirrelmail-1.4.21 XSS vulnerability (CVE-2010-2813)
Product: Gentoo Security
Reporter: Eray Aslan <eras>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: atoth, eike, net-mail+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://squirrelmail.org/index.php
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Eray Aslan gentoo-dev 2010-07-26 06:02:19 UTC
The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.21.  This is primarily a maintenance release
which addresses a smattering of small issues and adds some fine-tuning
of recent changes.  It also closes two relatively low-risk security
issues.

Before this release, for environments with highly active users, the
number of security tokens could have bloated user session (and
preference) files to an unacceptable size, hurting overall
responsiveness.  This release scales back the default validity period
of security tokens from 30 days to two days, which should fix this
problem in most cases.  The administrator is always free to change
this value by specifying $max_token_age_days in
config/config_local.php.

There are also fixes for minor issues related to header folding,
faster and more resilient display of encoded subjects, quoting of
encoded addresses upon reply, provision of a subject when using
forward-as-attachment, and a few other tidbits.

This release also includes fixes for two low-risk vulnerabilities.
The first, CVE-2010-1637, allows authenticated users to use the Mail
Fetch plugin as a network/port/DNS scanner.  The second,
CVE-2010-2813, poses a denial-of-service risk when passwords
containing 8-bit characters are used to log in.  While we characterize
these issues as fairly low risk, it is nevertheless recommended that
users of previous versions of SquirrelMail upgrade at their earliest
convenience.


Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2010-07-26 06:03:12 UTC
Renaming squirrelmail-1.4.20.ebuild works.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-12 21:07:24 UTC
Routing security bug to security.
Comment 3 Attila Tóth 2010-08-12 21:10:51 UTC
CVE-2009-2964 has already been covered: see bug #281580.
However, CVE-2010-2813 must be taken care of.
A version bump is necessary, and it seems to be straightforward.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 22:30:47 UTC
CVE-2010-2813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2813):
  functions/imap_general.php in SquirrelMail before 1.4.21 does not
  properly handle 8-bit characters in passwords, which allows remote
  attackers to cause a denial of service (disk consumption) by making
  many IMAP login attempts with different usernames, leading to the
  creation of many preferences files.

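The NVD text above describes the symptom an administrator would actually notice: a burst of preference files for usernames that do not exist. The following is an added defender-side check, not code from the bug report or from SquirrelMail itself; it assumes SquirrelMail's data directory holds one `<username>.pref` file per user and that the operator can supply the set of legitimate accounts.

```python
import tempfile
import time
from pathlib import Path

# Assumption: SquirrelMail keeps per-user preferences as <username>.pref
# in its data directory; unbounded growth of these files is the
# disk-consumption effect described for CVE-2010-2813.
PREF_SUFFIX = ".pref"


def orphan_pref_files(data_dir, known_users):
    """Return pref files whose basename is not a known account."""
    orphans = []
    for path in Path(data_dir).glob(f"*{PREF_SUFFIX}"):
        if path.name[: -len(PREF_SUFFIX)] not in known_users:
            orphans.append(path.name)
    return sorted(orphans)


def pref_files_created_since(data_dir, seconds):
    """Count pref files modified within the last `seconds` (burst detector)."""
    cutoff = time.time() - seconds
    return sum(1 for p in Path(data_dir).glob(f"*{PREF_SUFFIX}")
               if p.stat().st_mtime >= cutoff)


def assess(data_dir, known_users, burst_window=3600, burst_threshold=100):
    """Summarise the symptom: orphan files plus a recent creation burst."""
    orphans = orphan_pref_files(data_dir, known_users)
    recent = pref_files_created_since(data_dir, burst_window)
    return {
        "orphan_count": len(orphans),
        "orphans": orphans[:10],          # first few names for the report
        "recent": recent,
        "suspicious": len(orphans) > 0 or recent >= burst_threshold,
    }


def build_constructed_sample():
    """Constructed sample data directory: two real users plus junk files."""
    d = tempfile.mkdtemp(prefix="sm-data-")
    for name in ["alice", "bob", "zz_junk_001", "zz_junk_002", "zz_junk_003"]:
        Path(d, name + PREF_SUFFIX).write_text("theme=default\n")
    return d


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(assess(sample, {"alice", "bob"}, burst_threshold=5))
```

Run it against the real data directory with the account list from the IMAP backend; orphan names that are clearly not users are the files left behind by the failed-login pattern.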
Comment 5 Rolf Eike Beer archtester 2010-09-18 18:13:50 UTC
Can someone please finally fix this? There is nothing to do but copy the .20 ebuild to .21; it has been running fine here (x86) for some weeks.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-22 21:32:02 UTC
CVE-2009-2964 was handled in 281580 already.
Comment 7 Attila Tóth 2010-09-23 08:43:01 UTC
(In reply to comment #6)
> CVE-2009-2964 was handled in 281580 already.
> 

What about CVE-2010-2813?
Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-09-23 15:59:43 UTC
(In reply to comment #7)
> What about CVE-2010-2813?

That is handled in *this* bug, see the Summary. :)

Since multiple people have said that a rename works...
+*squirrelmail-1.4.21 (23 Sep 2010)
+
+  23 Sep 2010; Jeremy Olexa <darkside@gentoo.org>
+  +squirrelmail-1.4.21.ebuild:
+  (non maintainer commit) Version bump for security bug 329863
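Review bot: the ChangeLog entry references only bug 329863; naming the CVE identifiers the bump closes (CVE-2010-2813 from the summary, and CVE-2010-1637, which the description lists as also fixed in 1.4.21) in the entry would let the security fix be found by CVE later. Also, the hunk only adds squirrelmail-1.4.21.ebuild, so the vulnerable 1.4.20 ebuild stays in the tree until it is dropped after stabilization; a follow-up cleanup should be noted on this bug.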
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:46:53 UTC
*PING* to net-mail.
Comment 10 Eray Aslan gentoo-dev 2010-11-21 18:51:07 UTC
Pong?  Security's turn to call for stabilization?
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 19:04:17 UTC
Whoops, too many tabs open, looking failure.

Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.21
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

Comment 12 Agostino Sarubbo gentoo-dev 2010-11-21 20:07:22 UTC
amd64 ok
Comment 13 Thomas Kahle (RETIRED) gentoo-dev 2010-11-22 10:04:06 UTC
x86 done. Thanks everyone.
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2010-11-22 20:30:47 UTC
amd64 done. Thanks Agostino
Comment 15 Brent Baude (RETIRED) gentoo-dev 2010-11-24 20:21:25 UTC
ppc done
Comment 16 Brent Baude (RETIRED) gentoo-dev 2010-11-24 20:27:03 UTC
ppc64 done
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-11-27 11:20:24 UTC
alpha/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-29 19:28:47 UTC
GLSA Vote: no
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-29 20:36:16 UTC
GLSA vote: NO, too. Closing noglsa.