Bug 349563 (CVE-2010-1677)

Summary:	<net-mail/mhonarc-2.6.18: Denial of Service and Cross-site Scripting Vulnerabilities (CVE-2010-{1677,4524})
Product:	Gentoo Security	Reporter:	Tim Sammut (RETIRED) <underling>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	infra-bugs, kumba
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2010/12/22/4
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Tim Sammut (RETIRED) gentoo-dev

2010-12-24 04:01:12 UTC

From the oss-security posting at $URL:

> 
> MHonArc, a Perl mail-to-HTML converter, failed to
> properly escape certain HTML sequences. A remote
> attacker could provide a specially-crafted email
> message and trick the local user to convert it
> into HTML format. Subsequent preview of such
> message might potentially execute arbitrary HTML
> or scripting code (XSS).
> 

There does not appear to be an upstream fix yet.

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2011-01-11 04:53:15 UTC

Two CVEs have been assigned for these issues.

Denial of Service:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1677

XSS:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4524

Upstream has released 2.6.17, although they recommend updating to 2.6.18.

http://www.mhonarc.org/#whatsnew

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2011-01-21 11:15:36 UTC

CVE-2010-4524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4524):
  Cross-site scripting (XSS) vulnerability in lib/mhtxthtml.pl in
  MHonArc 2.6.16 allows remote attackers to inject arbitrary web script
  or HTML via a malformed start tag and end tag for a SCRIPT element,
  as demonstrated by <scr<body>ipt> and </scr<body>ipt> sequences.

Comment 3 Joshua Kinard gentoo-dev

2011-02-13 11:21:49 UTC

Added 2.6.18 to the tree.  Note that I am not familiar with mhonarc's usage, so I can't help on anything major.

Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester

2011-02-13 13:45:15 UTC

(In reply to comment #3)
> Added 2.6.18 to the tree.  Note that I am not familiar with mhonarc's usage, so
> I can't help on anything major.
> 

Don't close security bugs.

Comment 5 Tim Sammut (RETIRED) gentoo-dev

2011-02-13 15:10:44 UTC

Thanks, folks.

Arches, please test and mark stable:
=net-mail/mhonarc-2.6.18
Target keywords : "alpha amd64 sparc x86"

Comment 6 Markos Chandras (RETIRED) gentoo-dev

2011-02-13 18:56:14 UTC

amd64 done

Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-02-14 11:39:34 UTC

Are those warnings expected? It seems that they would make this package break:

 * Messages for package net-mail/mhonarc-2.6.18:

 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-dbedit
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-decode
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mhonarc
 * QA: File contains a temporary path /var/tmp/portage/net-mail/mhonarc-2.6.18/image/usr/bin/mha-dbrecover

Comment 8 Joshua Kinard gentoo-dev

2011-02-14 21:14:23 UTC

I saw those, but am uncertain how to correct.  They exist in the .16 versions, too.  I'm only tagged as the maintainer because I played with mhonarc back before Gentoo had proper mailing lists setup.  Never really got into truly understanding the package.

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev

2011-02-25 23:35:11 UTC

x86 stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2011-02-26 19:53:35 UTC

Stable on alpha.

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2011-03-05 16:46:39 UTC

sparc stable

Comment 12 Tim Sammut (RETIRED) gentoo-dev

2011-03-05 21:22:34 UTC

Thanks, everyone.

GLSA Vote: no.

Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev

2011-10-08 21:42:38 UTC

no too, and closing.