Summary: | mail-client/squirrelmail: XSS issues (CAN-2005-1769) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Thierry Carrez (RETIRED) <koon> | ||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | minor | CC: | eradicator, gentoo, net-mail+disabled, rajiv | ||||||||
Priority: | High | ||||||||||
Version: | unspecified | ||||||||||
Hardware: | All | ||||||||||
OS: | Other | ||||||||||
URL: | http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch | ||||||||||
Whiteboard: | B4 [glsa] jaervosz | ||||||||||
Package list: | Runtime testing required: | --- | |||||||||
Attachments: |
|
Description
Thierry Carrez (RETIRED)
![]() Created attachment 61134 [details, diff]
sqm-144-xss.patch
Tentative patch from upstream, applies on 1.4.4-release
Cc-ing eradicator so that he gets ready to patch on disclosure date. eradicator: please do not commit anything in Portage until this is made public. Created attachment 61189 [details, diff]
sqm-144-xss.patch
New patch version from Squirrelmail team
Created attachment 61245 [details, diff]
sqm-144-xss.patch
Updated patch.
Now public -> opening. Eradicator please bump. *** Bug 96223 has been marked as a duplicate of this bug. *** The patch breaks addressbook for me: PHP Parse error: parse error, unexpected '=' in /webmail/src/addressbook.php on line 346 (In reply to comment #7) This works: @@ -343,6 +343,7 @@ /* Get and sort address list */ $alist = $abook->list_addr(); if(!is_array($alist)) { + $abook_error = htmlspecialchars($abook_error); plain_error_message($abook->error, $color); exit; } Note the underscore instead of a dash. Adding the net-mail herd. eradicator/net-mail : please bump (see comment #8) eradicator is away. Acting on behalf of net-mail herd, bumped with patch from http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch which fixed the line mentioned in comment #8. All keywords dropped to ~arch. Thx Tuan, I informed upstream about the problem a few days ago. Now back to stable marking. Stable on SPARC. Stable on ppc. Almost ready for GLSA decision, I vote YES. stable on amd64:
squirrelmail-1.4.4-r1.ebuild
39c39
< KEYWORDS="~alpha ~amd64 ppc sparc ~x86"
---
> KEYWORDS="~alpha amd64 ppc sparc ~x86"
note that x86 is still testing
stable on x86. This one is ready for GLSA decision. I vote YES too. GLSA 200506-19 *** Bug 96795 has been marked as a duplicate of this bug. *** |