Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 269567 (CVE-2009-1578) - <mail-client/squirrelmail-1.4.18: Multiple vulnerabilities (CVE-2009-{1578,1579,1580,1581})
Summary: <mail-client/squirrelmail-1.4.18: Multiple vulnerabilities (CVE-2009-{1578,15...
Status: RESOLVED FIXED
Alias: CVE-2009-1578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.squirrelmail.org/security/
Whiteboard: C1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-12 16:15 UTC by Alex Legler (RETIRED)
Modified: 2010-01-13 22:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-12 16:15:52 UTC
CVE-2009-1578: Multiple XSS vunlerabilities in (1) functions/global.php and (2) contrib/decrypt_headers.php.

CVE-2009-1579: Remote arbitrary command injection in functions/imap_general.php "when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality".

CVE-2009-1580: Session fixation vulnerability

CVE-2009-1581: XSS via CSS positioning parameters in functions/mime.php.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-12 16:17:01 UTC
Remedy: Update to 1.4.18.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-12 17:36:36 UTC
(In reply to comment #1)
> Remedy: Update to 1.4.18.
> 

did so.

Candidate for stabilization:

=mail-client/squirrelmail-1.4.18
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-12 17:57:44 UTC
Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.18
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 06:46:10 UTC
!!! dodoc: AUTHORS does not exist
!!! dodoc: COPYING does not exist
!!! dodoc: ChangeLog does not exist
!!! dodoc: INSTALL does not exist
!!! dodoc: ReleaseNotes does not exist
!!! dodoc: UPGRADE does not exist
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 07:06:36 UTC
x86 stable
Comment 6 Richard Freeman gentoo-dev 2009-05-13 13:32:03 UTC
amd64 stable
Comment 7 Tobias Klausmann gentoo-dev 2009-05-13 17:23:20 UTC
Stable on alpha.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-15 09:18:26 UTC
CVE-2009-1578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1578):
  Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail
  before 1.4.18 allow remote attackers to inject arbitrary web script
  or HTML via vectors involving (1) certain encrypted strings in e-mail
  headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and
  (3) the query string (aka QUERY_STRING).

CVE-2009-1579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1579):
  The map_yp_alias function in functions/imap_general.php in
  SquirrelMail before 1.4.18 allows remote attackers to execute
  arbitrary commands via shell metacharacters in a username string that
  is used by the ypmatch program.

CVE-2009-1580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1580):
  Session fixation vulnerability in SquirrelMail before 1.4.18 allows
  remote attackers to hijack web sessions via a crafted cookie.

CVE-2009-1581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1581):
  functions/mime.php in SquirrelMail before 1.4.18 does not protect the
  application's content from Cascading Style Sheets (CSS) positioning
  in HTML e-mail messages, which allows remote attackers to spoof the
  user interface, and conduct cross-site scripting (XSS) and phishing
  attacks, via a crafted message.

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-15 16:24:23 UTC
(In reply to comment #4)
> !!! dodoc: AUTHORS does not exist
> !!! dodoc: COPYING does not exist
> !!! dodoc: ChangeLog does not exist
> !!! dodoc: INSTALL does not exist
> !!! dodoc: ReleaseNotes does not exist
> !!! dodoc: UPGRADE does not exist
> 
fixed
Comment 10 Tiago Cunha (RETIRED) gentoo-dev 2009-05-15 16:59:05 UTC
Done by josejx for ppc and ppc64.
Comment 11 Tiago Cunha (RETIRED) gentoo-dev 2009-05-15 17:04:01 UTC
sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-15 17:10:34 UTC
and 1.4.17 removed. ready for glsa.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:16:15 UTC
GLSA 201001-08, thanks everyone.