Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 52434 - mail-client/squirrelmail-1.4.3 fixes new XSS vulnerability
Summary: mail-client/squirrelmail-1.4.3 fixes new XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
: 52524 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-05-30 03:53 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-05-30 03:53:42 UTC
Another XSS vulnerability is reported on FD. Fixed in SM CVS with comment:

"Fixed XSS vulnarability spotted by "Roman Medina" after a very
thorough research of the SquirrelMail source. I was impressed."

http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/mime.php

New release of SM should be out shortly according to:

http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Comment 1 Martin Holzer (RETIRED) gentoo-dev 2004-05-30 12:21:52 UTC

*** This bug has been marked as a duplicate of 49675 ***
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2004-05-30 12:23:22 UTC
really another (new one)
Comment 3 gen2daniel 2004-05-30 12:40:54 UTC
www.squirrelmail.org :
"ANNOUNCE: SquirrelMail 1.4.3 Released
May 30, 2004 by Jonathan Angliss
 	We are pleased to announce the release of SquirrelMail 1.4.3. This is a very important release as there was a number of XSS issues uncovered, and resolved. Many thanks to Eyal Udassin, Roman Medina and others for reporting the issues. As the previous release contained issues, it is STRONGLY advised that all users should upgrade to the latest release.

This release contains a number of bug fixes (including security based issues), and some minor user interface tweaks."
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-05-30 14:50:25 UTC
yup this is a new XSS vulnerability found in 1.4.3_rc1, fixed in 1.4.3.
<http://squirrelmail.org/changelog.php> says:

Version 1.4.3 - CVS
-------------------
  - Fix form functions default parameter.
  - Disabled Korean extra functions, because they don't provide all required
    options and message composition is broken.
  - Added Basque translation support.
  - Fixed XSS vulnarability in content-type display in the attachment area
    of read_body.php discovered by Roman Medina.



also note that squirrelmail has moved from net-mail to mail-client.
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-05-30 20:42:38 UTC
in x86.
ppc and sparc need to add 1.4.3 to stable before we can release GLSA.  alpha should also consider marking this stable as we bombed their last stable version with the last security fix, but AFAIK it's not neccessary for releaseing the GLSA.

1.4.3_rc1 -> 1.4.3 (webapp-apache)
1.4.3_rc1-r1 -> 1.4.3-r1 (webapp)
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-05-31 00:07:41 UTC
GLSA drafted and reviewed by krispykringle and concordes. Ready to ship when marked stable on ppc and sparc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-31 02:52:32 UTC
Setting back Product/Component as this is not GLSA-ready yet (waiting for stable).
Comment 8 Seemant Kulleen (RETIRED) gentoo-dev 2004-05-31 09:23:12 UTC
*** Bug 52524 has been marked as a duplicate of this bug. ***
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-05-31 17:16:44 UTC
Stable on sparc.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-02 02:27:18 UTC
Stable on alpha.
Comment 11 Greg Watson (linuxkrn) 2004-06-03 13:40:17 UTC
UPDATE:
The SquirrelMail 1.4.3 Release contains a serious memory exhausting bug. Please be patient and wait until we released version 1.4.3a (To be expected soon) or download a fixed version of compose.php Rev 1.319.2.35 from CVS and replace the compose.php file in the src directory. 
Comment 12 Greg Watson (linuxkrn) 2004-06-03 13:42:48 UTC
2nd part that didn't get pasted...

The SquirrelMail development team are pleased to announce the release of 1.4.3a. This release contains a minor bug fix that seemed to have caused some issues with users in replying to mail. This release also contains numerous XSS fixes from the 1.4.3 release.  
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-06-04 00:56:42 UTC
Hmmm... We should probably wait for a 1.4.3a ebuild before releasing this glsa.
Jeremy: sorry to bother you again :)
Comment 14 Tuan Van (RETIRED) gentoo-dev 2004-06-06 13:47:27 UTC
squirrelmail-1.3.1 and squirrelmail-1.3.1-r1 already have a patch for "memory exhausting bug". See bug #52656. IMHO, I don't think we need to bump.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-06-07 00:49:31 UTC
The patch has been added after the ebuild version was released. People that upgraded between May 31 and June 2 will still get an unpatched version, so I would still recommend a bump... Waiting for eradicator's opinion on this ?
Comment 16 Martin Holzer (RETIRED) gentoo-dev 2004-06-07 01:04:31 UTC
just see http://www.gentoo.org/doc/en/policy.xml

Versioning and revision bumps 

Package revision numbers should be incremented by Gentoo Linux developers when the ebuild has changed to the point where users would want to upgrade. Typically, this is the case when fixes are made to an ebuild that affect the resultant installed files, but the ebuild uses the same source tarball as the previous release. If you make an internal, stylistic change to the ebuild that does not change any of the installed files, then there is no need to bump the revision number. Likewise, if you fix a compilation problem in the ebuild that was affecting some users, there is no need to bump the revision number, since those for whom it worked perfectly would see no benefit in installing a new revision, and those who experienced the problem do not have the package installed (since compilation failed) and thus have no need for the new revision number to force an upgrade. A revision bump is also not necessary if a minority of users will be affected and the package has a nontrivial average compilation time; use your best judgement in these circumstances. 
Comment 17 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-07 18:56:21 UTC
yes, a bump should occur when the memory-exhaustion bug is fixed.  I've been away since Thursday, so I'm looking at this now.
Comment 18 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-07 19:09:00 UTC
ok... i wasn't aware that the patch that I included fixed an exaustive memory bug.   I just thought it fixed double messages in a reply (which seemed trivial ebough to me not to bump).  In any event, 1.4.3a is out now, and I'll be making an ebuild for that in a few... we should not release the GLSA until that is ready.
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-07 20:10:07 UTC
1.4.3a is now in portage and needs to be marked stable by ppc and sparc.
Comment 20 Jason Wever (RETIRED) gentoo-dev 2004-06-08 21:32:16 UTC
Stable on sparc.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 09:28:21 UTC
ppc, please mark mail-client/squirrelmail-1.4.3a stable...
Comment 22 Luca Barbato gentoo-dev 2004-06-14 10:57:22 UTC
Marked ppc
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 11:41:59 UTC
Thanks ! Ready for GLSA
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:00:58 UTC
GLSA 200406-08