Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616700 (CVE-2017-7692) - mail-client/squirrelmail: Remote Code Execution
Summary: mail-client/squirrelmail: Remote Code Execution
Status: RESOLVED FIXED
Alias: CVE-2017-7692
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-27 04:48 UTC by Michael Boyle
Modified: 2019-04-26 02:47 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
squirrelmail-1.4.23_pre20170502.ebuild new ebuild for latest stable (squirrelmail-1.4.23_pre20170502.ebuild,5.42 KB, text/plain)
2017-05-02 12:33 UTC, Chris Henhawke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-04-27 04:48:07 UTC
SquirrelMail is affected by a critical Remote Code Execution vulnerability
which stems from insufficient escaping of user-supplied data when
SquirrelMail has been configured with Sendmail as the main transport.
An authenticated attacker may be able to exploit the vulnerability
to execute arbitrary commands on the target and compromise the remote
system.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-27 05:04:46 UTC
Is anyone maintaining SquirrelMail anymore? Or should we drop the package from Distro?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-28 06:24:05 UTC
Email sent to gentoo-dev to see if anyone wants to maintain it.
Original Email to the net-mail team inquiring about this package on 4/14/17.
Comment 3 Chris Henhawke 2017-05-02 12:33:37 UTC
Created attachment 471494 [details]
squirrelmail-1.4.23_pre20170502.ebuild new ebuild for latest stable

I have attached an ebuild which appears to install cleanly, it is my understanding that it should no longer be vulnerable.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-02 17:01:15 UTC
(In reply to Chris Henhawke from comment #3)
> Created attachment 471494 [details]
> squirrelmail-1.4.23_pre20170502.ebuild new ebuild for latest stable
> 
> I have attached an ebuild which appears to install cleanly, it is my
> understanding that it should no longer be vulnerable.

Chris,Squirrelmail currently has no maintainer. We are about to drop it from the tree. Are you interested in becoming a proxy maintainer for it?
Comment 5 Chris Henhawke 2017-05-02 17:09:27 UTC
(In reply to Yury German from comment #4)
> Chris,Squirrelmail currently has no maintainer. We are about to drop it from
> the tree. Are you interested in becoming a proxy maintainer for it?

While I do use the package, and it would be sad to see it go, I don't think I would be able to maintain it for the distro.  My apologies.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-05-17 18:39:45 UTC
# Thomas Deutschmann <whissi@gentoo.org> (17 May 2017)
# Unpatched security vulnerability per bug #616700
# Removal in 30 days.
mail-client/squirrelmail
Comment 7 Philippe Chaintreuil 2017-05-18 13:30:33 UTC
Should send an e-mail to the gentoo-proxy-maint list to see if anyone there wants to step up.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-03 07:12:02 UTC
(In reply to Philippe Chaintreuil from comment #7)
> Should send an e-mail to the gentoo-proxy-maint list to see if anyone there
> wants to step up.

This was already sent to gentoo-dev list. No one wanted to pick up on it, in 30 days.
Comment 9 Michael 'veremitz' Everitt 2017-06-17 19:40:57 UTC
Seems to be active development going on http://snapshots.squirrelmail.org/ . Given the level of activity, I don't mind proxying for this if the submitted ebuild is ok for a Pull-Request.

Giving it 7 days from post, if you can hold out for that long, blueknight? Will pm you on IRC for ACK :)
Comment 10 Harry Holt 2017-06-30 11:09:07 UTC
I can help! 

Need squirrelmail in Gentoo... how do we get the ebuild back in?
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-01 09:30:01 UTC
If someone is truly interested in maintaining this (and just talking about it every 2 weeks), feel free to take it via proxy-maint [1]. Note that there's already bug #621234 where someone requested maintaining it but it hasn't progressed at all.

Also note that the existing ebuild won't do, and you will be requested to fix the QA issues with it (e.g. missing error handling).

[1]:https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers


commit d229371435c05ea46d79bd2172c69887888e9634
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Sat Jul 1 11:09:49 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Sat Jul 1 11:19:48 2017

    mail-client/squirrelmail: Remove last-rited pkg, #611422
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 20:29:18 UTC
This issue was resolved and addressed in
 GLSA 201709-13 at https://security.gentoo.org/glsa/201709-13
by GLSA coordinator Aaron Bauman (b-man).