Martijn Brinkers discovered that Squirrelmail contains several cross-site scripting attacks, most by URL manipulation, and some by sending a specially crafted HTML email. This will be made public on Wednesday, June 15th 2005.
Created attachment 61134: sqm-144-xss.patch. Tentative patch from upstream, applies on 1.4.4-release
Cc-ing eradicator so that he gets ready to patch on disclosure date. eradicator: please do not commit anything in Portage until this is made public.
Created attachment 61189: sqm-144-xss.patch. New patch version from Squirrelmail team
Created attachment 61245: sqm-144-xss.patch. Updated patch.
Now public -> opening. Eradicator please bump.
*** Bug 96223 has been marked as a duplicate of this bug. ***
The patch breaks addressbook for me: PHP Parse error: parse error, unexpected '=' in /webmail/src/addressbook.php on line 346
(In reply to comment #7) This works: @@ -343,6 +343,7 @@ /* Get and sort address list */ $alist = $abook->list_addr(); if(!is_array($alist)) { + $abook_error = htmlspecialchars($abook_error); plain_error_message($abook->error, $color); exit; } Note the underscore instead of a dash.
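Review bot: the added line escapes `$abook_error`, but the context line right after it still passes `$abook->error` to `plain_error_message()`, so the escaped value is never used and the address book error text is handed to the error page unchanged. The underscore makes the line parse, but within this hunk it only assigns to a separate variable that nothing else reads. The escaping should apply to the value that is actually printed, for example `$abook->error = htmlspecialchars($abook->error);`, or by wrapping the argument in the `plain_error_message()` call itself.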
Adding the net-mail herd. eradicator/net-mail : please bump (see comment #8)
eradicator is away. Acting on behalf of net-mail herd, bumped with patch from http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch which fixed the line mentioned in comment #8. All keywords dropped to ~arch.
Thx Tuan, I informed upstream about the problem a few days ago. Now back to stable marking.
Stable on SPARC.
Stable on ppc.
Almost ready for GLSA decision, I vote YES.
stable on amd64: squirrelmail-1.4.4-r1.ebuild 39c39 < KEYWORDS="~alpha ~amd64 ppc sparc ~x86" --- > KEYWORDS="~alpha amd64 ppc sparc ~x86" note that x86 is still testing
stable on x86.
This one is ready for GLSA decision.
I vote YES too.
GLSA 200506-19
*** Bug 96795 has been marked as a duplicate of this bug. ***