Bug 95937 - mail-client/squirrelmail: XSS issues (CAN-2005-1769)
Summary: mail-client/squirrelmail: XSS issues (CAN-2005-1769)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa] jaervosz
Duplicates: 96223 96795
Reported: 2005-06-13 02:05 UTC by Thierry Carrez (RETIRED)
Modified: 2005-06-22 16:23 UTC

sqm-144-xss.patch (sqm-144-xss.patch,23.44 KB, patch)
2005-06-13 02:05 UTC, Thierry Carrez (RETIRED)
sqm-144-xss.patch (sqm-144-xss.patch,25.48 KB, patch)
2005-06-14 01:52 UTC, Thierry Carrez (RETIRED)
sqm-144-xss.patch (sqm-144-xss.patch,25.02 KB, patch)
2005-06-14 21:11 UTC, Sune Kloppenborg Jeppesen

Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:05:05 UTC
Martijn Brinkers discovered that Squirrelmail contains several cross-site scripting attacks, most by URL manipulation, and some by sending a specially crafted HTML email.

This will be made public on Wednesday, June 15th 2005.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:05:55 UTC
Created attachment 61134

Tentative patch from upstream, applies on 1.4.4-release
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-13 02:08:29 UTC
Cc-ing eradicator so that he gets ready to patch on disclosure date.
eradicator: please do not commit anything in Portage until this is made public.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-14 01:52:48 UTC
Created attachment 61189

New patch version from Squirrelmail team
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-14 21:11:54 UTC
Created attachment 61245

Updated patch.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-15 21:58:06 UTC
Now public -> opening. 
Eradicator please bump. 
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-15 21:59:09 UTC
*** Bug 96223 has been marked as a duplicate of this bug. ***
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2005-06-16 01:04:30 UTC
The patch breaks addressbook for me:

 PHP Parse error:  parse error, unexpected '=' in /webmail/src/addressbook.php on line 346
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2005-06-16 01:12:52 UTC
(In reply to comment #7)

This works:

@@ -343,6 +343,7 @@
     /* Get and sort address list */
     $alist = $abook->list_addr();
     if(!is_array($alist)) {
+        $abook_error = htmlspecialchars($abook_error);
         plain_error_message($abook->error, $color);
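
Review bot: the added `+` line escapes `$abook_error`, a standalone variable, while the context line right after it still passes the object property `$abook->error` to plain_error_message(), so in the lines shown the escaped value is never used and the error text is passed through unescaped. Swapping the dash for an underscore removes the parse error but does not apply the escaping to the value that is printed. Unless plain_error_message() escapes its argument itself, escape at the call, e.g. `plain_error_message(htmlspecialchars($abook->error), $color);`, or assign the escaped result back to `$abook->error` before the call.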

Note the underscore instead of a dash.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 10:09:57 UTC
Adding the net-mail herd.

eradicator/net-mail : please bump (see comment #8)
Comment 10 Tuan Van (RETIRED) gentoo-dev 2005-06-18 08:27:41 UTC
eradicator is away. Acting on behalf of net-mail herd, bumped with patch from which fixed
the line mentioned in comment #8. All keywords dropped to ~arch.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-18 08:38:00 UTC
Thx Tuan, I informed upstream about the problem a few days ago. Now back to 
stable marking. 
Comment 12 Jason Wever (RETIRED) gentoo-dev 2005-06-18 12:47:59 UTC
Stable on SPARC.
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-18 13:12:22 UTC
Stable on ppc.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-19 01:35:17 UTC
Almost ready for GLSA decision, I vote YES. 
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-06-19 02:24:26 UTC
stable on amd64:

< KEYWORDS="~alpha ~amd64 ppc sparc ~x86"
> KEYWORDS="~alpha amd64 ppc sparc ~x86"

note that x86 is still testing
Comment 16 Tuan Van (RETIRED) gentoo-dev 2005-06-19 11:24:45 UTC
stable on x86.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-19 12:01:55 UTC
This one is ready for GLSA decision. 
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-06-19 12:06:27 UTC
I vote YES too.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-21 13:45:44 UTC
GLSA 200506-19 
Comment 20 Tuan Van (RETIRED) gentoo-dev 2005-06-22 16:23:09 UTC
*** Bug 96795 has been marked as a duplicate of this bug. ***