
upload squirrelmail



Hello.

I've prepared a security update for squirrelmail. Please review and
upload. The debdiff is attached. I've tested the new build against the
given POC[1]. I am not sure about the lintian warning (which was already
there) /license-problem-non-free-RFC/.


Thanks
Abhijith PA

[1] - https://sourceforge.net/p/squirrelmail/bugs/2831/
diff -Nru squirrelmail-1.4.23~svn20120406/debian/changelog squirrelmail-1.4.23~svn20120406/debian/changelog
--- squirrelmail-1.4.23~svn20120406/debian/changelog	2018-04-07 15:24:43.000000000 +0200
+++ squirrelmail-1.4.23~svn20120406/debian/changelog	2018-08-25 18:36:19.000000000 +0200
@@ -1,3 +1,12 @@
+squirrelmail (2:1.4.23~svn20120406-2+deb8u3) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix for several XSS vulnerabilities CVE-2018-14950 CVE-2018-14951
+    CVE-2018-14952 CVE-2018-14953 CVE-2018-14954 CVE-2018-14955
+    (Closes: #905023)
+
+ -- Abhijith PA <abhijith@disroot.org>  Sat, 25 Aug 2018 22:06:19 +0530
+
 squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
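Review bot: The new entry in debian/changelog lists the six CVE ids but does not say which patch carries the fix or which file it touches. Naming `debian/patches/CVE-2018-14950-55.patch` and `functions/mime.php` in the bullet would let someone reading only the changelog find the change without opening the debdiff.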
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch
--- squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch	1970-01-01 01:00:00.000000000 +0100
+++ squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch	2018-08-25 18:36:19.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Fix for various XSS
+ Multiple XSS vulnerabilities in the mail message display page
+ (functions/mime.php),the function HTML can not filter some special tags. This 
+ patch Completely remove inline svg content, animate, form, math, param tags and
+ filter URL with xlink:href, action, formaction, to. 
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/e2d32eb3/72f1/attachment/squirrelmail-fix-xss-sf-bug-2831.diff
+Bug: https://sourceforge.net/p/squirrelmail/bugs/2831/
+Bug-Debian: https://bugs.debian.org/905023
+Last-Update: 2018-08-25
+
+Index: squirrelmail-1.4.23~svn20120406/functions/mime.php
+===================================================================
+--- squirrelmail-1.4.23~svn20120406.orig/functions/mime.php
++++ squirrelmail-1.4.23~svn20120406/functions/mime.php
+@@ -1668,7 +1668,8 @@ function sq_fixatts($tagname,
+         /**
+          * Use white list based filtering on attributes which can contain url's
+          */
+-        else if ($attname == 'href' || $attname == 'src' || $attname == 'background') {
++        else if ($attname == 'href' || $attname == 'src' || $attname == 'background' || $attname == 'xlink:href' ||
++                $attname == 'action' || $attname == 'formaction' || $attname == 'to') {
+             sq_fix_url($attname, $attvalue, $message, $id, $mailbox);
+             $attary{$attname} = $attvalue;
+         }
+@@ -2311,7 +2312,11 @@ function magicHTML($body, $id, $message,
+             "frame",
+             "iframe",
+             "plaintext",
+-            "marquee"
++            "marquee",
++            "animate",
++            "form",
++            "math",
++            "param"
+             );
+ 
+     $rm_tags_with_content = Array(
+@@ -2321,7 +2326,8 @@ function magicHTML($body, $id, $message,
+             "title",
+             "frameset",
+             "xmp",
+-            "xml"
++            "xml",
++            "svg"
+             );
+ 
+     $self_closing_tags =  Array(
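Review bot: In the DEP-3 header of the new patch file, `Author:` names the uploader while `Origin:` points at a diff attached to the upstream bug thread; if the code change is that attachment, credit its author in `Author:` and give `Origin:` a category prefix (for example `Origin: other, <url>`). The `Description:` text also needs a pass: a space is missing after "(functions/mime.php),", the phrase "the function HTML can not filter" does not name either function the hunks touch (`sq_fixatts` and `magicHTML`), and two of its lines end in trailing whitespace. In the `sq_fixatts` hunk the URL check is now a seven-way `==` chain split over two lines; an `in_array($attname, array(...))` test would keep the URL-bearing attribute names in one place for the next addition. The `magicHTML` hunks extend two fixed tag lists, so it is worth stating in the description that the fix covers exactly the tags it names (`animate`, `form`, `math`, `param`, `svg`).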
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/series squirrelmail-1.4.23~svn20120406/debian/patches/series
--- squirrelmail-1.4.23~svn20120406/debian/patches/series	2018-04-07 15:24:43.000000000 +0200
+++ squirrelmail-1.4.23~svn20120406/debian/patches/series	2018-08-25 18:36:19.000000000 +0200
@@ -3,3 +3,4 @@
 php54_htmlspecialchars
 CVE-2017-7692.patch
 CVE-2018-8741.patch
+CVE-2018-14950-55.patch
