upload squirrelmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
I've prepared security update for squirrelmail. Please review and
upload. Debdiff is attached. I've tested new build against given
POC[1]. I am not sure about lintian warning (which was already there)
/license-problem-non-free-RFC/.
Thanks
Abhijith PA
[1 - https://sourceforge.net/p/squirrelmail/bugs/2831/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAluIAEAACgkQhj1N8u2c
KO9/Mg/6A7P/CiHscu8RVyvTM5Xh6SwXXZY6dFVkXvWEhh7hD4/KYyfE+QrTpiDU
jA6usWx+eyV68ydHP6HsHvxCjBpEQ9cMYv4zQppNBTD32IV93SNZXJvMHgrR2QnZ
mGopyNAb4596eJzOMQGr/xy+quTEr9DG34ZKBTKMcR0W6ermcnRle3MWf9fFtW8r
HKGv9c4X/PxNLRrVgbA4LeTxgqObtzXhFJsfwtqjhLUGw6i7MusgzeJDlSR6JQfs
g/zHfnRASVk1qdxb5gpbgN5bG6c16dmOQ7DgHKIhCa8fqY3wDMyY/PWQq9WAXhte
7AbebJBHGR3zgGHZYeEQ2ObSEVtTH8bJjSkzxa+AdJtwnEEaDh1VxFwKJztt8Lh1
AntcNltGh8+nk4vxKlPfd+N+i74I8/S8UOJaXYL02fYVJovL7g2A98+InFfeZHqh
BkrgQ8dabZtVP4HXuwktgOlKhKIzTtsZqEWqoyQUXLQ7YzfXsUE6h4S87TvByyDD
bqxvtusGlr7b+0MNNj/6qNb3aVTafd9XxGITI1tUl/uMLRWwsvMauPdX4yNEAw4n
rcaivZsUChqXf1LiSpi0LcUireriTu5aj6oC2IbZSuE4AnDY2lLmT0lbRhgS7Jp9
59c3ZmaDky6Ryr1+Q3uroSOveNRcA1p0tUJd0BzHnWB0biuMiTA=
=KZP2
-----END PGP SIGNATURE-----
diff -Nru squirrelmail-1.4.23~svn20120406/debian/changelog squirrelmail-1.4.23~svn20120406/debian/changelog
--- squirrelmail-1.4.23~svn20120406/debian/changelog 2018-04-07 15:24:43.000000000 +0200
+++ squirrelmail-1.4.23~svn20120406/debian/changelog 2018-08-25 18:36:19.000000000 +0200
@@ -1,3 +1,12 @@
+squirrelmail (2:1.4.23~svn20120406-2+deb8u3) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix for several XSS vulnerabilities CVE-2018-14950 CVE-2018-14951
+ CVE-2018-14952 CVE-2018-14953 CVE-2018-14954 CVE-2018-14955
+ (Closes: #905023)
+
+ -- Abhijith PA <abhijith@disroot.org> Sat, 25 Aug 2018 22:06:19 +0530
+
squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch
--- squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch 1970-01-01 01:00:00.000000000 +0100
+++ squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2018-14950-55.patch 2018-08-25 18:36:19.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Fix for various XSS
+ Multiple XSS vulnerabilities in the mail message display page
+ (functions/mime.php),the function HTML can not filter some special tags. This
+ patch Completely remove inline svg content, animate, form, math, param tags and
+ filter URL with xlink:href, action, formaction, to.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/e2d32eb3/72f1/attachment/squirrelmail-fix-xss-sf-bug-2831.diff
+Bug: https://sourceforge.net/p/squirrelmail/bugs/2831/
+Bug-Debian: https://bugs.debian.org/905023
+Last-Update: 2018-08-25
+
+Index: squirrelmail-1.4.23~svn20120406/functions/mime.php
+===================================================================
+--- squirrelmail-1.4.23~svn20120406.orig/functions/mime.php
++++ squirrelmail-1.4.23~svn20120406/functions/mime.php
+@@ -1668,7 +1668,8 @@ function sq_fixatts($tagname,
+ /**
+ * Use white list based filtering on attributes which can contain url's
+ */
+- else if ($attname == 'href' || $attname == 'src' || $attname == 'background') {
++ else if ($attname == 'href' || $attname == 'src' || $attname == 'background' || $attname == 'xlink:href' ||
++ $attname == 'action' || $attname == 'formaction' || $attname == 'to') {
+ sq_fix_url($attname, $attvalue, $message, $id, $mailbox);
+ $attary{$attname} = $attvalue;
+ }
+@@ -2311,7 +2312,11 @@ function magicHTML($body, $id, $message,
+ "frame",
+ "iframe",
+ "plaintext",
+- "marquee"
++ "marquee",
++ "animate",
++ "form",
++ "math",
++ "param"
+ );
+
+ $rm_tags_with_content = Array(
+@@ -2321,7 +2326,8 @@ function magicHTML($body, $id, $message,
+ "title",
+ "frameset",
+ "xmp",
+- "xml"
++ "xml",
++ "svg"
+ );
+
+ $self_closing_tags = Array(
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/series squirrelmail-1.4.23~svn20120406/debian/patches/series
--- squirrelmail-1.4.23~svn20120406/debian/patches/series 2018-04-07 15:24:43.000000000 +0200
+++ squirrelmail-1.4.23~svn20120406/debian/patches/series 2018-08-25 18:36:19.000000000 +0200
@@ -3,3 +3,4 @@
php54_htmlspecialchars
CVE-2017-7692.patch
CVE-2018-8741.patch
+CVE-2018-14950-55.patch
Reply to: