--- Begin Message ---
Hi,
I worked on the squirrelmail RCE in CVE-2017-7692. It affects only
sendmail, but still seems like something that could impact other MTAs
and should be fixed. I haven't investigated exim in detail, but it
could be exploitable there as well.
The patch is trivial and backports easily to the Debian packages.
I have a package smoke-tested (it installs and I can send mail with it,
didn't test the exploit tho) ready to upload to LTS - should I wait for
the secteam to do a coordinated release in jessie?
I can also just upload to jessie if you give me the go.
Let me know,
A.
diff -Nru squirrelmail-1.4.23~svn20120406/debian/changelog squirrelmail-1.4.23~svn20120406/debian/changelog
--- squirrelmail-1.4.23~svn20120406/debian/changelog 2012-12-20 14:45:19.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/changelog 2017-04-22 16:33:55.000000000 -0400
@@ -1,3 +1,11 @@
+squirrelmail (2:1.4.23~svn20120406-2+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2017-7692: post-authentication remote code execution via a
+ sendmail.cf file
+
+ -- Antoine Beaupré <anarcat@debian.org> Sat, 22 Apr 2017 16:33:55 -0400
+
squirrelmail (2:1.4.23~svn20120406-2) unstable; urgency=medium
* Add patch from upstream to cope with changed behaviour of
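Review bot: the new changelog entry names the CVE but not the change that fixes it. I would add the patch name (debian/patches/CVE-2017-7692.patch) and say that the fix quotes the envelope sender passed to sendmail in class/deliver/Deliver_SendMail.class.php, so someone reading only the changelog can tell which delivery path was touched and where the fix came from.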
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch
--- squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch 1969-12-31 19:00:00.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch 2017-04-22 16:33:55.000000000 -0400
@@ -0,0 +1,16 @@
+Origin: http://www.openwall.com/lists/oss-security/2017/04/19/6
+
+--- a/class/deliver/Deliver_SendMail.class.php
++++ b/class/deliver/Deliver_SendMail.class.php
+@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
+ $envelopefrom = trim($from->mailbox.'@'.$from->host);
+ $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
+ // save executed command for future reference
+- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
++ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
+ // open process handle for writing
+- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
++ $stream = popen($this->sendmail_command, "w");
+ return $stream;
+ }
+
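Review bot: after this change $this->sendmail_command holds the already escaped and quoted string, while the comment above it still says it is saved "for future reference", so any other code that reads that property and passes it through escapeshellcmd() again, or displays it, should be checked before upload. The split itself looks right: escapeshellcmd() on "$sendmail_path $this->sendmail_args -f" only neutralises shell metacharacters and does not stop whitespace from starting a new argument, which is why $envelopefrom needs escapeshellarg() to stay a single word attached to -f (the str_replace above strips only "\0" and "\n"). Separately, the patch file carries only an Origin: line; a short Description: and the CVE id in the header would make it easier to track in debian/patches.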
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/series squirrelmail-1.4.23~svn20120406/debian/patches/series
--- squirrelmail-1.4.23~svn20120406/debian/patches/series 2012-12-20 14:56:44.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/patches/series 2017-04-22 16:23:50.000000000 -0400
@@ -1,3 +1,4 @@
debian-specifics
php54_session_unregister
php54_htmlspecialchars
+CVE-2017-7692.patch
--- End Message ---