
squirrelmail patch ready for upload?



I sent this to the security team to see if we could coordinate a release
of squirrelmail between wheezy and jessie. Unfortunately, we weren't
able to complete the process before my vacation, so I throw this patch
back in the pool.

Hopefully someone here can pick this up! :) Please do coordinate with
the security team as the code is the same in jessie and wheezy...

A.

-- 
Growth for the sake of growth is the ideology of the cancer cell.
                        - Edward Abbey

--- Begin Message ---
Hi,

I worked on the squirrelmail RCE in CVE-2017-7692. It affects only
sendmail, but still seems like something that could impact other MTAs
and should be fixed. I haven't investigated exim in detail, but it
could be exploitable there as well.

The patch is trivial and backports easily to the Debian packages.

I have a package smoke-tested (it installs and I can send mail with it,
didn't test the exploit tho) ready to upload to LTS - should I wait for
the secteam to do a coordinated release in jessie?

I can also just upload to jessie if you give me the go.

Let me know,

A.

diff -Nru squirrelmail-1.4.23~svn20120406/debian/changelog squirrelmail-1.4.23~svn20120406/debian/changelog
--- squirrelmail-1.4.23~svn20120406/debian/changelog	2012-12-20 14:45:19.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/changelog	2017-04-22 16:33:55.000000000 -0400
@@ -1,3 +1,11 @@
+squirrelmail (2:1.4.23~svn20120406-2+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2017-7692: post-authentication remote code execution via a
+    sendmail.cf file
+
+ -- Antoine Beaupré <anarcat@debian.org>  Sat, 22 Apr 2017 16:33:55 -0400
+
 squirrelmail (2:1.4.23~svn20120406-2) unstable; urgency=medium
 
   * Add patch from upstream to cope with changed behaviour of
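Review bot: The new changelog entry does not name the file it adds, so a reader of the changelog alone cannot tell where the fix lives. Consider extending the CVE-2017-7692 bullet to mention debian/patches/CVE-2017-7692.patch and that it changes class/deliver/Deliver_SendMail.class.php. Since the covering mail says the code is the same in jessie and wheezy, the same wording can be reused for the jessie upload.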
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch
--- squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch	1969-12-31 19:00:00.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/patches/CVE-2017-7692.patch	2017-04-22 16:33:55.000000000 -0400
@@ -0,0 +1,16 @@
+Origin: http://www.openwall.com/lists/oss-security/2017/04/19/6
+
+--- a/class/deliver/Deliver_SendMail.class.php
++++ b/class/deliver/Deliver_SendMail.class.php
+@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
+         $envelopefrom = trim($from->mailbox.'@'.$from->host);
+         $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
+         // save executed command for future reference
+-        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
++        $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
+         // open process handle for writing
+-        $stream = popen(escapeshellcmd($this->sendmail_command), "w");
++        $stream = popen($this->sendmail_command, "w");
+         return $stream;
+     }
+ 
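Review bot: On the rewritten $this->sendmail_command line, the protection now rests entirely on escapeshellarg($envelopefrom), because the str_replace() call just above it still strips only "\0" and "\n" and leaves any other whitespace in the value. The quoting looks correct, since the escaped value stays attached to -f as a single argument and popen() no longer re-escapes the whole string, but the covering mail says only a smoke test was done, so a regression check with whitespace in the envelope sender is worth running before upload. The patch header also carries only an Origin: line; a short Description: naming CVE-2017-7692 would help whoever picks this up.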
diff -Nru squirrelmail-1.4.23~svn20120406/debian/patches/series squirrelmail-1.4.23~svn20120406/debian/patches/series
--- squirrelmail-1.4.23~svn20120406/debian/patches/series	2012-12-20 14:56:44.000000000 -0500
+++ squirrelmail-1.4.23~svn20120406/debian/patches/series	2017-04-22 16:23:50.000000000 -0400
@@ -1,3 +1,4 @@
 debian-specifics
 php54_session_unregister
 php54_htmlspecialchars
+CVE-2017-7692.patch

--- End Message ---
