[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: FWD: Squirrelmail XSS + SQL security bug?



I must add the following comments:
- On May'04, I contacted Sam and some of the SquirrelMail developpers
regarding several security bugs in SquirrelMail (one of them being new
-present in all SM versions- and other being old *but present in Woody*
package). After exchanging various mails with both, I lost communication
with Sam (:-?). I also notified security@. As I told to Matt (privately) I
haven't seen any Debian security advisory from that. He pointed me to a
bug correction page but no public announce was made by means of Debian
Security Team. Which criteria does Debian have to publish security
advisories?
- Only SquirrelMail developpers fixed the bug and nobody from Debian
contacted me to ask for more info (if it was really needed) or tell me
that the bug was fixed/unresolved in Debian. No response in that sense
(Matt briefly answered some direct questions I did but no particular
response to my advisory or the bug itself was provided). As a courtesy,
when somebody reports a security bug, the minimun action to be taken is to
notify him/her of fixes. I haven't received any notification on this.
- Matt has said in this thread that he'd have fixed some bugs if SM would
have provided more precise info. Well, I do _not_ represent SM at all, but
I disclosed in a _detailed way_ several bugs:
[RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
- I must also say that Marc and SM devel. team 's response was
professional and efficient. They notified me when they fixed the bug and
they publicly gave me credit in SM's page. Nevertheless, I'm not quite
happy with Debian in that sense. I'm currently using patched SM 1.5.0 for
tarball since I discovered the bugs with international packages (yes, it
should be downloaded apart from the main.tgz and merge accordingly; this
is the reason why unstable .deb package was broken regarding
internalization).
- I have just performed a search and found:
http://packages.debian.org/changelogs/pool/main/s/squirrelmail/squirrelmail_1.4.3a-0.1/changelog
1.4.3a indeed fixes all security holes discovered, included the one I
reported. I didn't read it in the changelog: no security fixes info is
included here!! 1.5.0 from Unstable was vulnerable (yes, all Debian users
still using 1.5.0 .deb package ARE vulnerable). I think it should be noted
in the changelog so that users could evaluate the need to "upgrade" its
.deb package to 1.4.3a (IMHO, highly recommendable; 1.4.3a is stable and
secure).
- I don't know whether or not the old XSS bugs which I reported to affect
Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...

I don't want some kind of flame-war. Please, take this mail as a
constructive response.

Regards,
-Román


> On Mon, Jul 05, 2004 at 01:38:45PM -0700, Matt Zimmerman wrote:
>> On Mon, Jul 05, 2004 at 12:05:23PM -0700, adam-debian-security@gmi.com
>> wrote:
>>
>> > Long ago and far away, I sent this message to security@, and a small
>> > amount of conversation occured, but I never heard back from Sam
>> Johnston
>> > or Matt Zimmerman (the two parties present in the discussion in
>> addition
>> > to myself), and I've sent a total of two messages since then to no
>> avail.
>> > I'm guessing they are both quite busy and unable to get to it, so I
>> > thought I would ask here in case the discussion occured elsewhere and
>> I
>> > missed it.
>>
>> You did receive responses.  In fact, I have in front of me right now at
>> a
>> copy of a message from you where you quote _both_ my reply and Sam
>> Johnston's.  What would you hope to gain by misrepresenting the
>> situation?
>
> You're right; I apologize.  I had a serious brain misfire, I was worried
> about sending that without your permission, but instead I made it sound
> like I'd received no response.  I apologize a second time.  Furthermore, I
> should have been more clear about why I was concerned --- it looked to me
> that the initial discussion hadn't gotten to more than discussion.  And
> now it is fairly clear to me that there are (as I expected) other issues
> existing with regard to squirrelmail developers that I don't know.  I did,
> however, send followup messages on 3 June and 29 June to which I have not
> received a response, and that is why I contacted debian-security@.  That
> said, we have had intermittent power problems, so it is possible that the
> responses were never delivered, and therefore I will apologize in advance
> if that is the case.
>
> -----quote original discussion----
>
> Date: Wed, 26 May 2004 17:05:55 +1000
> From: Sam Johnston <samj@aos.net.au>
> To: Matt Zimmerman <mdz@debian.org>
> CC: Adam Morley <adam@gmi.com>
> Subject: Re: Squirrelmail XSS + SQL security bug?
>
> Matt Zimmerman wrote:
>
>>On Sat, May 22, 2004 at 08:13:48AM -0700, Adam Morley wrote:
>>
>>
>>
>>>I noticed recently that squirrelmail released a new version to fix a few
>>>bugs in its code base:
>>>
>>>http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
>>>http://www.securityfocus.com/bid/10246/
>>>
>>>But I haven't seen anything from Debian --- and I'm wondering where
>>>exactly I should ask the question, "Is Debian's squirrelmail vulnerable
>>> to
>>>this?"  I noticed a debian-security, but its listed as a "Developer"
>>>mailing list on lists.debian.org, and -user doesn't seem like a place I
>>>should go for security information (or is it?).
>>>
>>>I read the FAQ, but that wasn't helpful in this case (or maybe I'm
>>> missing
>>>something!) --- it strikes me that it was not immediately obvious to me,
>>> a
>>>new user of Debian, where to go to find out about a possible security
>>>problem, that may or may not affect Debian.  Am I to always assume the
>>>Security Team will never "miss" a security update?  Or is there a forum
>>>where this should be directed?
>>>
>>>
>>
>>In general, inquiries like this should go to the security team and the
>>package maintainer (CCed).
>>
>>At this time the best answer I have is that squirrelmail in stable
>> contains
>>at least some of the bugs, but more investigation is needed.
>>
>>Sam: can you assist with this?
>>
>>
> Yes. Thanks Adam.
>
> Courtesy Marc Groot Koercamp:
>
> Regarding 1.4.3 and the debian release policy, I do not understand how
> debian can think that 1.2.6 is stable and safe. There have been many
> security related fixes since the 1.2.6 release and we never explained in
> release notes what the specific fixes were. By stating that Debian
> backports security fixes to 1.2.6. I get curious how they do that. Do they
> follow every cvs commit? Did you know that working with a php version with
> register globals = off is seen as insecure? SquirrelMail 1.2.6 cannot work
> with the register globals = off setting. SquirrelMail 1.4.x and 1.2.8
> works with register globals - off.
>
> Don't get me wrong, I do understand that customers don't like to update
> packages every 3 month, but even Redhat ships newer SquirrelMail versions.
>
>
> What is your take on this?
>
> Sam
>
> --
> Sam Johnston, Director
> Australian Online Solutions
> 1300 132 809
>
> -----end quote------
>
> -----beging quote-------
> Date: Thu, 3 Jun 2004 23:54:32 -0700
>
> [snip]
>> What is your take on this?
>
> I wasn't sure if this was directed at me, but since I haven't heard
> anything
> I thought I'd chime in.  I know I need the newer squirrelmail and will
> probably stop using the Debian package for that reason, at least unless
> I hear otherwise at some point.  I find it rather disconcerting that the
> Squirrelmail team recommended a release candidate as "stable" software
> in order to fix the problem.  Granted, new stable is out, but. . .
>
> I constantly wish that patches for security fixes would be released on
> some sort of long-lived stable branch by open source projects, but I'm
> guessing that's too much work and not exciting.  I am amazed at how
> Debian does this, and sometimes wonder if something doesn't get missed,
> so I will follow this conversation quite closely.
>
> Thanks for maintaining such a easily maintained distro,
>
> --
> adam
>
> --------end quote-------
>
> --------begin quote-----
> Date: Tue, 29 Jun 2004 11:59:20 -0700
>
> [snip]
>> What is your take on this?
>
> Hi,
>
> I've heard nothing more on this --- is something still happening?  Or ?
>
>>
>> Sam
>>
>> --
>> Sam Johnston, Director
>> Australian Online Solutions
>> 1300 132 809
>>
>
> --
> adam
>
> --------end quote------
>
>>
>> > Effectively, I'm questioning the version of squirrelmail included with
>> > woody, as it is quite old, and theoretically contains vulnerabilities.
>>
>> Debian's stable release is quite old, and there is nothing that the
>> Security
>> Team can do about that.  Let's confine our discussion to
>> vulnerabilities.
>
> I am under the impression, since there has been no update to the Debian
> woody squirrelmail package since the 1.4.3 release of squirrelmail (which
> was released rather hurridly and in very shoddy form --- they issued a
> release candidate as a security fix!  exceedingly annoying!  and then the
> actual stable release was broken!), that the Debian woody version is
> vulnerable to the issues listed at:
>
> http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
>
> That is my primary concern.
>
>>
>> > I'd like to know whether it is indeed audited separate from the
>> current,
>> > "secure" version of squirrelmail, as I maintain the current version
>> > instead of the Debian version --- because the debian version
>> supposedly
>> > contains some of the security bugs.
>>
>> Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs
>> fixed
>> in the squirrelmail package in woody.  Let me assure you, it is no
>> pleasure
>> to support a project like squirrelmail, where new cross-site scripting
>> bugs
>> are discovered on a regular basis (the past three release announcements
>> mention XSS bugs), and at least one of the upstream developers (Marc
>> Groot
>> Koercamp) demonstrates outright hostility toward the Security Team's
>> efforts
>> to support squirrelmail for Debian users.
>
> This makes sense to me.  I'm actually rather impressed with how timely
> security updates for Debian are.
>
>>
>> It is very time-consuming work to assess these vulnerabilities and
>> backport
>> fixes for them.  When the upstream developers refuse to provide details
>> of
>> the vulnerabilities, and instead try to force a new upstream release on
>> us,
>> this creates _much_ more work for the security team, who are already
>> overloaded volunteers.  The fact that the squirrelmail 1.4.3 release
>> turned
>> out to have a critical bug which caused it to be recalled by the
>> developers
>> further emphasizes the problems with upstream's security procedures.
>
> Actually, the fix wasn't even the release version; it was a release
> candidate, which is even worse.  It made me want to stop using
> squirrelmail.
>
>>
>> If anyone can provide precise details of the vulnerabilities fixed in
>> 1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained
>> some
>> unknown number of security fixes to unknown parts of the code), or
>> convince
>> squirrelmail upstream to provide such details, then that would provide
>> some
>> hope for its support in Debian stable.
>
> I must ask the question: is there a method for removing security support
> and marking a package as so in the Debian project?  It sounds like, if the
> lead with Thijs Kinkhorst does not work out, there needs to be a way to
> mark packages (like squirrelmail) as known (or suspected) to be insecure,
> and unsupportable, as removing them from stable would require updating cd
> images, changing the distro, etc.  This is the only idea that I get off
> the top of my head.
>
> Again, Matt, sorry about the brain misfire, and I apologize again.  Thanks
> for all your hard work!
>
> --
> adam
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>




Reply to: