
Re: FWD: Squirrelmail XSS + SQL security bug?

On Tue, Jul 06, 2004 at 10:48:46AM +0200, Román Medina wrote:
> I must add the following comments:

> - On May'04, I contacted Sam and some of the SquirrelMail developers
> regarding several security bugs in SquirrelMail (one of them being new
> -present in all SM versions- and other being old *but present in Woody*
> package). After exchanging various mails with both, I lost communication
> with Sam (:-?). I also notified security@. As I told Matt (privately) I
> haven't seen any Debian security advisory from that. He pointed me to a
> bug correction page but no public announce was made by means of Debian
> Security Team. Which criteria does Debian have to publish security
> advisories?

Sam, could you please forward your incoming mail about security issues to
someone who has more time to look into it?

> - Only SquirrelMail developers fixed the bug and nobody from Debian
> contacted me to ask for more info (if it was really needed) or tell me
> that the bug was fixed/unresolved in Debian. No response in that sense
> (Matt briefly answered some direct questions I asked but no particular
> response to my advisory or the bug itself was provided). As a courtesy,
> when somebody reports a security bug, the minimum action to be taken is to
> notify him/her of fixes. I haven't received any notification on this.

> - Matt has said in this thread that he'd have fixed some bugs if SM would
> have provided more precise info. Well, I do _not_ represent SM at all, but
> I disclosed in a _detailed way_ several bugs:
> [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

This wasn't reported in the Debian BTS.

> - I must also say that Marc and SM devel. team's response was
> professional and efficient. They notified me when they fixed the bug and
> they publicly gave me credit in SM's page. Nevertheless, I'm not quite
> happy with Debian in that sense. I'm currently using patched SM 1.5.0 from
> tarball since I discovered the bugs with international packages (yes, it
> should be downloaded apart from the main .tgz and merged accordingly; this
> is the reason why the unstable .deb package was broken regarding
> internationalization).

True, a reported and meanwhile fixed bug.

> - I have just performed a search and found:
> http://packages.debian.org/changelogs/pool/main/s/squirrelmail/squirrelmail_1.4.3a-0.1/changelog
> 1.4.3a indeed fixes all security holes discovered, including the one I
> reported. I didn't read it in the changelog: no security fixes info is
> included here!! 1.5.0 from Unstable was vulnerable (yes, all Debian users
> still using the 1.5.0 .deb package ARE vulnerable). I think it should be noted
> in the changelog so that users could evaluate the need to "upgrade" their
> .deb package to 1.4.3a (IMHO, highly recommendable; 1.4.3a is stable and
> secure).

I (the person uploading that version) was not aware of this, partly
because you didn't file a bug in the BTS about this. Note however that
the upstream changelog does mention:

  - Fixed XSS vulnerability in content-type display in the attachment
    area of read_body.php discovered by Roman Medina.

Since I didn't realize these issues might still also be in the 1.5.0
package, I didn't separately mention that in the Debian changelog, nor
set urgency to high (and make more haste with the upload...)

> - I don't know whether or not the old XSS bugs which I reported to affect
> Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...

Thanks for the direct pointer, I assume you did contact
team@security.debian.org about this?

Also, statements like this won't help you very much if you want a
serious response:

| Please, learn the lesson and repeat with me: "Debian stable software
| is not always as secure as we usually thought". Oddly enough, Debian
| unstable was free of these bugs :-)

But Debian unstable keeps getting lots of other bugs, so is often no
alternative :)

If Debian isn't notified of security bugs, they can't fix them. Weird
that you here claim unstable was free of these bugs, while above you
claim Debian unstable _had_ these bugs at the time of your advisory. So,
which one of the two is it? Or are there more issues involved than the
ones detailed in RS-2004-1?

> I don't want some kind of flame-war. Please, take this mail as a
> constructive response.

My constructive tips in return are:
- once security bugs are made public, file them in the Debian BTS with
  tag security and (if only in woody) tag woody, and severity serious
  (for RS-2004-1, I'll do so myself in a minute)
- Draw Debian QA's attention via debian-qa@lists.debian.org (public
  mailinglist) to it if it doesn't seem to get fixed in a timely manner
  or there is no maintainer response at all, and/or the security team's
  attention if this vulnerability is still unfixed in woody
- If they are not yet public, contact the Debian security team with
  precise references and possibly patches/fixes
- Since I'm a PHP developer and use squirrelmail too, you might also in
  this case try to mail me these specific details if you believe
  squirrelmail in woody is still vulnerable to some issues.
- Refrain from flamebait if you're not interested in a flame-war ;-)

Hope this helps,

Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
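The upstream changelog line quoted above describes an XSS in the way read_body.php displayed an attachment's Content-Type. The following PHP is an added illustration of that class of bug and its fix; it is not SquirrelMail's code and not code from anyone in this thread. The function names, the token check and the sample MIME parts are all constructed for the example.

```php
<?php
// Added example (not SquirrelMail code): a MIME Content-Type and filename
// come from the message sender, so they must be treated as untrusted input
// when an attachment list is rendered as HTML.
declare(strict_types=1);

// Unsafe pattern: header values interpolated straight into markup.
// Whatever the sender put in the header reaches the browser as HTML.
function render_attachment_row_unsafe(string $filename, string $contentType): string
{
    return "<tr><td>$filename</td><td>$contentType</td></tr>\n";
}

// Output escaping: every header-derived value is HTML-escaped at the point
// where it is written into the page. ENT_QUOTES covers attribute contexts too.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth: a media type is "type/subtype" built from RFC 2045 token
// characters; anything else is not a valid Content-Type and is replaced by a
// neutral default before display. (Parameters such as charset are dropped here
// for brevity; a full parser would validate them separately.)
function sanitize_media_type(string $contentType): string
{
    $mediaType = trim(explode(';', $contentType, 2)[0]);
    $token = '[A-Za-z0-9!#$&^_.+-]+';
    if (preg_match("#^$token/$token$#", $mediaType) !== 1) {
        return 'application/octet-stream';
    }
    return strtolower($mediaType);
}

// Hardened pattern: validate, then escape on output.
function render_attachment_row_safe(string $filename, string $contentType): string
{
    return '<tr><td>' . esc($filename) . '</td><td>'
        . esc(sanitize_media_type($contentType)) . "</td></tr>\n";
}

// Constructed sample parts: the second one carries markup in its Content-Type,
// which is exactly the kind of value the unsafe renderer would echo verbatim.
$parts = [
    ['filename' => 'report.pdf', 'type' => 'application/pdf'],
    ['filename' => 'notes.txt',  'type' => 'text/plain<b>not a media type</b>'],
];

echo "-- unsafe rendering --\n";
foreach ($parts as $p) {
    echo render_attachment_row_unsafe($p['filename'], $p['type']);
}

echo "-- hardened rendering --\n";
foreach ($parts as $p) {
    echo render_attachment_row_safe($p['filename'], $p['type']);
}
```

In the unsafe output the `<b>` tag survives and is interpreted by the browser; in the hardened output the invalid Content-Type is replaced by `application/octet-stream`, and even a value that passed validation would only ever appear as escaped text. Escaping at the output point is the fix that matters; the token check just reduces how much garbage reaches that point.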
