Bug 20703

Summary: squirrelmail new security issue CVE-2017-7692
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, sysadmin-bugs, zombie_ryushu
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: squirrelmail-1.4.22-12.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-04-19 16:25:28 CEST 
A security issue in squirrelmail has been announced today (April 19):
http://openwall.com/lists/oss-security/2017/04/19/6

The patch is included in that message and has been added in Mageia 5 and Cauldron SVN (and pushed in Cauldron).

Giuseppe, do the other patches you added in Cauldron also need to be added to the Mageia 5 package?  If so, please add them.
Comment 1 David Walser 2017-04-20 03:45:35 CEST 
Apparently CVE-2017-5181 was also assigned for this vulnerability:
http://openwall.com/lists/oss-security/2017/04/19/7
Comment 2 Nicolas Lécureuil 2017-04-21 22:35:25 CEST 
Synched with cauldron.

src.rpm: squirrelmail-1.4.22-12.2.mga5

Assignee: ghibomgx => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2017-04-22 16:52:28 CEST 
Advisory:
========================

Updated squirrelmail packages fix security vulnerability:

Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code
execution vulnerability because it fails to sanitize a string before passing it
to a popen call. It's possible to exploit this vulnerability to execute
arbitrary shell commands on the remote server (CVE-2017-7692).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692
http://openwall.com/lists/oss-security/2017/04/19/6
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-12.2.mga5
squirrelmail-poutils-1.4.22-12.2.mga5
squirrelmail-cyrus-1.4.22-12.2.mga5
squirrelmail-ar-1.4.22-12.2.mga5
squirrelmail-bg-1.4.22-12.2.mga5
squirrelmail-bn-india-1.4.22-12.2.mga5
squirrelmail-bn-bangladesh-1.4.22-12.2.mga5
squirrelmail-ca-1.4.22-12.2.mga5
squirrelmail-cs-1.4.22-12.2.mga5
squirrelmail-cy-1.4.22-12.2.mga5
squirrelmail-da-1.4.22-12.2.mga5
squirrelmail-de-1.4.22-12.2.mga5
squirrelmail-el-1.4.22-12.2.mga5
squirrelmail-es-1.4.22-12.2.mga5
squirrelmail-et-1.4.22-12.2.mga5
squirrelmail-eu-1.4.22-12.2.mga5
squirrelmail-fa-1.4.22-12.2.mga5
squirrelmail-fi-1.4.22-12.2.mga5
squirrelmail-fo-1.4.22-12.2.mga5
squirrelmail-fr-1.4.22-12.2.mga5
squirrelmail-fy-1.4.22-12.2.mga5
squirrelmail-he-1.4.22-12.2.mga5
squirrelmail-hr-1.4.22-12.2.mga5
squirrelmail-hu-1.4.22-12.2.mga5
squirrelmail-id-1.4.22-12.2.mga5
squirrelmail-is-1.4.22-12.2.mga5
squirrelmail-it-1.4.22-12.2.mga5
squirrelmail-ja-1.4.22-12.2.mga5
squirrelmail-ko-1.4.22-12.2.mga5
squirrelmail-lt-1.4.22-12.2.mga5
squirrelmail-ms-1.4.22-12.2.mga5
squirrelmail-nb-1.4.22-12.2.mga5
squirrelmail-nl-1.4.22-12.2.mga5
squirrelmail-nn-1.4.22-12.2.mga5
squirrelmail-pl-1.4.22-12.2.mga5
squirrelmail-pt-1.4.22-12.2.mga5
squirrelmail-ro-1.4.22-12.2.mga5
squirrelmail-ru-1.4.22-12.2.mga5
squirrelmail-sk-1.4.22-12.2.mga5
squirrelmail-sl-1.4.22-12.2.mga5
squirrelmail-sr-1.4.22-12.2.mga5
squirrelmail-sv-1.4.22-12.2.mga5
squirrelmail-tr-1.4.22-12.2.mga5
squirrelmail-ug-1.4.22-12.2.mga5
squirrelmail-uk-1.4.22-12.2.mga5
squirrelmail-vi-1.4.22-12.2.mga5
squirrelmail-zh_CN-1.4.22-12.2.mga5
squirrelmail-zh_TW-1.4.22-12.2.mga5
squirrelmail-ka-1.4.22-12.2.mga5
squirrelmail-km-1.4.22-12.2.mga5
squirrelmail-lv-1.4.22-12.2.mga5
squirrelmail-mk-1.4.22-12.2.mga5
squirrelmail-ta-1.4.22-12.2.mga5

from squirrelmail-1.4.22-12.2.mga5.src.rpm
Dave Hodgins 2017-04-24 01:39:00 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Herman Viaene 2017-04-26 20:11:43 CEST 
MGA5-64 on Lenovo B50 KDE
No installation issues.
I can call squirrelmail-conf as root, but setting up is something for someone with experience with mail systems.

CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2017-05-01 06:27:07 CEST 
Testing on Mageia 5 i586

Getting imap working with dovecot ...
# urpmi dovecot
# systemctl start dovecot.service

As user dave
$ mkdir mail
$ mkdir mail/.imap
$ mkdir mail/.imap/INBOX
$ touch mail/.imap/INBOX/dovecot.index
$ touch mail/.imap/INBOX/dovecot.index.cache
$ touch mail/.imap/INBOX/dovecot.index.log

As root
# cd cd /home/dave/mail/.imap/INBOX/
# chgrp mail *

Then send a mail to dave from root.

# urpmi squirrelmail
# systemctl restart httpd.service

login at https://i5v.hodgins.homeip.net/squirrelmail/src/login.php
Confirm messages can be read and sent.

Install the update, which gets the message ...
      1/1: squirrelmail          warning: /etc/squirrelmail/plugins/avelsieve_config.php created as /etc/squirrelmail/plugins/avelsieve_config.php.rpmnew
#####################################################################################################
Merging changes between "/etc/squirrelmail/plugins/avelsieve_config.php" and "/etc/squirrelmail/plugins/avelsieve_config.php.rpmnew"...failed - orphaned options detected.

# systemctl restart httpd.service

Confirm squirrrelmail still working.

Whiteboard: advisory => advisory MGA5-32-OK

Comment 6 Dave Hodgins 2017-05-01 06:38:16 CEST 
Same testing on Mageia 5 x86_64 ok. Validating the update.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-05-01 21:48:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0121.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2017-05-15 04:06:40 CEST 
*** Bug 20854 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu