| Summary: | mhonarc before 2.6.19 vulnerable to PHP code injection | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Rémi Verschelde <rverschelde> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | advisory MGA5-64-OK | ||
| Source RPM: | mhonarc-2.6.18-6.mga5 | CVE: | |
| Status comment: | |||
Description
Rémi Verschelde
2017-05-09 08:20:14 CEST
Fixed in Cauldron, mhonarc-2.6.19-1.mga5 pushed to core/updates_testing.

Thanks to Frédéric Buclin for noticing this vulnerability.

Advisory:
=========

Updated mhonarc package fixes security vulnerability

MHonArc before 2.6.19 is vulnerable to PHP code injection via commentized subjects. This update fixes it.

References:
- https://www.mhonarc.org/MHonArc/CHANGES

RPMs in core/updates_testing:
=============================
mhonarc-2.6.19-1.mga5

SRPMs in core/updates_testing:
==============================
mhonarc-2.6.19-1.mga5

Assignee: bugsquad => qa-bugs

Decreasing severity as upstream only recommends upgrading *asap* to 2.6.18 (which we have), and treats 2.6.19 as a less urgent bugfix: https://www.mhonarc.org/

Testing: mhonarc's only reverse dependency is sympa, so testing sympa's archives should be sufficient. The update candidate is deployed on our infra, so if our archives on ml.mageia.org still work, that might be enough testing to validate.

Severity: critical => major

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Trying to set up sympa on this old slow machine is too much.
Tried access to ml.mageia.org, I can login there, but when I click e.g. "Quality Assurance" I get "50 Gateway Timeout".

CC: (none) => herman.viaene

> Tried access to ml.mageia.org, I can login there, but when I click e.g. "Quality
> Assurance" I get "50 Gateway Timeout".

Indeed, ml.mageia.org has been having some troubles for a couple of weeks. It's not related to this mhonarc update, but it doesn't help validate it :)

The ML website is kind of working now, and I could confirm that the archives work as expected: https://ml.mageia.org/l/arc/dev/
Dave Hodgins
2017-05-11 20:52:55 CEST
Whiteboard: (none) => advisory

Before testing 64-bit, some background.

"MHonArc provides HTML mail archiving with index, mail thread linking, etc;"

"MHonArc supports MH mail folders and UUCP/Unix mailbox files, so the term "mail folder" represents the MH mail folder or mailbox file to process."

That 'MH' matters. From the earlier test, it includes Opera mail; Claws also.

https://www.mhonarc.org/MHonArc/doc/mhonarc.html is a handy reference index page.

"MHonArc creates the following files after processing the mail folders:

maillist.html: The main index file containing links to all mail messages converted. Messages are listed with subjects and who the messages are from. All messages are listed by the date.

threads.html: The file listing messages by threads.

msg*.html: HTML versions of the mail messages, where * represents a message number from 0 to the number of message processed minus 1.

.mhonarc.db (or mhonarc.db under Windows): This database file contains archive information and resource settings for MHonArc to perform further updates.

Other: If messages contain attachments, other files may be created for images, videos, binaries, etc.

By default, all files created are put into the current working directory. You can control the location of archive files by using the -outdir option."

$ mhonarc -help
shows good info. But not man mhonarc.

https://bugs.mageia.org/show_bug.cgi?id=3997 is where it was tested before - stand-alone.

Current (pre-update) release is 2.6.18-6.

CC: (none) => lewyssmith

Testing M5x64

BEFORE the update

Installed just mhonarc version above. To play with it directly, you need to specify the right path parameter for the mailbox messages. I think the number of trailing /*s should reflect the level of nesting in the mailbox. Thanks Dave for this invaluable pointer: https://bugs.mageia.org/show_bug.cgi?id=3997#c3

It produces at least one output file per message (msg + attachments), rather than a concatenated archive. So be ready for hundreds or thousands of files in the output directory, as per Comment 6.

Tried first with Opera, which stores messages in a date hierarchy per account:-
$ mhonarc -output tmp/mh .opera/mail/store/account1/*/*/*/*
All those /*s were necessary! Lots of Perl errors, it ends:
Writing tmp/mh/maillist.html ...
Writing tmp/mh/threads.html ...
Writing database ...
2683 new messages
2683 total messages
but the result pages:
tmp/mh/maillist.html
tmp/mh/threads.html
looked correct in a browser, and when followed. Cleared the output directory:
$ rm -f tmp/mh/*

Then with Claws-mail, whose message organisation is per defined directory:-
$ mhonarc -outdir tmp/mh /mnt/common/mail/*
Perhaps it needed a 2nd /* as I have that level of nesting; I did not check those sub-directories' content. Again lots of Perl errors, but the results were similar to above, and looked correct. Cleared the output directory.
$ rm -f tmp/mh/*

AFTER update to: mhonarc-2.6.19-1.mga5

Opera:
$ mhonarc -outdir tmp/mh ~/.opera/mail/store/account1/*/*/*/*
The result pages & messages in tmp/mh/ looked good, cleared it.

Claws-mail:
$ mhonarc -outdir tmp/mh /mnt/common/mail/*
The result pages & messages in tmp/mh/ looked good, cleared it.

In both tests, there were no Perl errors; so that is an improvement. Giving this the OK.

@Herman: do you want to have another go with a local mailbox? Use a special output directory to facilitate clearing it. It is really easy once you get the mailbox parameter right.

Whiteboard: advisory => advisory MGA5-64-OK

AFAICS claws-mail is an e-mail client, so I set it up to connect to my gmail account. Made sure there are 5 mails in the inbox and then at the CLI:
$ mhonarc -outdir tmp/mh .claws-mail/*
This is MHonArc v2.6.19, Perl 5.020001 linux
Converting messages to tmp/mh
Reading .claws-mail/accountrc .
Warning: Could not parse date for message
Message-Id: <f8ebbea3e29702b9486a6708c2ac9cc6@NO-ID-FOUND.mhonarc.org>
Date:
and 9 more like these, then:
Reading .claws-mail/messagesearch_history
Reading .claws-mail/mimetmp
Reading .claws-mail/newscache
Reading .claws-mail/quicksearch_history
Reading .claws-mail/summarysearch_adv_history
Reading .claws-mail/summary_searchbody_history
Reading .claws-mail/summarysearch_from_history
Reading .claws-mail/summarysearch_subject_history
Reading .claws-mail/summarysearch_to_history
Reading .claws-mail/tagsdb
Reading .claws-mail/tagsrc .
Warning: Could not parse date for message
Message-Id: <393ea2153743b4c03b6484472e8b5739@NO-ID-FOUND.mhonarc.org>
Date:
Reading .claws-mail/tempfolder
Reading .claws-mail/tmp
Reading .claws-mail/toolbar_main.xml .
Warning: Could not parse date for message
Message-Id: <9ad78fd2ca1d044df31fae85c55f4640@NO-ID-FOUND.mhonarc.org>
Date:
Reading .claws-mail/uidl
Writing mail ............
Writing tmp/mh/maillist.html ...
Writing tmp/mh/threads.html ...
Writing database ...
12 new messages
12 total messages
But the files created do not show or refer to the messages, but the setup and log of the operations.
Note: /mnt/common/mail/ does not exist here.
It has been tested successfully on our ml.mageia.org over the last 10 days, so it's good to validate.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0141.html

Resolution: (none) => FIXED