| Summary: | squirrelmail new security issue CVE-2018-8741 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, mageia, marja11, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO mga6-64-ok mga5-64-ok | ||
| Source RPM: | squirrelmail-1.4.22-15.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-03-17 17:50:40 CET
David Walser
2018-03-17 17:50:46 CET
Whiteboard: (none) => MGA6TOO

It seems you're the registered maintainer ;-)
Assignee: bugsquad => luigiwalser

@David: should I do the patch? In my opinion this is not very critical, but it should be fixed if the filename is user provided. As far as I can see only Deliver.php is affected. The fix is quite straightforward.
CC: (none) => mageia

Sure, go for it. Thanks!
Marc Krämer
2018-03-24 15:51:14 CET
Assignee: luigiwalser => mageia

Suggested advisory:
========================

Updated squirrelmail packages fix security vulnerabilities:

Filenames of attachment files are not sanitized, so attackers could read arbitrary files.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8741
http://openwall.com/lists/oss-security/2018/03/17/2
========================

Updated packages in core/updates_testing:
========================
Note: since the 5/6 packages are the same, it is sufficient to test one of them.

mga5:
squirrelmail-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-poutils-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cyrus-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ar-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bg-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bn-india-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bn-bangladesh-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ca-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cs-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cy-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-da-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-de-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-el-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-es-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-et-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-eu-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fa-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fi-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fo-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fy-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-he-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-hr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-hu-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-id-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-is-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-it-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ja-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ko-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-lt-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ms-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nb-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nn-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-pl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-pt-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ro-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ru-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sv-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-tr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ug-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-uk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-vi-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-zh_CN-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-zh_TW-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ka-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-km-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-lv-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-mk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ta-1.4.22-12.3.mga5.noarch.rpm

mga6:
squirrelmail-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-poutils-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cyrus-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ar-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bg-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bn-india-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bn-bangladesh-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ca-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cs-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cy-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-da-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-de-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-el-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-es-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-et-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-eu-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fa-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fi-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fo-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fy-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-he-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-hr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-hu-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-id-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-is-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-it-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ja-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ko-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-lt-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ms-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nb-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nn-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-pl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-pt-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ro-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ru-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sv-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-tr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ug-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-uk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-vi-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-zh_CN-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-zh_TW-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ka-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-km-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-lv-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-mk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ta-1.4.22-15.1.mga6.noarch.rpm

Source RPMs:
squirrelmail-1.4.22-12.3.mga5.src.rpm
squirrelmail-1.4.22-15.1.mga6.src.rpm
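The class of bug the advisory describes, an attachment filename that comes from the user and is joined onto the attachment directory with no containment check, shown next to the shape of fix Marc refers to for Deliver.php, as an added example. This is not SquirrelMail's code and not the actual patch: the two function names, the temporary directory and the attachment token `att_7c2f1a` are made up here, and the allowed-character rule is an assumption about how a webmail names the attachment files it stores itself.

```php
<?php
// Added example, not SquirrelMail code: the vulnerable pattern from the advisory
// (user-supplied attachment filename joined onto the attachment directory) next to
// a hardened resolver. Function names, the temp layout and the attachment token
// are hypothetical; the character whitelist is an assumption about the store.
declare(strict_types=1);

// Vulnerable pattern: nothing stops "../../etc/passwd" from leaving $attachmentDir,
// so whatever this path points at is what gets read and attached to the mail.
function unsafe_attachment_path(string $attachmentDir, string $userName): string
{
    return rtrim($attachmentDir, '/') . '/' . $userName;
}

// Hardened resolver: returns the canonical path of an existing attachment inside
// $attachmentDir, or null when the name is malformed or the file resolves elsewhere.
function safe_attachment_path(string $attachmentDir, string $userName): ?string
{
    // A bare file name only: no separators, no NUL, not "." or "..". The whitelist
    // assumes the application generates opaque tokens for its own attachment files.
    if ($userName === '.' || $userName === '..'
        || !preg_match('/\A[A-Za-z0-9._-]+\z/', $userName)) {
        return null;
    }

    $base = realpath($attachmentDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // realpath() follows symlinks and returns false for a missing file, so a link
    // planted inside the directory but pointing outside fails the prefix test below.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Demonstration on a constructed attachment directory (created here, not on the page).
$dir = sys_get_temp_dir() . '/sm_attach_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/att_7c2f1a', "attachment body\n");

$names = [
    'att_7c2f1a',                 // legitimate stored attachment: accepted
    '../../../etc/passwd',        // classic traversal: rejected
    'att_7c2f1a/../../etc/hosts', // traversal hidden behind a valid prefix: rejected
    "att\0.txt",                  // NUL byte: rejected
    'missing',                    // well-formed but absent: rejected (nothing to read)
];
foreach ($names as $n) {
    printf("%-32s unsafe: %s\n%-32s safe:   %s\n",
        json_encode($n), unsafe_attachment_path($dir, $n),
        '', safe_attachment_path($dir, $n) ?? 'REJECTED');
}

unlink($dir . '/att_7c2f1a');
rmdir($dir);
```

Run it with `php example.php`; only the first name yields a path from the hardened resolver, every other one comes back `REJECTED` while the vulnerable join happily produces a path outside the directory. The whitelist does the real work; the `realpath()` prefix comparison is the backstop for cases the whitelist cannot see, such as a symlink already present in the directory.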
Marc Krämer
2018-03-25 14:03:54 CEST
Assignee: mageia => qa-bugs
Thomas Backlund
2018-03-25 22:36:12 CEST
CC: (none) => tmb

Background.
http://squirrelmail.org/docs/admin/admin.html
http://squirrelmail.org/docs/user/user.html
These have good documentation. Note that this is an *IMAP* product. It is just an e-mail client, but I was unsure from the admin manual whether the mail server has to be on the same host, or whether remote is possible; the previous test includes the former:
https://bugs.mageia.org/show_bug.cgi?id=20703#c5 has good instructions - thanks Dave.

mga6-64

$ uname -a
Linux localhost 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I followed Dave's instructions. Installed dovecot.

Getting imap working with dovecot ...

# urpmi dovecot
# systemctl start dovecot.service

As user brian
$ mkdir mail
$ mkdir mail/.imap
$ mkdir mail/.imap/INBOX
$ touch mail/.imap/INBOX/dovecot.index
$ touch mail/.imap/INBOX/dovecot.index.cache
$ touch mail/.imap/INBOX/dovecot.index.log

As root
# cd /home/brian/mail/.imap/INBOX/
# chgrp mail *

Here is where I deviated. I created another user on the system named b2, because I have no imagination, and set up the user directories for b2 as shown above.

Installed the squirrelmail modules, then rebooted the VM.

I log in to squirrelmail from a browser: 127.0.0.1/squirrelmail
------------
Use your b2 linux user-id and password to log in.
Send an Email to your regular user-id.
------------
Log in: http://127.0.0.1/squirrelmail/src/login.php
Use your regular user-id and password.
------------
If it works like mine - you now have an Email in your inbox.

Works as designed.
CC: (none) => brtians1
Brian Rockwell
2018-03-30 00:11:55 CEST
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok

$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 35 packages are going to be installed:
- apache-2.4.10-16.7.mga5.x86_64
- apache-mod_php-5.6.34-1.mga5.x86_64
- dovecot-2.2.13-5.6.mga5.x86_64
- lib64c-client0-2007f-6.mga5.x86_64
- lib64php5_common5-5.6.34-1.mga5.x86_64
- lib64postfix1-2.10.3-5.mga5.x86_64
- php-cli-5.6.34-1.mga5.x86_64
- php-ctype-5.6.34-1.mga5.x86_64
- php-dom-5.6.34-1.mga5.x86_64
- php-filter-5.6.34-1.mga5.x86_64
- php-ftp-5.6.34-1.mga5.x86_64
- php-gettext-5.6.34-1.mga5.x86_64
- php-hash-5.6.34-1.mga5.x86_64
- php-imap-5.6.34-1.mga5.x86_64
- php-ini-5.6.34-1.mga5.x86_64
- php-json-5.6.34-1.mga5.x86_64
- php-ldap-5.6.34-1.mga5.x86_64
- php-openssl-5.6.34-1.mga5.x86_64
- php-pear-1.9.5-8.mga5.noarch
- php-pear-DB-1.8.2-1.mga5.noarch
- php-posix-5.6.34-1.mga5.x86_64
- php-session-5.6.34-1.mga5.x86_64
- php-suhosin-0.9.37.1-1.mga5.x86_64
- php-sysvsem-5.6.34-1.mga5.x86_64
- php-sysvshm-5.6.34-1.mga5.x86_64
- php-timezonedb-2016.6-1.mga5.x86_64
- php-tokenizer-5.6.34-1.mga5.x86_64
- php-xml-5.6.34-1.mga5.x86_64
- php-xmlreader-5.6.34-1.mga5.x86_64
- php-xmlwriter-5.6.34-1.mga5.x86_64
- php-zlib-5.6.34-1.mga5.x86_64
- poppassd-ceti-1.8.5-9.mga5.x86_64
- postfix-2.10.3-5.mga5.x86_64
- squirrelmail-1.4.22-12.3.mga5.noarch
- webserver-base-2.0-8.mga5.x86_64
38MB of additional disk space will be used.
9.3MB of packages will be retrieved.
Is it ok to continue?

I also installed the poutils and cyrus.

Followed the routine listed above. Working as designed.
Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok mga5-64-ok

Beat me to it, well done Brian. Validating. CVE added to advisory and uploaded.
Keywords: (none) => advisory, has_procedure, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0188.html
Status: NEW => RESOLVED