As mentioned in the CHANGELOG of mhonarc [0], version 2.6.19 fixes:
"commentized subjects allow PHP code injection".

This vulnerability somehow stayed under our radar. Its only reverse dependency is sympa, which we use for our mailing lists, which were therefore vulnerable up to now (at the time of this writing mhonarc-2.6.19-1.mga5 is installed on our infra, fixing this issue).

[0] https://www.mhonarc.org/MHonArc/CHANGES
Fixed in Cauldron, mhonarc-2.6.19-1.mga5 pushed to core/updates_testing.

Thanks to Frédéric Buclin for noticing this vulnerability.

Advisory:
=========

Updated mhonarc package fixes security vulnerability

MHonArc before 2.6.19 is vulnerable to PHP code injection via commentized subjects. This update fixes it.

References:
 - https://www.mhonarc.org/MHonArc/CHANGES

RPMs in core/updates_testing:
=============================
mhonarc-2.6.19-1.mga5

SRPMs in core/updates_testing:
==============================
mhonarc-2.6.19-1.mga5
Assignee: bugsquad => qa-bugs
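A defensive check for archives generated before this update, as an added example that is not part of the original bug report or of MHonArc: it scans msg*.html pages for a PHP opening tag inside a commentized header field. The `<!--X-Name: value -->` comment layout, the function names and the sample pages are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Assumption: commentized header fields are stored in msg*.html as
# single-line HTML comments of the form <!--X-Name: value -->.
COMMENT_RE = re.compile(r"<!--X-([A-Za-z0-9-]+):(.*?)-->")
# "<?php", "<?=" or a bare short tag "<? "; "<?xml" is not matched.
PHP_OPEN_RE = re.compile(r"<\?(php|=|\s|$)", re.IGNORECASE)


def scan_archive(outdir):
    """Return (file name, field, value) for every commentized field in
    msg*.html under outdir whose value contains a PHP opening tag."""
    hits = []
    for page in sorted(Path(outdir).glob("msg*.html")):
        text = page.read_text(encoding="utf-8", errors="replace")
        for field, value in COMMENT_RE.findall(text):
            if PHP_OPEN_RE.search(value):
                hits.append((page.name, field, value.strip()))
    return hits


def build_sample_archive(outdir):
    """Write two constructed message pages: one clean, one suspicious."""
    clean = ("<!--X-Subject: Weekly QA meeting -->\n"
             "<html><body>ok</body></html>\n")
    flagged = ("<!--X-Subject: hello <?php /* constructed marker */ ?> -->\n"
               "<html><body>ok</body></html>\n")
    Path(outdir, "msg00000.html").write_text(clean, encoding="utf-8")
    Path(outdir, "msg00001.html").write_text(flagged, encoding="utf-8")


def demo():
    """Scan a temporary directory holding the constructed sample pages."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_archive(tmp)
        return scan_archive(tmp)


if __name__ == "__main__":
    for name, field, value in demo():
        print(f"{name}: X-{field} contains a PHP opening tag: {value!r}")
```

To check a real archive, call `scan_archive()` on the directory that was passed to mhonarc as `-outdir`.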
Decreasing severity as upstream only recommends to upgrade *asap* to 2.6.18 (which we have), and treats 2.6.19 as a less urgent bugfix: https://www.mhonarc.org/

Testing: mhonarc's only reverse dependency is sympa, so testing sympa's archives should be sufficient. The update candidate is deployed on our infra, so if our archives on ml.mageia.org still work, that might be enough testing to validate.
Severity: critical => major
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Trying to set up sympa on this old slow machine is too much.
Tried access to ml.mageia.org, I can log in there, but when I click e.g. "Quality Assurance" I get "50 Gateway Timeout".
CC: (none) => herman.viaene
> Tried access to ml.mageia.org , I can login there, but when I click e.g."Quality
> Assurance" I get "50 Gateway Timeout".

Indeed, ml.mageia.org has been having some trouble for a couple of weeks. It's not related to this mhonarc update, but it doesn't help validate it :)
The ML website is kind of working now, and I could confirm that the archives work as expected: https://ml.mageia.org/l/arc/dev/
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Before testing 64-bit, some background.

"MHonArc provides HTML mail archiving with index, mail thread linking, etc;"

"MHonArc supports MH mail folders and UUCP/Unix mailbox files, so the term "mail folder" represents the MH mail folder or mailbox file to process."

That 'MH' matters. From the earlier test, it includes Opera mail; Claws also.

https://www.mhonarc.org/MHonArc/doc/mhonarc.html is a handy reference index page.

"MHonArc creates the following files after processing the mail folders:
 maillist.html: The main index file containing links to all mail messages converted. Messages are listed with subjects and who the messages are from. All messages are listed by the date.
 threads.html: The file listing messages by threads.
 msg*.html: HTML versions of the mail messages, where * represents a message number from 0 to the number of message processed minus 1.
 .mhonarc.db (or mhonarc.db under Windows): This database file contains archive information and resource settings for MHonArc to perform further updates.
 Other: If messages contain attachments, other files may be created for images, videos, binaries, etc.
By default, all files created are put into the current working directory. You can control the location of archive files by using the -outdir option."

 $ mhonarc -help
shows good info. But not man mhonarc.

https://bugs.mageia.org/show_bug.cgi?id=3997 is where it was tested before - stand-alone.

Current (pre-update) release is 2.6.18-6.
CC: (none) => lewyssmith
Testing M5x64

BEFORE the update
Installed just mhonarc version above. To play with it directly, you need to specify the right path parameter for the mailbox messages. I think the number of trailing /*s should reflect the level of nesting in the mailbox. Thanks Dave for this invaluable pointer:
 https://bugs.mageia.org/show_bug.cgi?id=3997#c3
It produces at least one output file per message (msg + attachments), rather than a concatenated archive. So be ready for hundreds or thousands of files in the output directory, as per Comment 6.

Tried first with Opera, which stores messages in a date hierarchy per account:-
 $ mhonarc -output tmp/mh .opera/mail/store/account1/*/*/*/*
All those /*s were necessary! Lots of Perl errors, it ends:
 Writing tmp/mh/maillist.html ...
 Writing tmp/mh/threads.html ...
 Writing database ...
 2683 new messages
 2683 total messages
but the result pages:
 tmp/mh/maillist.html
 tmp/mh/threads.html
looked correct in a browser, and when followed. Cleared the output directory:
 $ rm -f tmp/mh/*

Then with Claws-mail, whose message organisation is per defined directory:-
 $ mhonarc -outdir tmp/mh /mnt/common/mail/*
Perhaps it needed a 2nd /* as I have that level of nesting; I did not check those sub-directories' content. Again lots of Perl errors, but the results were similar to above, and looked correct. Cleared the output directory.
 $ rm -f tmp/mh/*

AFTER update to: mhonarc-2.6.19-1.mga5

Opera:
 $ mhonarc -outdir tmp/mh ~/.opera/mail/store/account1/*/*/*/*
The result pages & messages in tmp/mh/ looked good, cleared it:

Claws-mail:
 $ mhonarc -outdir tmp/mh /mnt/common/mail/*
The result pages & messages in tmp/mh/ looked good, cleared it:

In both tests, there were no Perl errors; so that is an improvement. Giving this the OK.

@Herman: do you want to have another go with a local mailbox? Use a special output directory to facilitate clearing it. It is really easy once you get the mailbox parameter right.
Whiteboard: advisory => advisory MGA5-64-OK
AFAICS claws-mail is an e-mail client, so I set it up to connect to my gmail account. Made sure there are 5 mails in the inbox and then at the CLI:
 $ mhonarc -outdir tmp/mh .claws-mail/*
 This is MHonArc v2.6.19, Perl 5.020001 linux
 Converting messages to tmp/mh
 Reading .claws-mail/accountrc .
 Warning: Could not parse date for message
 Message-Id: <f8ebbea3e29702b9486a6708c2ac9cc6@NO-ID-FOUND.mhonarc.org>
 Date:
and 9 more like these, then:
 Reading .claws-mail/messagesearch_history
 Reading .claws-mail/mimetmp
 Reading .claws-mail/newscache
 Reading .claws-mail/quicksearch_history
 Reading .claws-mail/summarysearch_adv_history
 Reading .claws-mail/summary_searchbody_history
 Reading .claws-mail/summarysearch_from_history
 Reading .claws-mail/summarysearch_subject_history
 Reading .claws-mail/summarysearch_to_history
 Reading .claws-mail/tagsdb
 Reading .claws-mail/tagsrc .
 Warning: Could not parse date for message
 Message-Id: <393ea2153743b4c03b6484472e8b5739@NO-ID-FOUND.mhonarc.org>
 Date:
 Reading .claws-mail/tempfolder
 Reading .claws-mail/tmp
 Reading .claws-mail/toolbar_main.xml .
 Warning: Could not parse date for message
 Message-Id: <9ad78fd2ca1d044df31fae85c55f4640@NO-ID-FOUND.mhonarc.org>
 Date:
 Reading .claws-mail/uidl
 Writing mail ............
 Writing tmp/mh/maillist.html ...
 Writing tmp/mh/threads.html ...
 Writing database ...
 12 new messages
 12 total messages
But the files created do not show or refer to the messages, but the setup and log of the operations.

Note: /mnt/common/mail/ does not exist here.
It has been tested successfully on our ml.mageia.org over the last 10 days, so it's good to validate.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0141.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED