A security issue in squirrelmail has been announced and assigned a CVE:
http://openwall.com/lists/oss-security/2018/03/17/3

There are two different proposed patches linked from this message:
http://openwall.com/lists/oss-security/2018/03/17/2

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
It seems you're the registered maintainer ;-)
Assignee: bugsquad => luigiwalser
CC: (none) => marja11
@David: should I do the patch? In my opinion this is not very critical, but it should be fixed, if the filename is user provided. As far as I can see only Deliver.php is affected. The fix is quite straightforward.
CC: (none) => mageia
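The weakness discussed above is a user-influenced attachment name being joined with the attachment directory. The following is an added illustration by the editor, not SquirrelMail's own code and not the upstream patch (the actual proposed patches are linked from the oss-security message); it contrasts the unchecked pattern with a hardened one. `$attachment_dir` stands in for the SquirrelMail configuration value of that name, `att_local_name` is the per-attachment local file name that SquirrelMail keeps in the compose session, and the function names, file names and temporary directory are constructed for the demo.

```php
<?php
// Editor's added example for CVE-2018-8741-style attachment path handling.
// Not SquirrelMail code and not the upstream fix. Assumed names:
// $attachment_dir (config value), att_local_name (session-held name),
// read_attachment_vulnerable()/read_attachment_safe() (hypothetical).

// Constructed attachment directory with one "uploaded" attachment and one
// symlink pointing outside the directory, to show that stripping "../" alone
// is not sufficient.
$attachment_dir = sys_get_temp_dir() . '/sq_attach_demo_' . getmypid();
mkdir($attachment_dir, 0700);
file_put_contents($attachment_dir . '/abc123.tmp', "attachment body\n");
symlink('/etc/passwd', $attachment_dir . '/link.tmp');

// Vulnerable pattern: the local name comes from the compose session, which a
// logged-in user can influence, and is joined with the directory unchecked.
function read_attachment_vulnerable(string $dir, string $att_local_name)
{
    return @file_get_contents($dir . '/' . $att_local_name);
}

// Hardened pattern: drop any directory component, reject empty names and
// dotfiles, resolve the result (this follows symlinks) and require the
// resolved path to still lie under the attachment directory.
function read_attachment_safe(string $dir, string $att_local_name)
{
    $name = basename($att_local_name);
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name);
    if ($base === false || $path === false) {
        return false;                        // missing file or bad directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;                        // escaped the directory
    }
    return file_get_contents($path);
}

// Constructed inputs: a legitimate name, a traversal, and a symlink escape.
$cases = [
    'abc123.tmp',
    '../../../../../../etc/passwd',
    'link.tmp',
];
foreach ($cases as $c) {
    $v = read_attachment_vulnerable($attachment_dir, $c);
    $s = read_attachment_safe($attachment_dir, $c);
    printf("%-32s vulnerable: %-7s hardened: %s\n", $c,
        $v === false ? 'denied' : 'READ',
        $s === false ? 'denied' : 'read');
}

// Cleanup of the constructed directory.
unlink($attachment_dir . '/link.tmp');
unlink($attachment_dir . '/abc123.tmp');
rmdir($attachment_dir);
```

Only the legitimate name is readable through the hardened function; the traversal is cut down to a non-existent `passwd` in the attachment directory, and the symlink is caught by the post-`realpath()` prefix check, which is the step a `basename()`-only fix would miss.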
Sure, go for it. Thanks!
Assignee: luigiwalser => mageia
Suggested advisory:
========================

Updated squirrelmail packages fix security vulnerabilities:

Filenames of attachment files are not sanitized, so attackers could read arbitrary files.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8741
http://openwall.com/lists/oss-security/2018/03/17/2
========================

Updated packages in core/updates_testing:
========================

Note, since the packages 5/6 are the same, it is sufficient to test one of them.

mga5:
squirrelmail-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-poutils-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cyrus-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ar-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bg-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bn-india-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-bn-bangladesh-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ca-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cs-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-cy-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-da-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-de-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-el-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-es-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-et-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-eu-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fa-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fi-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fo-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-fy-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-he-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-hr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-hu-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-id-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-is-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-it-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ja-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ko-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-lt-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ms-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nb-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-nn-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-pl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-pt-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ro-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ru-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sl-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-sv-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-tr-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ug-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-uk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-vi-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-zh_CN-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-zh_TW-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ka-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-km-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-lv-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-mk-1.4.22-12.3.mga5.noarch.rpm
squirrelmail-ta-1.4.22-12.3.mga5.noarch.rpm

mga6:
squirrelmail-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-poutils-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cyrus-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ar-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bg-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bn-india-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-bn-bangladesh-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ca-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cs-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-cy-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-da-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-de-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-el-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-es-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-et-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-eu-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fa-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fi-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fo-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-fy-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-he-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-hr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-hu-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-id-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-is-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-it-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ja-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ko-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-lt-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ms-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nb-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-nn-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-pl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-pt-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ro-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ru-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sl-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-sv-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-tr-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ug-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-uk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-vi-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-zh_CN-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-zh_TW-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ka-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-km-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-lv-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-mk-1.4.22-15.1.mga6.noarch.rpm
squirrelmail-ta-1.4.22-15.1.mga6.noarch.rpm

Source RPMs:
squirrelmail-1.4.22-12.3.mga5.src.rpm
squirrelmail-1.4.22-15.1.mga6.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => tmb
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Background.

http://squirrelmail.org/docs/admin/admin.html
http://squirrelmail.org/docs/user/user.html
have good documentation.

Note that this is an *IMAP* product. It is just an e-mail client, but I was unsure from the admin manual whether the mail server has to be on the same host or whether a remote one is possible; the previous test includes the former:
https://bugs.mageia.org/show_bug.cgi?id=20703#c5 has good instructions - thanks Dave.
mga6-64

$ uname -a
Linux localhost 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I followed Dave's instructions.

Installed dovecot. Getting imap working with dovecot ...

# urpmi dovecot
# systemctl start dovecot.service

As user brian:
$ mkdir mail
$ mkdir mail/.imap
$ mkdir mail/.imap/INBOX
$ touch mail/.imap/INBOX/dovecot.index
$ touch mail/.imap/INBOX/dovecot.index.cache
$ touch mail/.imap/INBOX/dovecot.index.log

As root:
# cd /home/brian/mail/.imap/INBOX/
# chgrp mail *

Here is where I deviated. I created another user on the system named b2, because I have no imagination, and set up the user directories for b2 as shown above.

Installed the squirrelmail modules, then rebooted the VM.

I log in to squirrelmail from a browser: 127.0.0.1/squirrelmail
------------
Use your b2 linux user-id and password to log in.
Send an Email to your regular user-id.
------------
Log in: http://127.0.0.1/squirrelmail/src/login.php
Use your regular user-id and password.
------------
If it works like mine - you now have an Email in your inbox.

Works as designed.
CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 35 packages are going to be installed:

- apache-2.4.10-16.7.mga5.x86_64
- apache-mod_php-5.6.34-1.mga5.x86_64
- dovecot-2.2.13-5.6.mga5.x86_64
- lib64c-client0-2007f-6.mga5.x86_64
- lib64php5_common5-5.6.34-1.mga5.x86_64
- lib64postfix1-2.10.3-5.mga5.x86_64
- php-cli-5.6.34-1.mga5.x86_64
- php-ctype-5.6.34-1.mga5.x86_64
- php-dom-5.6.34-1.mga5.x86_64
- php-filter-5.6.34-1.mga5.x86_64
- php-ftp-5.6.34-1.mga5.x86_64
- php-gettext-5.6.34-1.mga5.x86_64
- php-hash-5.6.34-1.mga5.x86_64
- php-imap-5.6.34-1.mga5.x86_64
- php-ini-5.6.34-1.mga5.x86_64
- php-json-5.6.34-1.mga5.x86_64
- php-ldap-5.6.34-1.mga5.x86_64
- php-openssl-5.6.34-1.mga5.x86_64
- php-pear-1.9.5-8.mga5.noarch
- php-pear-DB-1.8.2-1.mga5.noarch
- php-posix-5.6.34-1.mga5.x86_64
- php-session-5.6.34-1.mga5.x86_64
- php-suhosin-0.9.37.1-1.mga5.x86_64
- php-sysvsem-5.6.34-1.mga5.x86_64
- php-sysvshm-5.6.34-1.mga5.x86_64
- php-timezonedb-2016.6-1.mga5.x86_64
- php-tokenizer-5.6.34-1.mga5.x86_64
- php-xml-5.6.34-1.mga5.x86_64
- php-xmlreader-5.6.34-1.mga5.x86_64
- php-xmlwriter-5.6.34-1.mga5.x86_64
- php-zlib-5.6.34-1.mga5.x86_64
- poppassd-ceti-1.8.5-9.mga5.x86_64
- postfix-2.10.3-5.mga5.x86_64
- squirrelmail-1.4.22-12.3.mga5.noarch
- webserver-base-2.0-8.mga5.x86_64

38MB of additional disk space will be used.
9.3MB of packages will be retrieved.
Is it ok to continue?

I also installed the poutils and cyrus. Followed routine listed above.

Working as designed.
Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok mga5-64-ok
Beat me to it, well done Brian. Validating. CVE added to advisory and uploaded.
Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0188.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED