Bug 23366 - squirrelmail several new XSS security issues (CVE-2018-1495[0-5])
Summary: squirrelmail several new XSS security issues (CVE-2018-1495[0-5])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-29 19:36 CEST by David Walser
Modified: 2019-12-27 19:41 CET (History)
7 users (show)

See Also:
Source RPM: squirrelmail-1.4.23-0.svn20180505.1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-07-29 19:36:16 CEST
Hanno Böck has posted patches for XSS and PHP issues:
http://openwall.com/lists/oss-security/2018/07/26/2
David Walser 2018-07-29 19:36:39 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-31 15:18:48 CEST
You're the registered maintainer, David ;-)

CC: (none) => marja11
Assignee: bugsquad => luigiwalser

Comment 2 Marc Krämer 2018-07-31 16:21:39 CEST
@David: I've had a look into the fixes. Do you still use squirrelmail?
From my perspektive, I would say, we can apply these changes.
Comment 3 David Walser 2018-07-31 17:47:45 CEST
Hi Marc.  I don't think I've used it in 16 years.  You can apply the fixes if you don't mind.
Marc Krämer 2018-07-31 18:26:53 CEST

Assignee: luigiwalser => mageia

Comment 4 Marc Krämer 2018-07-31 18:31:07 CEST
Suggested advisory:
========================
Updated squirrelmail packages fix XSS-security vulnerability:
It was discovered that some special tags have not been filtered accordingly which can be used for an XSS-attack.

References:
https://sourceforge.net/p/squirrelmail/bugs/2831/
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-15.2.mga6
squirrelmail-poutils-1.4.22-15.2.mga6
squirrelmail-cyrus-1.4.22-15.2.mga6
squirrelmail-ar-1.4.22-15.2.mga6
squirrelmail-bg-1.4.22-15.2.mga6
squirrelmail-bn-india-1.4.22-15.2.mga6
squirrelmail-bn-bangladesh-1.4.22-15.2.mga6
squirrelmail-ca-1.4.22-15.2.mga6
squirrelmail-cs-1.4.22-15.2.mga6
squirrelmail-cy-1.4.22-15.2.mga6
squirrelmail-da-1.4.22-15.2.mga6
squirrelmail-de-1.4.22-15.2.mga6
squirrelmail-el-1.4.22-15.2.mga6
squirrelmail-es-1.4.22-15.2.mga6
squirrelmail-et-1.4.22-15.2.mga6
squirrelmail-eu-1.4.22-15.2.mga6
squirrelmail-fa-1.4.22-15.2.mga6
squirrelmail-fi-1.4.22-15.2.mga6
squirrelmail-fo-1.4.22-15.2.mga6
squirrelmail-fr-1.4.22-15.2.mga6
squirrelmail-fy-1.4.22-15.2.mga6
squirrelmail-he-1.4.22-15.2.mga6
squirrelmail-hr-1.4.22-15.2.mga6
squirrelmail-hu-1.4.22-15.2.mga6
squirrelmail-id-1.4.22-15.2.mga6
squirrelmail-is-1.4.22-15.2.mga6
squirrelmail-it-1.4.22-15.2.mga6
squirrelmail-ja-1.4.22-15.2.mga6
squirrelmail-ko-1.4.22-15.2.mga6
squirrelmail-lt-1.4.22-15.2.mga6
squirrelmail-ms-1.4.22-15.2.mga6
squirrelmail-nb-1.4.22-15.2.mga6
squirrelmail-nl-1.4.22-15.2.mga6
squirrelmail-nn-1.4.22-15.2.mga6
squirrelmail-pl-1.4.22-15.2.mga6
squirrelmail-pt-1.4.22-15.2.mga6
squirrelmail-ro-1.4.22-15.2.mga6
squirrelmail-ru-1.4.22-15.2.mga6
squirrelmail-sk-1.4.22-15.2.mga6
squirrelmail-sl-1.4.22-15.2.mga6
squirrelmail-sr-1.4.22-15.2.mga6
squirrelmail-sv-1.4.22-15.2.mga6
squirrelmail-tr-1.4.22-15.2.mga6
squirrelmail-ug-1.4.22-15.2.mga6
squirrelmail-uk-1.4.22-15.2.mga6
squirrelmail-vi-1.4.22-15.2.mga6
squirrelmail-zh_CN-1.4.22-15.2.mga6
squirrelmail-zh_TW-1.4.22-15.2.mga6
squirrelmail-ka-1.4.22-15.2.mga6
squirrelmail-km-1.4.22-15.2.mga6
squirrelmail-lv-1.4.22-15.2.mga6
squirrelmail-mk-1.4.22-15.2.mga6
squirrelmail-ta-1.4.22-15.2.mga6

Source RPMs: 
squirrelmail-1.4.22-15.2.mga6.src.rpm
Marc Krämer 2018-07-31 18:31:21 CEST

Assignee: mageia => qa-bugs

Thomas Backlund 2018-08-03 09:16:36 CEST

CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 5 Herman Viaene 2018-08-11 12:12:26 CEST
MGA6-32 MATE in Dutch on IBM Thinkpad R50e
At installation I expected that selecting squirrelmail this would draw in the nl language pack automatically as other packages do. I had to do it manually, but even then squirrelmail displays in pure English.
Googling learned me that I had to change the Display preferences in the squirrelmail "Options" page.
Followed Brian'lead in bug 22793 Comment 6.
Created an additional user squitest on the system, initiated the folders and files on this and my regular user as shown, and I have been able to send and reply mail between these two users.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => has_procedure

Comment 6 Brian Rockwell 2018-08-25 18:02:38 CEST
mga6-64 xfce in US English on VBOX

Installed as per instructions in  bug 22793 Comment 6.

created new user and Emailed back and forth in local host.

Working as far as I can tell.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => brtians1

Comment 7 Thomas Andrews 2018-08-28 14:49:04 CEST
With OKs in both arches, this looks good to go to me. Validating. Suggested advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2018-08-31 21:46:47 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-08-31 23:13:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0357.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2019-12-23 22:13:16 CET
These got CVE-2018-1495[0-5]:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/

Summary: squirrelmail several new XSS security issues => squirrelmail several new XSS security issues (CVE-2018-1495[0-5])

Comment 10 Marc Krämer 2019-12-27 13:57:59 CET
@David: there is only some development in svn, but no real releases! I suggest switching to an updated svn version (at least for mga7) and maybe drop this package for mga8.
Comment 11 David Walser 2019-12-27 15:09:18 CET
I think we already have the latest security fixes, but it would make sense to update to the same svn snapshot that Fedora did (in Cauldron).  I appreciate your help in maintaining this one.  Since we lost our roundcubemail maintainer, this has actually been our only maintained webmail package.
Comment 12 Marc Krämer 2019-12-27 19:22:24 CET
since roundcube is php too, I can maintain this. Squirrel is very simple. Roundcube is a more modern mail frontend.
Comment 13 David Walser 2019-12-27 19:41:31 CET
I know squirrelmail is not very active, but I guess enough people out there still care about it with these security issues getting fixed.  The only remaining concern is whether it continues to work with new versions of PHP.  I guess we'll see.

Note You need to log in before you can comment on or make changes to this bug.