Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2005-0104: missing squirrelmail fixes... | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2005-0104: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2004-0519:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 97882 | ||
| Attachments: | missed-xss-fixes.tar.bz2, compose-1.319.2.25.diff | ||
Due to http://www.squirrelmail.org/security/issue/2005-01-14 we are not affected:
Affected Versions: 1.4.3-RC1 - 1.4.4-RC1
We only ship 1.4.2 and 1.4.1 ;) adjusting header.

christoph has spotted some other missing issues. http://www.squirrelmail.org/security/issue/2004-05-01 is still open

This is probably fixed (sm143a-xss.diff), I'm waiting for confirmation from the authors.

The sm143a-xss.diff fixes CAN-2004-1036 and squirrelmail-1.4.2-secfix3.diff fixes CAN-2004-0520. I am still investigating the CAN-2004-0519.

Created attachment 42578
missed-xss-fixes.tar.bz2
I have found quite a few missed xss fixes in the cvs logs that fix the
CAN-2004-0519 and other issues (the authors are unable to track down the
resolution for the CAN-2004-0519). Two of the fixes are actually reverted
(making even current squirrelmail-1.4.5 vulnerable?), the mailbox_display.php
and compose.php, could you please provide a working fix?

Created attachment 42693
compose-1.319.2.25.diff
I missed the patch that backs out the change to compose.php

Marian, the security team is confused... Can you please specify:
- Are our update packages in a mess and missing patches or having incorrect ones?
- Is the upstream package in a mess?
Please enlighten us.

Upstream contains many xss fixes that we don't include yet, according to squirrelmail developers they fix CAN-2004-0519 plus some reports without a CAN number. The patches are in the first attachment (the tarball misses one patch, so the patch is in the second attachment, and contains one redundant that we already have (the webmail-1.92.2.8.diff is CAN-2005-0104)). Two of the fixes that we are missing (compose-1.319.2.24.diff and mailbox_display-1.321.2.19.diff) are backed out in the upstream as they mess the things up. So I think there are two semi-public xss bugs in the squirrelmail without an upstream fix available. The best way to handle this is IMHO to release the available fixes now, and then fix the remaining two bugs, in coordination with the developers.

If the missing ones are needed and only got lost by accident then let's just include them. I guess upstream will just reintroduce them in their cvs, right? That way we should get away with one update. If it turns out wrong we'd need a second one which we would need to do anyways.

They are intentionally reverted or commented, they fix the vulnerability, but the squirrelmail doesn't work then (too much encoding I guess).

I have resolved issues with all missing patches except the two, now waiting for input from the developers.

As I got no response from the developers yet, I asked a friend that is a php expert to look into this, and in his opinion one of the reverted fixes (compose.php) is fixed by a later patch, and the second (mailbox_display.php) has never been and is not an xss bug. I'm going to retest and submit the packages.

fixes submitted

SM-Tracker-2056

updates released, thanks!

CVE-2005-0104: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

This fix seems to be missing from our squirrelmail package. Marian, can you check and confirm please?
- Security: Added hook for Preferences Backend to resolve potential insecure file inclusions. [CAN-2005-0075]