Debian Bug report logs - #301561
RM: openwebmail -- RoQA; RC bugs, vulnerable code

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Sergio Rua <srua@debian.org>

Date: Sat, 26 Mar 2005 20:18:08 UTC

Severity: normal

Done: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#301561; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Sergio Rua <srua@debian.org>:
New Bug report received and forwarded. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sergio Rua <srua@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: O: openwebmail
Date: Sat, 26 Mar 2005 15:01:56 +0000
Package: wnpp
Severity: normal

I'm orphaning this package because I have no gpg key at present and I'm not
able to get a new one. I hope somebody else can take care of the package.


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-hanover
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)



Changed Bug title. Request was from Chris Sacca <csacca@thecsl.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#301561; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <beauxir5@cti.ecp.fr>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #12 received at 301561@bugs.debian.org (full text, mbox):

From: Romain Beauxis <beauxir5@cti.ecp.fr>
To: 301561@bugs.debian.org
Subject: New package ready!
Date: Fri, 22 Apr 2005 14:59:58 +0200
[Message part 1 (text/plain, inline)]
Hi!

I made a new package for openwebmail, using the last upstream source and 
trying to close all the bugs I could.

As it is a complex package, I think it should be reviewed and tested, but the 
main work is done, I hope!

The package can be found there:
deb-src http://www.cti.ecp.fr/~beauxir5/debian/ source/


Romain
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#301561; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #19 received at 301561@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Matej Vela <vela@debian.org>
Cc: debian-qa@lists.debian.org, 301561@bugs.debian.org
Subject: Re: Should we just remove openwebmail?
Date: Sun, 1 May 2005 21:10:54 +1000
retitle 301561 "RM: openwebmail -- RoQA; RC bugs, vulnerable code"
reassign 301561 ftp.debian.org
thanks

On Fri, Apr 29, 2005 at 12:07:06PM +0200, Matej Vela wrote:
> On Thu, Apr 28, 2005 at 11:20:22PM +1000, Andrew Pollock wrote:
> > openwebmail is orphaned, but has only been so for 32 days.
> > 
> > That said, it's got security issues, and hasn't been part of a stable
> > release.
> > 
> > So I'm personally inclined not to let it linger for a while on the grounds
> > that it's got security issues, and just get it the hell out of the archive.
> > It's not like Debian's short of webmail packages.
> > 
> > That said, a non-DD has prepared an updated package as of a week ago, but no
> > one has sponsored it yet.
> > 
> > Just wondering what people's thoughts are?
> 
> I took a look at the current upstream version (2.51).
> 
>  * cgi-bin/openwebmail/modules/tool.pl: Upstream no longer uses completely
>    predictable temporary filenames, but the race condition between checking
>    whether a file exists and actually opening it is still there.
> 
>  * cgi-bin/openwebmail/openwebmail-abook.pl: The user can execute arbitrary
>    commands by passing "file=; ... |" to addrviewatt().
> 
>  * cgi-bin/openwebmail/openwebmail-folder.pl: The user can execute arbitrary
>    commands by passing "folder=; ... |" to downloadfolder().
> 
>  * cgi-bin/openwebmail/openwebmail-webdisk.pl: If the user has FTP access
>    and uploads a file named "; ... |", editfile() and downloadfile() will
>    execute the command.
> 
>  * cgi-bin/openwebmail/openwebmail-webdisk.pl: The user can execute
>    arbitrary commands by uploading a URL in the form "http://foo/; ...".
> 
> I stopped looking at this point.  The code is rife with vulnerabilities, and
> needs to be audited line by line; I'm not sure this is likely anytime soon.
> I think we should remove it.  (It can always be added back if it's fixed.)
> 

That's good enough reason for me.

regards

Andrew
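The two injection classes Matej lists above (a CGI parameter ending in "|" reaching Perl's two-argument open(), and the check-then-open race in temporary file creation), shown side by side with their hardened forms as an added example. This is constructed demonstration code, not OpenWebMail's source: the subroutine names, the $spool directory and the "; echo injected |" parameter are hypothetical, and the vulnerable open() really does run the injected echo so the effect is visible.

```perl
#!/usr/bin/perl
# Added example, not OpenWebMail code. Names and paths are hypothetical.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

my $spool = "/var/spool/openwebmail-demo";   # hypothetical attachment dir

# Attacker-controlled value as it would arrive in a "file=" or "folder="
# parameter: the ';' terminates whatever command the path prefix became,
# the trailing '|' turns a two-argument open() into a pipe from the shell.
my $param = "; echo injected |";

# VULNERABLE: two-argument open() inspects the string for mode characters.
# "$spool/$name" ends in '|', so Perl runs it with /bin/sh -c and returns
# the command's stdout as the filehandle (the bogus path prefix only
# produces a "not found" message on stderr; the injected echo still runs).
sub read_attachment_vulnerable {
    my ($name) = @_;
    open(my $fh, "$spool/$name") or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# HARDENED: allow-list the name (first char alphanumeric, so '.' and '..'
# and hidden files are rejected too), build the path with File::Spec, and
# use three-argument open() so the mode is the literal '<' and the path is
# never parsed for '|', '>' or leading '-'.
sub read_attachment_hardened {
    my ($name) = @_;
    return undef unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
    my $path = File::Spec->catfile($spool, $name);
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# TOCTOU: testing -e and then open()ing leaves a window in which an attacker
# who can guess the name drops a symlink there; open() follows it.
sub make_tempfile_vulnerable {
    my ($path) = @_;
    return undef if -e $path;                  # check ...
    open(my $fh, '>', $path) or return undef;  # ... then use (follows symlinks)
    return $fh;
}

# HARDENED: O_CREAT|O_EXCL makes creation atomic; the call fails if anything,
# symlink included, already exists at $path. 0600 keeps other users out.
sub make_tempfile_hardened {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return undef;
    return $fh;
}

my $out = read_attachment_vulnerable($param);
print "vulnerable: ", (defined $out ? $out : "(nothing)\n");   # "injected"
print "hardened:   ",
      (defined read_attachment_hardened($param) ? "opened" : "rejected"), "\n";

# Second O_EXCL create of the same name is refused, which is the property
# the -e/open() sequence lacks.
my $tmp = "/tmp/owm-demo-$$-" . int(rand(1_000_000));
my $fh1 = make_tempfile_hardened($tmp);
my $fh2 = make_tempfile_hardened($tmp);
print "tempfile:   first=", (defined $fh1 ? "created" : "failed"),
      " second=", (defined $fh2 ? "created" : "refused"), "\n";
close $fh1 if $fh1;
unlink $tmp;
```

The same reasoning covers the webdisk case ("http://foo/; ..."): any user string that reaches a shell, whether through open(), backticks or a one-argument system(), must either be validated against an allow-list or passed in list form (system("cmd", $arg)) so no shell is involved at all.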



Changed Bug title. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `wnpp' to `ftp.debian.org'. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sergio Rua <srua@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 301561-close@bugs.debian.org (full text, mbox):

From: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>
To: 301561-close@bugs.debian.org
Subject: Bug#301561: fixed
Date: Tue, 03 May 2005 16:18:03 -0400
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

openwebmail |    2.41-10 | source, all

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 301561@bugs.debian.org.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Jeroen van Wolffelaar (the ftpmaster behind the curtain)





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:15:28 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.