Debian Bug report logs - #317094
SquirrelMail $_POST variable handling vulnerability [CAN-2005-2095]


Package: squirrelmail; Maintainer for squirrelmail is Jeroen van Wolffelaar <jeroen@wolffelaar.nl>; Source for squirrelmail is src:squirrelmail.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 6 Jul 2005 08:18:01 UTC

Severity: grave

Tags: etch, fixed-upstream, sarge, security, sid

Found in versions 1.4.4-6, 2:1.4.4-5

Fixed in version squirrelmail/2:1.4.4-6

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317094; Package squirrelmail.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: submit@bugs.debian.org
Subject: SquirrelMail $_POST variable handling vulnerability [CAN-2005-2095]
Date: Wed, 06 Jul 2005 10:11:20 +0200
Package: squirrelmail
Version: 1.4.4-6
Severity: grave
Tags: security fixed-upstream sarge etch sid

[I've submitted this a couple of days ago but it never arrived in the
BTS for some reason]


A vulnerability has been discovered in the handling of the $_POST
variable in a specific part of SquirrelMail. This potentially allows for
setting other people's preferences and possibly reading them, writing
files at any location writable for www-data and cross site scripting.

Upstream is preparing a new release that addresses this issue, which is
known as CAN-2005-2095.

A patch from upstream has been applied and is awaiting review by Jeroen
and the security team. Possibly the patch has to be changed to
accommodate Debian specific needs (in terms of the number of changes).


Thijs
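As an added illustration of the bug class the report describes (this is hypothetical code written for this page, not SquirrelMail's own handler or the upstream patch), the snippet below shows a preferences handler that calls extract() on $_POST beside a hardened version. The function names, the $username and $data_dir variables and the request fields are all assumptions; they only serve to show why extract() on request data lets a client overwrite variables the script already trusts.

```php
<?php
// Hypothetical handler (not from SquirrelMail): the script has already
// established a trusted $username and $data_dir before it reads the form.

// Vulnerable pattern: extract() copies every submitted key into the local
// scope, so a form field named "username" or "data_dir" silently replaces
// the trusted values. The file path below is then attacker-influenced,
// which matches the impacts listed in the report (other users' prefs,
// writes anywhere www-data may write).
function save_prefs_vulnerable(array $post, string $username, string $data_dir): array
{
    extract($post);                                   // overwrites $username / $data_dir
    $file = $data_dir . '/' . $username . '.pref';
    return ['file' => $file, 'prefs' => $new_prefs ?? []];
}

// Hardened form: read only the fields this handler expects, validate the
// trusted values you depend on, and never let request data shadow them.
function save_prefs_fixed(array $post, string $username, string $data_dir): array
{
    $allowed = ['new_prefs'];                          // explicit allow-list of form fields
    $input   = array_intersect_key($post, array_flip($allowed));

    // Keep the file name inside the data directory: no separators, no "..".
    if (!preg_match('/^[A-Za-z0-9._@-]+$/', $username) || str_contains($username, '..')) {
        throw new InvalidArgumentException('unexpected username');
    }
    $file  = $data_dir . '/' . $username . '.pref';
    $prefs = is_array($input['new_prefs'] ?? null) ? $input['new_prefs'] : [];
    return ['file' => $file, 'prefs' => $prefs];
}

// Constructed request (not a real capture): the client adds keys that the
// handler never intended to accept from the form.
$post = [
    'username'  => 'someone_else',
    'data_dir'  => '/var/www/html',
    'new_prefs' => ['theme' => 'dark'],
];

print_r(save_prefs_vulnerable($post, 'alice', '/var/lib/squirrelmail/data'));
// -> file is /var/www/html/someone_else.pref: both trusted values replaced

print_r(save_prefs_fixed($post, 'alice', '/var/lib/squirrelmail/data'));
// -> file is /var/lib/squirrelmail/data/alice.pref: extra keys ignored
```

Two caveats for reviewers auditing similar code: extract() accepts an EXTR_SKIP flag that refuses to overwrite variables already defined in scope, which blunts this specific overwrite but still imports every other submitted key, so an explicit allow-list is the safer fix; and extract($_POST) or extract($_GET) reintroduces exactly the behaviour that turning register_globals off was meant to remove, so it is worth grepping for across a PHP code base regardless of the ini setting.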

Tags added: pending. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.

Message sent on to Thijs Kinkhorst <kink@squirrelmail.org>:
Bug#317094.

Message #10 received at 317094-submitter@bugs.debian.org:

From: "www.wolffelaar.nl" <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 317094-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r161
Date: Sat, 09 Jul 2005 11:59:16 +0200
# Fixed in r161 by jeroen
tag 317094 + pending
thanks

These bugs are fixed in revision 161 by jeroen
and will likely get fixed in the next upload.
Log message:
* Work around arbitrary variable injection via extract() [CAN-2005-2095]
  (Closes: #317094)

Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Bug acknowledged by developer.

Message #15 received at 317094-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 317094-close@bugs.debian.org
Subject: Bug#317094: fixed in squirrelmail 2:1.4.4-6
Date: Wed, 13 Jul 2005 13:32:43 -0400
Source: squirrelmail
Source-Version: 2:1.4.4-6

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-6.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.diff.gz
squirrelmail_1.4.4-6.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.dsc
squirrelmail_1.4.4-6_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 317094@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 09 Jul 2005 11:57:20 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-6
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 314374 317094
Changes: 
 squirrelmail (2:1.4.4-6) stable-security; urgency=high
 .
   * Security fix, hence high urgency.
   * Apply patch provided by upstream to fix several cross site scripting
     flaws [CAN-2005-1769] (Closes: #314374)
   * Work around arbitrary variable injection via extract() [CAN-2005-2095]
     (Closes: #317094)
Files: 
 efd67c242cc9fb591e3ee8456825331d 742 web optional squirrelmail_1.4.4-6.dsc
 30e06c1a6282a0abff142ccbe1b36a0c 23108 web optional squirrelmail_1.4.4-6.diff.gz
 50da6f9a18fe90e5760eb18c3255296c 569772 web optional squirrelmail_1.4.4-6_all.deb
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0PONW5ql+IAeqTIRArItAJ9ShE4w3upcklKW/dyKcDguCWlMQQCeJdIn
NBlWhi8HRSys8Qbr7Fv0jow=
=JzPZ
-----END PGP SIGNATURE-----

Bug marked as found in version 2:1.4.4-5. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Changed Bug submitter from Thijs Kinkhorst <kink@squirrelmail.org> to Thijs Kinkhorst <thijs@debian.org>. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 05:46:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:15:34 2014; Machine Name: beach.debian.org
