Debian Bug report logs - #354063
CVE-2006-0377: IMAP injection attempts


Package: squirrelmail; Maintainer for squirrelmail is Jeroen van Wolffelaar <jeroen@wolffelaar.nl>; Source for squirrelmail is src:squirrelmail.

Reported by: Geoff Crompton <geoff.crompton@strategicdata.com.au>

Date: Thu, 23 Feb 2006 01:03:06 UTC

Severity: important

Tags: fixed-upstream, security

Found in version squirrelmail/2:1.4.4-7

Fixed in versions squirrelmail/2:1.4.6-1, squirrelmail/2:1.4.4-8

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#354063; Package squirrelmail. Full text and rfc822 format available.

Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-0377: IMAP injection attempts
Date: Thu, 23 Feb 2006 11:44:39 +1100
Package: squirrelmail
Version: 2:1.4.4-7
Severity: important

The changelog at http://www.squirrelmail.org/changelog.php says for 1.4.6:

  - Security: Prohibit IMAP injection attempts (reported by Vicente
    Aguilera) [CVE-2006-0377].


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages squirrelmail depends on:
ii  apache [httpd]          1.3.33-6sarge1   versatile, high-performance HTTP s
ii  apache-perl [httpd]     1.3.33-6sarge1   versatile, high-performance HTTP s
ii  lighttpd [httpd]        1.4.9-4bpo1      A fast webserver with minimal memo
ii  perl                    5.8.4-8sarge3    Larry Wall's Practical Extraction 
ii  php4                    4:4.3.10-16      server-side, HTML-embedded scripti
ii  squirrelmail-locales    1.4.4-20050308-1 Translations for the SquirrelMail 

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#354063; Package squirrelmail. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #10 received at 354063@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 354063@bugs.debian.org
Subject: Re: Bug#354063: CVE-2006-0377: IMAP injection attempts
Date: Thu, 23 Feb 2006 09:22:00 +0100
On Thu, 2006-02-23 at 11:44 +1100, Geoff Crompton wrote:
>   - Security: Prohibit IMAP injection attempts (reported by Vicente
>     Aguilera) [CVE-2006-0377].

Hello Jeff,

Thanks, I'm aware of it. I'm awaiting the 1.4.6 version which is to be
released any moment now.


Thijs


Tags added: security, fixed-upstream Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug#354063. Full text and rfc822 format available.

Message #17 received at 354063-submitter@bugs.debian.org (full text, mbox):

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 354063-submitter@bugs.debian.org, 354062-submitter@bugs.debian.org, 354064-submitter@bugs.debian.org, 355424-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r233
Date: Tue, 07 Mar 2006 15:00:50 +0100
# Fixed in r233 by kink
tag 354063 + pending
tag 354062 + pending
tag 354064 + pending
tag 355424 + pending
thanks

These bugs are fixed in revision 233 by kink
and will likely get fixed in the next upload.
Log message:
  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select
      with upstream patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing
      of u\rl and comments in styles. Internet Explorer
      specific. [CVE-2006-0195] (Closes: #354062)
    - Fix possible cross site scripting through the right_main
      parameter of webmail.php. This now uses a whitelist of
      acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)






Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#354063; Package squirrelmail. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #22 received at 354063@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 355424@bugs.debian.org, 354062@bugs.debian.org, 354063@bugs.debian.org, 354064@bugs.debian.org
Cc: team@security.debian.org
Subject: Updated packages available for woody, sarge, sid
Date: Tue, 07 Mar 2006 16:12:31 +0100
Hello all,

I've prepared updated packages for these bugs for oldstable, stable and
unstable. Please find those packages here:
http://www.a-eskwadraat.nl/~kink/squirrelmail/

The unstable packages are awaiting review and upload by Jeroen. Testing
will be updated within a few days after the unstable upload, if no big
problems are found.

Security team: here's a proposed advisory text.

===
Package        : squirrelmail
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0377 CVE-2006-0195 CVE-2006-0188
Debian Bug     : 354062 354063 354064 355424

Several vulnerabilities have been discovered in Squirrelmail, a
commonly used webmail system.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2006-0377

    Vicente Aguilera of Internet Security Auditors, S.L. discovered a
    CRLF injection vulnerability, which allows remote attackers to
    inject arbitrary IMAP commands via newline characters in the mailbox
    parameter of the sqimap_mailbox_select command, aka "IMAP
    injection." There's no known way to exploit this yet.

CVE-2006-0195

    Martijn Brinkers and Scott Hughes discovered an interpretation
    conflict in the MagicHTML filter that allows remote attackers to
    conduct cross-site scripting (XSS) attacks via style sheet
    specifiers with invalid (1) "/*" and "*/" comments, or (2) slashes
    inside the "url" keyword, which is processed by some web browsers
    including Internet Explorer.

CVE-2006-0188

    Martijn Brinkers and Ben Maurer found a flaw in webmail.php that
    allows remote attackers to inject arbitrary web pages into the right
    frame via a URL in the right_frame parameter.

For the old stable distribution (woody) these problems have been fixed in
version 1.2.6-5.

For the stable distribution (sarge) these problems have been fixed in
version 2:1.4.4-8.

For the unstable distribution (sid) these problems have been fixed in
version 2:1.4.6-1.

We recommend that you upgrade your squirrelmail package.
===

I'm glad to hear any comments on the packages.


thanks,
Thijs
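The CRLF injection the advisory above describes, shown as an added Python illustration that is neither SquirrelMail's code nor the upstream patch: a SELECT command built by plain string concatenation lets a CR/LF inside the mailbox name start a second command line, whereas the hardened builder rejects control characters and encodes the name as an RFC 3501 quoted string. The function names and the sample mailbox value are constructed for this example.

```python
import re

CRLF = "\r\n"

# Constructed sample input (not from the bug report): a mailbox parameter whose
# value carries an embedded CRLF followed by a second tagged command.
INJECTED_MAILBOX = "INBOX\r\nA002 NOOP"


def build_select_unsafe(tag: str, mailbox: str) -> str:
    """Vulnerable pattern: the mailbox name is interpolated straight into the
    SELECT command line, so a CR/LF inside it terminates the line early."""
    return f'{tag} SELECT "{mailbox}"{CRLF}'


def imap_lines(wire: str) -> list:
    """Split a client buffer the way an IMAP server reads it: one command per
    CRLF-terminated line. A second element means a second command was sent."""
    return [line for line in wire.split(CRLF) if line]


class MailboxNameError(ValueError):
    """Raised when a mailbox name cannot be placed safely on one command line."""


def is_safe_mailbox(mailbox: str) -> bool:
    """Hardened check: reject CR, LF and NUL, which can never appear in an
    RFC 3501 quoted string and are what the injection relies on."""
    return re.search(r"[\r\n\0]", mailbox) is None


def quote_mailbox(mailbox: str) -> str:
    """Encode as an RFC 3501 quoted string: backslash-escape '"' and '\\'."""
    escaped = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_select_safe(tag: str, mailbox: str) -> str:
    """Fixed pattern: validate, then quote, then emit exactly one command line."""
    if not is_safe_mailbox(mailbox):
        raise MailboxNameError("control characters in mailbox name")
    return f"{tag} SELECT {quote_mailbox(mailbox)}{CRLF}"


if __name__ == "__main__":
    # The unsafe builder yields two command lines; the safe one refuses the input.
    print(imap_lines(build_select_unsafe("A001", INJECTED_MAILBOX)))
    print(repr(build_select_safe("A001", 'Sent "2006"')))
```

Non-ASCII mailbox names need Modified UTF-7 or the IMAP literal form, which this builder does not cover, so a production check should reject them as well rather than quote them.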

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#354063; Package squirrelmail. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #27 received at 354063@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 355424@bugs.debian.org, 354062@bugs.debian.org, 354063@bugs.debian.org, 354064@bugs.debian.org, team@security.debian.org
Subject: Re: Updated packages available for woody, sarge, sid
Date: Tue, 7 Mar 2006 18:54:14 +0100
Thijs Kinkhorst wrote:
> Hello all,
> 
> I've prepared updated packages for these bugs for oldstable, stable and
> unstable. Please find those packages here:
> http://www.a-eskwadraat.nl/~kink/squirrelmail/

Thanks a lot. I did a cursory check and everything looks fine. I'll review
in detail and prepare a DSA tonight or tomorrow.

Cheers,
        Moritz



Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 354063-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 354063-close@bugs.debian.org
Subject: Bug#354063: fixed in squirrelmail 2:1.4.6-1
Date: Fri, 10 Mar 2006 05:17:15 -0800
Source: squirrelmail
Source-Version: 2:1.4.6-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.6-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.6-1.diff.gz
squirrelmail_1.4.6-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.6-1.dsc
squirrelmail_1.4.6-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.6-1_all.deb
squirrelmail_1.4.6.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 354063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  7 Mar 2006 14:56:06 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.6-1
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 354062 354063 354064 355424
Changes: 
 squirrelmail (2:1.4.6-1) unstable; urgency=high
 .
   * New upstream release.
   * Includes the following security fixes:
     - Fix IMAP command injection in sqimap_mailbox_select
       with upstream patch. [CVE-2006-0377] (Closes: #354063)
     - Fix possible XSS in MagicHTML, concerning the parsing
       of u\rl and comments in styles. Internet Explorer
       specific. [CVE-2006-0195] (Closes: #354062)
     - Fix possible cross site scripting through the right_main
       parameter of webmail.php. This now uses a whitelist of
       acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Files: 
 f982571d61dcbf187c5247eaa3d6bd06 738 web optional squirrelmail_1.4.6-1.dsc
 da9e22416fca21ed0636458641187cdb 599318 web optional squirrelmail_1.4.6.orig.tar.gz
 d91d57f8b7a65c9600d04dea8ca6a227 17984 web optional squirrelmail_1.4.6-1.diff.gz
 7f0cd54f915be5be41f71ddb445fbe8c 594826 web optional squirrelmail_1.4.6-1_all.deb





Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 354063-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 354063-close@bugs.debian.org
Subject: Bug#354063: fixed in squirrelmail 2:1.4.4-8
Date: Fri, 10 Mar 2006 09:47:39 -0800
Source: squirrelmail
Source-Version: 2:1.4.4-8

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-8.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.diff.gz
squirrelmail_1.4.4-8.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.dsc
squirrelmail_1.4.4-8_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 354063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  7 Mar 2006 13:08:55 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-8
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 354062 354063 354064 355424
Changes: 
 squirrelmail (2:1.4.4-8) stable-security; urgency=high
 .
   * Fix IMAP command injection in sqimap_mailbox_select
     with upstream patch. [CVE-2006-0377] (Closes: #354063)
   * Fix possible XSS in MagicHTML, concerning the parsing
     of u\rl and comments in styles. Internet Explorer
     specific. [CVE-2006-0195] (Closes: #354062)
   * Fix possible cross site scripting through the right_main
     parameter of webmail.php. This now uses a whitelist of
     acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Files: 
 140546ee9c0534419ddcaf3c7e632110 678 web optional squirrelmail_1.4.4-8.dsc
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz
 15ddd8f4db234006a1ac290087640dfc 24654 web optional squirrelmail_1.4.4-8.diff.gz
 2087dcea05cd5e1c4033f15cf120761a 570472 web optional squirrelmail_1.4.4-8_all.deb





Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 354063-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 354063-close@bugs.debian.org
Subject: Bug#354063: fixed in squirrelmail 2:1.4.4-8
Date: Mon, 17 Apr 2006 17:41:38 -0700
Source: squirrelmail
Source-Version: 2:1.4.4-8

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-8.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.diff.gz
squirrelmail_1.4.4-8.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.dsc
squirrelmail_1.4.4-8_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 354063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  7 Mar 2006 13:08:55 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-8
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 354062 354063 354064 355424
Changes: 
 squirrelmail (2:1.4.4-8) stable-security; urgency=high
 .
   * Fix IMAP command injection in sqimap_mailbox_select
     with upstream patch. [CVE-2006-0377] (Closes: #354063)
   * Fix possible XSS in MagicHTML, concerning the parsing
     of u\rl and comments in styles. Internet Explorer
     specific. [CVE-2006-0195] (Closes: #354062)
   * Fix possible cross site scripting through the right_main
     parameter of webmail.php. This now uses a whitelist of
     acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Files: 
 140546ee9c0534419ddcaf3c7e632110 678 web optional squirrelmail_1.4.4-8.dsc
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz
 15ddd8f4db234006a1ac290087640dfc 24654 web optional squirrelmail_1.4.4-8.diff.gz
 2087dcea05cd5e1c4033f15cf120761a 570472 web optional squirrelmail_1.4.4-8_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 04:42:36 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:49:26 2014; Machine Name: buxtehude.debian.org
