Debian Bug report logs - #607693
mhonarc: cross-site scripting when converting HTML mails

version graph

Package: mhonarc; Maintainer for mhonarc is Jeff Breidenbach <jab@debian.org>; Source for mhonarc is src:mhonarc.

Reported by: "non customers" <non-customers@operamail.com>

Date: Tue, 21 Dec 2010 03:51:01 UTC

Severity: grave

Tags: patch, security, squeeze-ignore

Found in version mhonarc/2.6.16-1

Fixed in version mhonarc/2.6.18-1

Done: Jeff Breidenbach <jab@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#607693; Package mhonarc. (Tue, 21 Dec 2010 03:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "non customers" <non-customers@operamail.com>:
New Bug report received and forwarded. Copy sent to Jeff Breidenbach <jab@debian.org>. (Tue, 21 Dec 2010 03:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "non customers" <non-customers@operamail.com>
To: submit@bugs.debian.org
Subject: mhonarc: cross-site scripting when converting HTML mails
Date: Tue, 21 Dec 2010 04:47:21 +0100
[Message part 1 (text/plain, inline)]
Subject: mhonarc: cross-site scripting when converting HTML mails
Package: mhonarc
Version: 2.6.16-1
Severity: important
Tags: security

MHonArc has a cross-site scripting (XSS) security issue when converting HTML
mails with malformed HTML tags of the form "<scr<body>ipt>":

$ mhonarc elsatest.mbox
This is MHonArc v2.6.16, Perl 5.010001 linux
Converting messages to .
Reading elsatest.mbox .

Writing mail .
Writing ./maillist.html ...
Writing ./threads.html ...
Writing database ...
1 new messages
1 total messages
$ cat msg00000.html
<!-- MHonArc v2.6.16 -->
<!--X-Subject: mhonarc test -->

[..]

<!--X-Body-of-Message-->
<script>alert("elsa");</script>


<!--X-Body-of-Message-End-->

[..]

-- System Information:
Debian Release: squeeze/sid
   APT prefers testing
   APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mhonarc depends on:
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction

Versions of packages mhonarc recommends:
ii  perl [libdigest-md5-perl]     5.10.1-16  Larry Wall's Practical Extraction

mhonarc suggests no packages.

-- no debconf information

-- 
non-customers crew | http://rock-madrid.com/


-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com

[elsatest.mbox (application/octet-stream, attachment)]

Severity set to 'grave' from 'important' Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Wed, 22 Dec 2010 01:45:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#607693; Package mhonarc. (Wed, 22 Dec 2010 05:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Wed, 22 Dec 2010 05:30:03 GMT) Full text and rfc822 format available.

Message #12 received at 607693@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: oss-security@lists.openwall.com, earl@earlhood.com, 607693@bugs.debian.org
Subject: Re: CVE Request -- MHonArc: Improper escaping of certain HTML sequences (XSS)
Date: Tue, 21 Dec 2010 23:27:46 -0600
[Message part 1 (text/plain, inline)]
Earl Hood wrote:
> With that said, do have an available patch that fixes
> the problem?
> 
> If not, I can look into it during the holiday break to
> get a fix for it.  Note, even if there is a fix for the
> case you provided, there is no 100% guarantee that there
> could be other data input sequences that get by the filter.
> Hence, those concerned about security disable the
> HTML filter:

Attached patch is a quick way to fix it. It increases the processing time 
(it has to run filter() at least twice per message,) but ensures that no 
undesired html is returned (unless one of the existing routines misses 
something.)

What do you think about it?

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[mhonarc.CVE-2010-4524.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#607693; Package mhonarc. (Thu, 23 Dec 2010 23:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Thu, 23 Dec 2010 23:57:03 GMT) Full text and rfc822 format available.

Message #17 received at 607693@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 607693@bugs.debian.org
Subject: status for squeeze
Date: Fri, 24 Dec 2010 00:55:02 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 607693 squeeze-can-defer
kthxbye

Can be fixed through security.d.o if it's not ready by release, so
tagging accordingly.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Joost van Baal <joostvb-debian-bugs-20101225-1@mdcc.cx> to control@bugs.debian.org. (Sat, 25 Dec 2010 06:30:03 GMT) Full text and rfc822 format available.

Added tag(s) squeeze-ignore. Request was from Mehdi Dogguy <mehdi@debian.org> to control@bugs.debian.org. (Sun, 26 Dec 2010 21:36:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#607693; Package mhonarc. (Thu, 30 Dec 2010 18:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeff Breidenbach <jeff@jab.org>:
Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Thu, 30 Dec 2010 18:57:05 GMT) Full text and rfc822 format available.

Message #26 received at 607693@bugs.debian.org (full text, mbox):

From: Jeff Breidenbach <jeff@jab.org>
To: non customers <non-customers@operamail.com>, 607693@bugs.debian.org
Subject: Re: Bug#607693: mhonarc: cross-site scripting when converting HTML mails
Date: Thu, 30 Dec 2010 10:55:39 -0800
[Message part 1 (text/plain, inline)]
Based on discussion with Earl so far, I think the correct fix is disabling
HTML mail support by default.
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>:
Bug#607693; Package mhonarc. (Sun, 02 Jan 2011 00:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeff Breidenbach <jeff@jab.org>:
Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Sun, 02 Jan 2011 00:21:03 GMT) Full text and rfc822 format available.

Message #31 received at 607693@bugs.debian.org (full text, mbox):

From: Jeff Breidenbach <jeff@jab.org>
To: 607693@bugs.debian.org
Subject: Re: Bug#607693: mhonarc: cross-site scripting when converting HTML mails
Date: Sat, 1 Jan 2011 16:19:08 -0800
[Message part 1 (text/plain, inline)]
After extensive discussion, upstream is preparing a new release of mhonarc
(the security and related bug fixes are more extensive than the patch
supplied to Debian). I prefer to ship the new release as the security
update, rather than attempt a backport. Happy to discuss if security team
has any concerns.

-Jeff
[Message part 2 (text/html, inline)]

Reply sent to Jeff Breidenbach <jab@debian.org>:
You have taken responsibility. (Mon, 10 Jan 2011 06:51:10 GMT) Full text and rfc822 format available.

Notification sent to "non customers" <non-customers@operamail.com>:
Bug acknowledged by developer. (Mon, 10 Jan 2011 06:51:10 GMT) Full text and rfc822 format available.

Message #36 received at 607693-close@bugs.debian.org (full text, mbox):

From: Jeff Breidenbach <jab@debian.org>
To: 607693-close@bugs.debian.org
Subject: Bug#607693: fixed in mhonarc 2.6.18-1
Date: Mon, 10 Jan 2011 06:47:09 +0000
Source: mhonarc
Source-Version: 2.6.18-1

We believe that the bug you reported is fixed in the latest version of
mhonarc, which is due to be installed in the Debian FTP archive:

mhonarc_2.6.18-1.diff.gz
  to main/m/mhonarc/mhonarc_2.6.18-1.diff.gz
mhonarc_2.6.18-1.dsc
  to main/m/mhonarc/mhonarc_2.6.18-1.dsc
mhonarc_2.6.18-1_all.deb
  to main/m/mhonarc/mhonarc_2.6.18-1_all.deb
mhonarc_2.6.18.orig.tar.gz
  to main/m/mhonarc/mhonarc_2.6.18.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607693@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeff Breidenbach <jab@debian.org> (supplier of updated mhonarc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Jan 2011 17:21:45 -0800
Source: mhonarc
Binary: mhonarc
Architecture: source all
Version: 2.6.18-1
Distribution: unstable
Urgency: low
Maintainer: Jeff Breidenbach <jab@debian.org>
Changed-By: Jeff Breidenbach <jab@debian.org>
Description: 
 mhonarc    - Mail to HTML converter
Closes: 332653 517195 528617 607693
Changes: 
 mhonarc (2.6.18-1) unstable; urgency=low
 .
   * New upstream release
     - Security fix for cross site scriping (closes: bug#607693)
     - Fix problem with directory creation (closes: #517195)
     - Fix multibyte character problems (closes: #528617)
     - Fix memory hog problem (closes: #332653)
     - Fix multiple denial of service vulnerabilities
     - Remove minor Debian patches due to upstream incorporation
Checksums-Sha1: 
 c92852da8ca5d7bb62c5f39452c4bca166ac05bf 952 mhonarc_2.6.18-1.dsc
 c5fbb3609c4004563662c20152d5b90317fc52cf 1984873 mhonarc_2.6.18.orig.tar.gz
 bf5651664d029f3af11c7c2fe82464cc3341f8d5 3837 mhonarc_2.6.18-1.diff.gz
 169e81c2bb9f7ae22bbb8cdbe856d195b4e7235b 1928492 mhonarc_2.6.18-1_all.deb
Checksums-Sha256: 
 750ff79f34243b76fe9c753ed2e873c1d4b230c1a52021eb639f1e059a5b9bd2 952 mhonarc_2.6.18-1.dsc
 42759d337c13ff87dbc0bc08774df67156405fbfc10e962f640a65ee9a11aef6 1984873 mhonarc_2.6.18.orig.tar.gz
 95c38bf796fd0162824d7cef8c7abaec428aa5e793dcd9aff88f7e7dc9b0924f 3837 mhonarc_2.6.18-1.diff.gz
 c8bae6d861f35650b4446ab3667ca22341f9b33f2e264f389f405b32d65f42b6 1928492 mhonarc_2.6.18-1_all.deb
Files: 
 285f35efad14653e5e2d74e8ab4560d4 952 mail optional mhonarc_2.6.18-1.dsc
 b65e58fd6d34999493f73efbd8db3c47 1984873 mail optional mhonarc_2.6.18.orig.tar.gz
 0369c30214641c0edb4cbab219137a87 3837 mail optional mhonarc_2.6.18-1.diff.gz
 69724f434b85ebbf6abb55b425a9eff4 1928492 mail optional mhonarc_2.6.18-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0qqQMACgkQazfo3TSzaFZGBgCfbInjRfkH1MyYieEVd304gC1y
3yIAniZ70anSDSfA73C2W95wv2cbJI9S
=XDL/
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:04:33 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:10:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.