author | maya <maya@pkgsrc.org> | 2017-04-19 17:10:18 +0000 |
---|---|---|
committer | maya <maya@pkgsrc.org> | 2017-04-19 17:10:18 +0000 |
commit | f8e0eb44842a409b20cb31467e6d250a4a5f93aa (patch) | |
tree | b88164395ca53586bff1a37d126152849cb95752 /mail/squirrelmail | |
parent | 790ecc8a0124ef858750d083a90e3ab08f0b8978 (diff) | |
download | pkgsrc-f8e0eb44842a409b20cb31467e6d250a4a5f93aa.tar.gz |
squirrelmail: patch remote code execution (CVE-2017-7692)
separately escape tainted input before feeding it into popen.
https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
patch from Filippo Cavallarin@wearesegment, who also found the vulnerability.
bump PKGREVISION
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r-- | mail/squirrelmail/Makefile | 3 | ||||
-rw-r--r-- | mail/squirrelmail/distinfo | 3 | ||||
-rw-r--r-- | mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php | 23 |
3 files changed, 27 insertions, 2 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index f0287888f0b..bcf13f75d3a 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.131 2016/11/17 15:10:07 taca Exp $
+# $NetBSD: Makefile,v 1.132 2017/04/19 17:10:18 maya Exp $
 
 DISTNAME= squirrelmail-webmail-1.4.23pre14605
+PKGREVISION= 1
 PKGNAME= ${DISTNAME:S/-webmail//}
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_LOCAL}
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 85ed00531fb..633ee866f3c 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67 2016/11/17 15:10:07 taca Exp $
+$NetBSD: distinfo,v 1.68 2017/04/19 17:10:18 maya Exp $
 
 SHA1 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = b0301f777ac5e71b08cd8d718358ce0f3417a21d
 RMD160 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = ee9c4d6bd6975f0134797cfc383821368a140542
@@ -8,3 +8,4 @@ SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275
 SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
 SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
 SHA1 (patch-ca) = d2e41316b8ecd97b49842eff548219e40e9b163a
+SHA1 (patch-class_deliver_Deliver__SendMail.class.php) = 0358ce2445fee73261075226e794054d6ada0150
diff --git a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php b/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
new file mode 100644
index 00000000000..eceb722cbc7
--- /dev/null
+++ b/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
@@ -0,0 +1,23 @@
+$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $
+
+Patch CVE-2017-7692 by separately escaping $envelopefrom
+concatenating it with a space before escaping allows for injecting command
+parameters.
+
+From Filippo Cavallarin
+https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
+
+--- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000
++++ class/deliver/Deliver_SendMail.class.php
+@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
+ $envelopefrom = trim($from->mailbox.'@'.$from->host);
+ $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
+ // save executed command for future reference
+- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
++ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
+ // open process handle for writing
+- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
++ $stream = popen($this->sendmail_command, "w");
+ return $stream;
+ }
+ |
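Review bot: The rewritten `$this->sendmail_command` line has no comment saying why the command prefix and `$envelopefrom` are escaped separately, so a later cleanup could fold them back into a single `escapeshellcmd()` call and reopen CVE-2017-7692. I would put above it `// $envelopefrom is tainted: quote it on its own with escapeshellarg(), because escapeshellcmd() leaves whitespace intact and would let it add sendmail options`. The `str_replace` filter above it still strips only `\0` and `\n`, so the fix rests entirely on shell quoting; rejecting an address that contains whitespace or control characters before the command is built would be a cheap second layer. `$this->sendmail_args` is still covered by `escapeshellcmd()` alone, which is acceptable only if it comes from administrator configuration, and that is not visible in this hunk. The enclosing method starts above the hunk.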