author | spz <spz@pkgsrc.org> | 2011-01-05 09:45:21 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2011-01-05 09:45:21 +0000 |
commit | a1f6f943d322c9c16917ea7032f435335d041a64 (patch) | |
tree | 63424d4c319d248686ad8968e6faf701941c63af /mail | |
parent | 9c040be97600427376f3edb409c695090b2ef943 (diff) | |
download | pkgsrc-a1f6f943d322c9c16917ea7032f435335d041a64.tar.gz |
fixes for CVE-2010-4524 and CVE-2010-1677 taken from the MHonArc cvs
Diffstat (limited to 'mail')
-rw-r--r-- | mail/mhonarc/Makefile | 3 | ||||
-rw-r--r-- | mail/mhonarc/distinfo | 3 | ||||
-rw-r--r-- | mail/mhonarc/patches/patch-ab | 142 |
3 files changed, 146 insertions, 2 deletions
diff --git a/mail/mhonarc/Makefile b/mail/mhonarc/Makefile
index 7938a396af0..98164aeb999 100644
--- a/mail/mhonarc/Makefile
+++ b/mail/mhonarc/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2010/03/12 12:40:01 obache Exp $
+# $NetBSD: Makefile,v 1.30 2011/01/05 09:45:21 spz Exp $
 DISTNAME= MHonArc-2.6.16
 PKGNAME= mhonarc-2.6.16
+PKGREVISION= 1
 CATEGORIES= mail
 MASTER_SITES= http://www.mhonarc.org/release/MHonArc/tar/
 EXTRACT_SUFX= .tar.bz2
diff --git a/mail/mhonarc/distinfo b/mail/mhonarc/distinfo
index 9bf54a7dacf..b74a98d55b6 100644
--- a/mail/mhonarc/distinfo
+++ b/mail/mhonarc/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15 2007/02/28 16:04:16 jwise Exp $
+$NetBSD: distinfo,v 1.16 2011/01/05 09:45:21 spz Exp $
 SHA1 (MHonArc-2.6.16.tar.bz2) = 8b803a610805fe736036c3dcd2596e2e416a886b
 RMD160 (MHonArc-2.6.16.tar.bz2) = 31d6659fabdb00b4d4594eda9f5985bd5f3f33b8
 Size (MHonArc-2.6.16.tar.bz2) = 1562490 bytes
+SHA1 (patch-ab) = 588a697b7fc22a07ec8974cf7ab06bebf223b799
diff --git a/mail/mhonarc/patches/patch-ab b/mail/mhonarc/patches/patch-ab
new file mode 100644
index 00000000000..e2bd1f91061
--- /dev/null
+++ b/mail/mhonarc/patches/patch-ab
@@ -0,0 +1,142 @@
+$NetBSD: patch-ab,v 1.1 2011/01/05 09:45:21 spz Exp $
+
+fixes for CVE-2010-4524 and CVE-2010-1677 taken from the MHonArc cvs
+
+--- lib/mhtxthtml.pl.orig 2005-05-02 00:04:39.000000000 +0000
++++ lib/mhtxthtml.pl
+@@ -59,6 +59,11 @@ my %special_to_char = (
+ ## final filtered HTML messages. Modification is needed so the
+ ## resulting filtered message is valid HTML.
+ ##
++## CAUTION: Some of these options can open up a site to attacks.
++## The MIMEFILTERS reference page provide additional
++## information on the risks associated with enabling
++## a given option.
++##
+ ## Arguments:
+ ##
+ ## allowcomments Preserve any comment declarations. Normally
+@@ -90,6 +95,8 @@ my %special_to_char = (
+ ## and Content-Disposition specifies the data as
+ ## an attachment, the data is saved to a file
+ ## with a link to it from the message page.
++## NOTE: This option can expose your site to
++## XSS attacks.
+ ##
+ ## disablerelated Disable MHTML processing.
+ ##
+@@ -100,7 +107,7 @@ my %special_to_char = (
+ ## subdir Place derived files in a subdirectory
+ ##
+
+-# DEVELOPER's NOTE:
++# CAUTION:
+ # The script stripping code is probably not complete. Since a
+ # whitelist model is not being used -- because full HTML parsing
+ # would be required (and possible reliance on non-standard modules) --
+@@ -112,6 +119,25 @@ sub filter {
+ my($fields, $data, $isdecode, $args) = @_;
+ $args = '' unless defined $args;
+
++ # Bug-32013 (CVE-2010-4524): Invalid tags cause immediate rejection.
++ # Bug-32014 (CVE-2010-1677): Prevents DoS if massively nested.
++ my $allowcom = $args =~ /\ballowcomments\b/i;
++ strip_comments($fields, $data) unless $allowcom;
++ if ($$data =~ /<[^>]*</) {
++ # XXX: This will reject HTML that includes a '<' char in a
++ # comment declaration. Unsure it is worth the hassle
++ # to deal with it. Such scenarios would normally indicate
++ # hand generated HTML vs how most HTML email is generated.
++ # Plus, allowcomments should not be enabled, so they get
++ # removed above.
++ warn qq/\n/,
++ qq/Warning: Invalid HTML detected, rejecting\n/,
++ qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
++ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
++ qq/ Message Number: $mhonarc::MHAmsgnum\n/;
++ return undef;
++ }
++
+ ## Check if content-disposition should be checked
+ if ($args =~ /\battachcheck\b/i) {
+ my($disp, $nameparm, $raw) =
+@@ -134,7 +160,6 @@ sub filter {
+ my $onlycid = $args !~ /\ballownoncidurls\b/i;
+ my $subdir = $args =~ /\bsubdir\b/i;
+ my $norelate = $args =~ /\bdisablerelated\b/i;
+- my $allowcom = $args =~ /\ballowcomments\b/i;
+ my $atdir = $subdir ? $mhonarc::MsgPrefix.$mhonarc::MHAmsgnum : "";
+ my $tmp;
+
+@@ -149,6 +174,7 @@ sub filter {
+ warn qq/\n/,
+ qq/Warning: Unrecognized character set: $charset\n/,
+ qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
++ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
+ qq/ Message Number: $mhonarc::MHAmsgnum\n/;
+ }
+
+@@ -341,12 +367,13 @@ sub filter {
+ $$data =~ s/\b$ahref_tmp\b/href/g;
+ }
+
++ ## NOTE: Comment strip moved to top.
+ ## Check comment declarations: may screw-up mhonarc processing
+ ## and avoids someone sneaking in SSIs.
+- if (!$allowcom) {
+- #$$data =~ s/<!(?:--(?:[^-]|-[^-])*--\s*)+>//go; # can crash perl
+- $$data =~ s/<!--[^-]+[#X%\$\[]*/<!--/g; # Just mung them (faster)
+- }
++# if (!$allowcom) {
++# #$$data =~ s/<!(?:--(?:[^-]|-[^-])*--\s*)+>//go; # can crash perl
++# $$data =~ s/<!--[^-]+[#X%\$\[]*/<!--/g; # Just mung them (faster)
++# }
+
+ ## Prevent comment spam
+ ## <http://www.google.com/googleblog/2005/01/preventing-comment-spam.html>
+@@ -448,4 +475,45 @@ sub dehtmlize_ascii {
+
+ ##---------------------------------------------------------------------------
+
++sub strip_comments {
++ my $fields = shift; # for diagnostics
++ my $data = shift; # ref to text to strip
++
++ # We avoid using regex since it can lead to performance problems.
++ # We also do not do full SGML-style comment declarations since it
++ # increases parsing complexity. Here, we just remove any
++ # "<!-- ... -->" strings. Although whitespace is allowed between
++ # final "--" and ">", we do not support it.
++
++ my $n = index($$data, '<!--', 0);
++ if ($n < 0) {
++ # Nothing to do. Good.
++ return $data;
++ }
++
++ my $ret = '';
++ while ($n >= 0) {
++ $ret .= substr($$data, 0, $n);
++ substr($$data, 0, $n) = '';
++ $n = index($$data, '-->', 0);
++ if ($n < 0) {
++ # No end to comment declaration: Warn and strip rest of data.
++ warn qq/\n/,
++ qq/Warning: HTML comment declaration not terminated.\n/,
++ qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
++ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
++ qq/ Message Number: $mhonarc::MHAmsgnum\n/;
++ $$data = '';
++ last;
++ }
++ substr($$data, 0, $n+3) = '';
++ $n = index($$data, '<!--', 0);
++ }
++ $ret .= $$data;
++ $$data = $ret;
++ $data;
++}
++
++##---------------------------------------------------------------------------
++
+ 1; |
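Review bot: The nested-`<` rejection added at the top of `filter` tests `$$data` only once, as it arrives, while later steps in the same function still rewrite it: the `s/\b$ahref_tmp\b/href/g` substitution and the charset handling around the `Unrecognized character set` warning both sit below the check. Most of that code lies outside the hunks shown, so whether any of it can change where `<` appears cannot be confirmed from this patch and should be checked against the full file. I would record the invariant next to the check, e.g. `# NOTE: validated on the data as passed in; nothing below may introduce a new '<'.`, or repeat the `/<[^>]*</` test just before the filtered data is returned. Separately, the three new `warn` blocks and the extended charset warning print `$fields->{'x-mha-subject'}` as received; the value comes from the message and may be undefined or carry control characters (whether it is cleaned earlier is not visible here), so copy it to a local, default it to `''` and apply `$subj =~ s/[[:cntrl:]]/?/g;` before printing.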