-rw-r--r-- | mail/squirrelmail/Makefile | 5 | ||||
-rw-r--r-- | mail/squirrelmail/PLIST | 3 | ||||
-rw-r--r-- | mail/squirrelmail/distinfo | 10 | ||||
-rw-r--r-- | mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php | 23 |
4 files changed, 9 insertions, 32 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index bcf13f75d3a..00ee2445863 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.132 2017/04/19 17:10:18 maya Exp $
+# $NetBSD: Makefile,v 1.133 2017/06/21 15:07:03 taca Exp $
 
-DISTNAME= squirrelmail-webmail-1.4.23pre14605
-PKGREVISION= 1
+DISTNAME= squirrelmail-webmail-1.4.23pre14688
 PKGNAME= ${DISTNAME:S/-webmail//}
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_LOCAL}
diff --git a/mail/squirrelmail/PLIST b/mail/squirrelmail/PLIST
index 911b5acb118..dfa584a8dd4 100644
--- a/mail/squirrelmail/PLIST
+++ b/mail/squirrelmail/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.40 2015/09/06 12:04:12 taca Exp $
+@comment $NetBSD: PLIST,v 1.41 2017/06/21 15:07:03 taca Exp $
 man/man8/squirrelmail-conf.pl.8
 share/examples/squirrelmail/data/.htaccess
 share/examples/squirrelmail/data/index.php
@@ -325,6 +325,7 @@ share/squirrelmail/plugins/squirrelspell/js/index.php
 share/squirrelmail/plugins/squirrelspell/js/init.js
 share/squirrelmail/plugins/squirrelspell/modules/.htaccess
 share/squirrelmail/plugins/squirrelspell/modules/WHATISTHIS
+share/squirrelmail/plugins/squirrelspell/modules/change_main_options.mod
 share/squirrelmail/plugins/squirrelspell/modules/check_me.mod
 share/squirrelmail/plugins/squirrelspell/modules/crypto.mod
 share/squirrelmail/plugins/squirrelspell/modules/crypto_badkey.mod
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 633ee866f3c..30b593c643c 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.68 2017/04/19 17:10:18 maya Exp $
+$NetBSD: distinfo,v 1.69 2017/06/21 15:07:03 taca Exp $
 
-SHA1 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = b0301f777ac5e71b08cd8d718358ce0f3417a21d
-RMD160 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = ee9c4d6bd6975f0134797cfc383821368a140542
-SHA512 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = f884e324c4f89469ef92e0edb16e83930bdcb73d17df659425972a786cd1449531ab40bf4ea5a17fdc97bcfd8a4c26fc80ca68bad2ae54502236dc5b0456967b
-Size (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = 558045 bytes
+SHA1 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 0b094c86464f0a67948191f8daeb62b35024350b
+RMD160 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 3b3d19bcbd0e3c32983707423d91263e3649f26b
+SHA512 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = ec428f5a77757d29dd0a8f905210e7f9b527e75a549162d9d2ad2ad2fdfed1c9fa4e399433e656065f24a593d76e14c043a34c0c7fffb03943de94505599a1e0
+Size (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 560901 bytes
 SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275
 SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
 SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
diff --git a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php b/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
deleted file mode 100644
index eceb722cbc7..00000000000
--- a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $
-
-Patch CVE-2017-7692 by separately escaping $envelopefrom
-concatenating it with a space before escaping allows for injecting command
-parameters.
-
-From Filippo Cavallarin
-https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
-
---- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000
-+++ class/deliver/Deliver_SendMail.class.php
-@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
- $envelopefrom = trim($from->mailbox.'@'.$from->host);
- $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
- // save executed command for future reference
-- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
-+ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
- // open process handle for writing
-- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
-+ $stream = popen($this->sendmail_command, "w");
- return $stream;
- }
- |
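Review bot: Deleting this local patch leaves the package depending entirely on the 1.4.23pre14688 snapshot for the CVE-2017-7692 fix, and nothing visible in this commit records that the new tarball quotes the envelope sender on its own. Before relying on it, confirm that the extracted `class/deliver/Deliver_SendMail.class.php` passes the sender as a separately quoted argument, i.e. something equivalent to `escapeshellarg($envelopefrom)`, rather than interpolating `-f$envelopefrom` into the string handed to `popen()`. If it does, state that in the commit log so the removal is auditable; if it does not, the patch has to stay. The distinfo hunk shown only touches the distfile checksums, so if distinfo carries a checksum line for this patch (not visible here), that line presumably needs removing in the same commit.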