head 1.2; access; symbols pkgsrc-2017Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2017.06.21.15.07.03; author taca; state dead; branches; next 1.1; commitid dEc7Z1b2gueYHfWz; 1.1 date 2017.04.19.17.10.18; author maya; state Exp; branches 1.1.2.1; next ; commitid HmraaSIlEO77paOz; 1.1.2.1 date 2017.04.19.17.10.18; author bsiegert; state dead; branches; next 1.1.2.2; commitid CbbLfiAtCOFzOiOz; 1.1.2.2 date 2017.04.20.18.27.26; author bsiegert; state Exp; branches; next ; commitid CbbLfiAtCOFzOiOz; desc @@ 1.2 log @Update squirrelmail to 1.4.23pre14688. Note: CVE-2017-7692 is already fixed by 1.4.23pre14605nb1. - compose_send hook now has $draft flag in hook arguments - Fixed insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo Cavallarin for bringing this to our attention). [CVE-2017-7692] - Upgraded preferences for the delete_move_next plugin. Automatic user preference updates are included, but note that if your installation is new, or all user prefs have been converted from "on"/"off" to 0/1 then you can add the following to SquirrelMail's config/config_local.php to avoid converting legacy values over and over: $do_not_convert_delete_move_next_legacy_preferences = TRUE; - Added ability to control the display of the "Check Spelling" button provided by the squirrelspell plugin, which allows administrators to offer this plugin but keep it out of the way for users who do not want it. Put sqspell_show_button=0 in default preferences if it should be hidden by default @ text @$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $ Patch CVE-2017-7692 by separately escaping $envelopefrom concatenating it with a space before escaping allows for injecting command parameters. 
From Filippo Cavallarin https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html --- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000 +++ class/deliver/Deliver_SendMail.class.php @@@@ -95,9 +95,9 @@@@ class Deliver_SendMail extends Deliver { $envelopefrom = trim($from->mailbox.'@@'.$from->host); $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom); // save executed command for future reference - $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom"; + $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom); // open process handle for writing - $stream = popen(escapeshellcmd($this->sendmail_command), "w"); + $stream = popen($this->sendmail_command, "w"); return $stream; } @ 1.1 log @squirrelmail: patch remote code execution (CVE-2017-7692) separately escape tainted input before feeding it into popen. https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html patch from Filipo Cavallarin@@wearesegment, who also found the vulnerability. bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-class_deliver_Deliver__SendMail.class.php was added on branch pkgsrc-2017Q1 on 2017-04-20 18:27:26 +0000 @ text @d1 23 @ 1.1.2.2 log @Pullup ticket #5333 - requested by maya mail/squirrelmail: security fix Revisions pulled up: - mail/squirrelmail/Makefile 1.132 - mail/squirrelmail/distinfo 1.68 - mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php 1.1 --- Module Name: pkgsrc Committed By: maya Date: Wed Apr 19 17:10:18 UTC 2017 Modified Files: pkgsrc/mail/squirrelmail: Makefile distinfo Added Files: pkgsrc/mail/squirrelmail/patches: patch-class_deliver_Deliver__SendMail.class.php Log Message: squirrelmail: patch remote code execution (CVE-2017-7692) separately escape tainted input before feeding it into popen. 
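Review bot: The rewritten `$this->sendmail_command` line has no comment explaining why `$envelopefrom` is quoted on its own, so a later cleanup could fold it back into the single `escapeshellcmd()` call and reopen CVE-2017-7692. I would add above it `// $envelopefrom is tainted (built from $from->mailbox and $from->host): quote it separately with escapeshellarg(), because escapeshellcmd() leaves whitespace alone and the value could otherwise add sendmail options`. The existing comment "save executed command for future reference" should also say that the saved string is now the shell-escaped form, since any code that logs or compares `sendmail_command` will see different text than before. The only filtering of `$envelopefrom` visible in the hunk removes NUL and newline, so `escapeshellarg()` is the sole barrier; rejecting a mailbox or host that does not look like an address part before building the command would be reasonable defence in depth. The same hunk is stored a second time in the 1.1.2.2 revision text further down, and the enclosing function starts outside the hunk.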
https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html patch from Filipo Cavallarin@@wearesegment, who also found the vulnerability. bump PKGREVISION @ text @a0 23 $NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $ Patch CVE-2017-7692 by separately escaping $envelopefrom concatenating it with a space before escaping allows for injecting command parameters. From Filippo Cavallarin https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html --- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000 +++ class/deliver/Deliver_SendMail.class.php @@@@ -95,9 +95,9 @@@@ class Deliver_SendMail extends Deliver { $envelopefrom = trim($from->mailbox.'@@'.$from->host); $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom); // save executed command for future reference - $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom"; + $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom); // open process handle for writing - $stream = popen(escapeshellcmd($this->sendmail_command), "w"); + $stream = popen($this->sendmail_command, "w"); return $stream; } @