226831 – [PATCH] mail/squirrelmail: update to patch security flaw in attachment processing

Bug 226831 - [PATCH] mail/squirrelmail: update to patch security flaw in attachment processing

Summary: [PATCH] mail/squirrelmail: update to patch security flaw in attachment proces...

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Mathieu Arnold

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-03-21 17:46 UTC by Jesse Smith
Modified:	2018-05-07 10:48 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	uzsolt: maintainer-feedback+ uzsolt: merge-quarterly?

Attachments
Update and security fix for squirrelmail (3.42 KB, text/plain) 2018-03-21 17:46 UTC, Jesse Smith	no flags	Details
Update to 20180404, fix CVE (1.12 KB, patch) 2018-04-04 07:38 UTC, Zsolt Udvari	uzsolt: maintainer-approval+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jesse Smith 2018-03-21 17:46:46 UTC

Created attachment 191714 [details]
Update and security fix for squirrelmail

The Squirrelmail (mail/squirrelmail) port contains a security flaw which could allow users to access files on the server's file system. See CVE-2018-8741 discussed here: http://www.openwall.com/lists/oss-security/2018/03/17/2

The attached patch updates the Squirrelmail port to address the security hole. Basically it just includes the new patch provided by Openwall and bumps the port's revision number.

Comment 1 Zsolt Udvari freebsd_committer

2018-03-21 17:55:13 UTC

I think this patch is correct. Thanks for your work!

Comment 2 Jesse Smith 2018-03-21 18:16:13 UTC

(In reply to Zsolt Udvari from comment #1)

My pleasure. I've now tested the patched package on two servers and it's working ok for me.

Comment 3 Zsolt Udvari freebsd_committer

2018-04-04 07:38:26 UTC

Created attachment 192200 [details]
Update to 20180404, fix CVE

The squirrelmail codebase is updated, see https://sourceforge.net/p/squirrelmail/code/14751 .

Comment 4 Zsolt Udvari freebsd_committer

2018-04-04 07:39:29 UTC

Comment on attachment 191714 [details]
Update and security fix for squirrelmail

The newer patch obsoletes this.

Comment 5 commit-hook freebsd_committer

2018-05-03 12:43:05 UTC

A commit references this bug:

Author: mat
Date: Thu May  3 12:42:48 UTC 2018
New revision: 468923
URL: https://svnweb.freebsd.org/changeset/ports/468923

Log:
  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  MFH:		2018Q2
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo

Comment 6 commit-hook freebsd_committer

2018-05-07 10:48:10 UTC

A commit references this bug:

Author: mat
Date: Mon May  7 10:47:30 UTC 2018
New revision: 469283
URL: https://svnweb.freebsd.org/changeset/ports/469283

Log:
  MFH: r468923

  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
_U  branches/2018Q2/
  branches/2018Q2/mail/squirrelmail/Makefile
  branches/2018Q2/mail/squirrelmail/distinfo