Bug 219801

Summary: mail/squirrelmail, mail/squirrelmail-translations: Update to 20170705 (Also fixes CVE-2017-7692)
Product: Ports & Packages
Reporter: Zsolt Udvari <uzsolt>
Component: Individual Port(s)
Assignee: Steve Wills <swills>
Status: Closed FIXED
Severity: Affects Many People
CC: koobs, ports-secteam, swills, uzsolt
Priority: Normal
Keywords: patch, security
Version: Latest
Flags: koobs: maintainer-feedback+, koobs: merge-quarterly+
Hardware: Any
OS: Any
Attachments (description: flags):
  patch: none
  translations patch: none
  mail/squirrelmail update to 20170705: none
  mail/squirrelmail-translations update to 20170705: none

Description Zsolt Udvari freebsd_committer freebsd_triage 2017-06-05 11:42:01 UTC
Created attachment 183240 [details]
patch

Simple update.
Take maintainership.

The main fix is:
Fix insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for bringing this to our attention). [CVE-2017-7692]
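The changelog line above names the bug class but not the mechanics. As an added illustration, not code from this PR, from the port, or from SquirrelMail itself, the block below contrasts the two ways a webmail can hand envelope addresses to a local sendmail binary: interpolating them into a shell command string, where every token the shell splits off becomes a separate argument, and passing a validated argv vector directly to the process with no shell involved. The sendmail path, the address grammar and the function names are assumptions made for this example; the address values are constructed.

```python
"""
Added example (not SquirrelMail code): passing user-supplied envelope
addresses to a local sendmail binary without going through a shell.
"""
import re
import shlex
import subprocess

# Assumed location; a real webmail takes this from its configuration.
SENDMAIL_PATH = "/usr/sbin/sendmail"

# Conservative envelope-address grammar: local-part@domain with a small
# allowed character set, so shell metacharacters and whitespace can never
# appear in an argument at all.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_envelope_address(addr):
    """Return addr unchanged if it is safe to use as a single argv element."""
    if not isinstance(addr, str) or not addr or len(addr) > 254:
        raise ValueError("address missing or too long")
    # Even a perfectly quoted argument is still parsed by the child program;
    # anything starting with '-' would be read by sendmail as an option.
    if addr.startswith("-"):
        raise ValueError("address must not look like a command-line option")
    if not _ADDR_RE.fullmatch(addr):
        raise ValueError("address contains characters outside the allowed set")
    return addr


def build_sendmail_argv(envelope_from, recipients):
    """Hardened form: one validated string per argv element, no shell."""
    argv = [SENDMAIL_PATH, "-i", "-f", validate_envelope_address(envelope_from)]
    argv.extend(validate_envelope_address(r) for r in recipients)
    return argv


def build_unsafe_command(envelope_from, recipients):
    """Weak form for comparison: raw interpolation into a shell string."""
    return f"{SENDMAIL_PATH} -i -f {envelope_from} {' '.join(recipients)}"


def shell_tokens(command):
    """How a POSIX shell would split the interpolated string into arguments."""
    return shlex.split(command)


def send(argv, message_bytes):
    """Run the validated argv with the message on stdin (no shell=True)."""
    return subprocess.run(argv, input=message_bytes, capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed sample: a sender value containing whitespace.
    sender = "alice@example.org extra"
    print(shell_tokens(build_unsafe_command(sender, ["bob@example.org"])))
    try:
        build_sendmail_argv(sender, ["bob@example.org"])
    except ValueError as exc:
        print("rejected:", exc)
```

The point of `shell_tokens` is only to make the shell's view visible: a single untrusted field becomes several arguments once the string is re-parsed. The hardened builder never creates that string, and the leading-dash check covers the case that quoting alone does not, since the child program interprets its own arguments after the shell is out of the picture.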
Comment 1 Zsolt Udvari freebsd_committer freebsd_triage 2017-06-05 11:42:29 UTC
Created attachment 183241 [details]
translations patch
Comment 2 Zsolt Udvari freebsd_committer freebsd_triage 2017-07-05 11:52:02 UTC
Created attachment 184070 [details]
mail/squirrelmail update to 20170705

* update to newer version.
* includes a patch which solves the bug [1]. Original patch [2] is made by Paul Lesniewski - 2016-01-25.
* fix MASTER_SITES

[1] https://sourceforge.net/p/squirrelmail/bugs/2806/
[2] https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/feebafb3/f2f7/2c33/attachment/quoted_printable_fix-1.4.x-version_3.diff
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-05 12:21:37 UTC
@Zsolt Thank you for your contribution.

Could you please obsolete outdated versions of patches (if there are any). This can either be done when uploading a new attachment or by going to Attachment -> Details -> Edit Details -> [x] Obsolete

If the two attachments are to be both committed, please combine them into a single svn diff, OR if they should be committed separately (for example, one per port), please update the descriptions so that is clear. Example:

Attachment 1 [details]: category/port1: Update to blah
Attachment 2 [details]: category/port2: Translation blah

Please also confirm whether or not the latest patch (attachment 184070 [details]) also (continues to) resolve the CVE-2017-7692 mentioned in comment 0
Comment 4 Zsolt Udvari freebsd_committer freebsd_triage 2017-07-05 13:35:24 UTC
Created attachment 184072 [details]
mail/squirrelmail-translations update to 20170705
Comment 5 Zsolt Udvari freebsd_committer freebsd_triage 2017-07-05 13:52:25 UTC
@Kubilay: I hope the patch comments are clear.

The patches belong to different ports (mail/squirrelmail and mail/squirrelmail-translations). The squirrelmail-translations patch shouldn't be the first because it requires fresh squirrelmail (check its RUN_DEPENDS). I don't know whether in this case they can/should be one svn-diff or not.

The CVE-2017-7692 fix is resolved with the newest patch too because this fix is solved in the official source code (check commit [1]) and doesn't need an extra patch by FreeBSD.

[1] https://sourceforge.net/p/squirrelmail/code/14649/
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-07 00:40:55 UTC
Thank you for clarifying
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 02:54:16 UTC
Ping ports-secteam
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-08-22 17:26:02 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:25:10 UTC 2017
New revision: 448570
URL: https://svnweb.freebsd.org/changeset/ports/448570

Log:
  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  MFH:		2017Q3
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo
  head/mail/squirrelmail/files/patch-functions__i18n.php
  head/mail/squirrelmail/files/patch-functions_strings.php
  head/mail/squirrelmail/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-08-22 17:27:06 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:08 UTC 2017
New revision: 448571
URL: https://svnweb.freebsd.org/changeset/ports/448571

Log:
  mail/squirrelmail-translations: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>

Changes:
  head/mail/squirrelmail-translations/Makefile
  head/mail/squirrelmail-translations/distinfo
Comment 10 commit-hook freebsd_committer freebsd_triage 2017-08-22 17:27:08 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:42 UTC 2017
New revision: 448572
URL: https://svnweb.freebsd.org/changeset/ports/448572

Log:
  MFH: r448570

  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/mail/squirrelmail/Makefile
  branches/2017Q3/mail/squirrelmail/distinfo
  branches/2017Q3/mail/squirrelmail/files/patch-functions__i18n.php
  branches/2017Q3/mail/squirrelmail/files/patch-functions_strings.php
  branches/2017Q3/mail/squirrelmail/pkg-plist
Comment 11 Steve Wills freebsd_committer freebsd_triage 2017-08-22 17:32:18 UTC
I documented the security vulnerability in vuxml, committed these changes, as well as MFH'ing the change to mail/squirrelmail. I wasn't sure if the change to mail/squirrelmail-translations needs to be MFH'd or not, so didn't do it for now. Please let me know if it does.