Bug 219801 - mail/squirrelmail, mail/squirrelmail-translations: Update to 20170705 (Also fixes CVE-2017-7692)
Summary: mail/squirrelmail, mail/squirrelmail-translations: Update to 20170705 (Also f...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Steve Wills
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2017-06-05 11:42 UTC by Zsolt Udvari
Modified: 2017-08-25 03:53 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly+


Attachments
patch (1.17 KB, patch)
2017-06-05 11:42 UTC, Zsolt Udvari
no flags Details | Diff
translations patch (1.20 KB, patch)
2017-06-05 11:42 UTC, Zsolt Udvari
no flags Details | Diff
mail/squirrelmail update to 20170705 (7.43 KB, patch)
2017-07-05 11:52 UTC, Zsolt Udvari
no flags Details | Diff
mail/squirrelmail-translations update to 20170705 (1.24 KB, patch)
2017-07-05 13:35 UTC, Zsolt Udvari
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Zsolt Udvari 2017-06-05 11:42:01 UTC
Created attachment 183240 [details]
patch

Simple update.
Take maintainership.

The main fix is:
Fix insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for bringing this to our attention). [CVE-2017-7692]
Comment 1 Zsolt Udvari 2017-06-05 11:42:29 UTC
Created attachment 183241 [details]
translations patch
Comment 2 Zsolt Udvari 2017-07-05 11:52:02 UTC
Created attachment 184070 [details]
mail/squirrelmail update to 20170705

* update to newer version.
* includes a patch which solves the bug [1]. Original patch [2] is made by Paul Lesniewski - 2016-01-25.
* fix MASTER_SITES

[1] https://sourceforge.net/p/squirrelmail/bugs/2806/
[2] https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/feebafb3/f2f7/2c33/attachment/quoted_printable_fix-1.4.x-version_3.diff
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-05 12:21:37 UTC
@Zsolt That you for your contribution. 

Could you please obsolete outdated versions of patches (if there are any). This can either be done when uploading a new attachment or by going to Attachment -> Details -> Edit Details -> [x] Obsolete

If the two attachments are to be both committed, please combine them into a single svn diff, OR if they should be committed separately (for example, one per port), please update the descriptions so that is clear. Example:

Attachment 1 [details]: category/port1: Update to blah
Attachment 2 [details]: category/port2: Translation blah

Please also confirm whether or not the latest patch (attachment 184070 [details]) also (continues to) resolve the CVE-2017-7692 mentioned in comment 0
Comment 4 Zsolt Udvari 2017-07-05 13:35:24 UTC
Created attachment 184072 [details]
mail/squirrelmail-translations update to 20170705
Comment 5 Zsolt Udvari 2017-07-05 13:52:25 UTC
@Kubilay: I hope the patch comments are clear.

The patches belong different ports (mail/squirrelmail and mail/squirrelmail-translations). The squirrelmail-translations patch shouldn't be the first because it requires fresh squirrelmail (check its RUN_DEPENDS). I don't know in this case they can/should be one svn-diff or not.

The CVE-2017-7692 fix is resolved with the newest patch too because this fix is solved in the official source code (check commit [1]) and doesn't need plus patch by FreeBSD.

[1] https://sourceforge.net/p/squirrelmail/code/14649/
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-07 00:40:55 UTC
Thank you for clarifying
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 02:54:16 UTC
Ping ports-secteam
Comment 8 commit-hook freebsd_committer 2017-08-22 17:26:02 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:25:10 UTC 2017
New revision: 448570
URL: https://svnweb.freebsd.org/changeset/ports/448570

Log:
  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  MFH:		2017Q3
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo
  head/mail/squirrelmail/files/patch-functions__i18n.php
  head/mail/squirrelmail/files/patch-functions_strings.php
  head/mail/squirrelmail/pkg-plist
Comment 9 commit-hook freebsd_committer 2017-08-22 17:27:06 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:08 UTC 2017
New revision: 448571
URL: https://svnweb.freebsd.org/changeset/ports/448571

Log:
  mail/squirrelmail-translations: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>

Changes:
  head/mail/squirrelmail-translations/Makefile
  head/mail/squirrelmail-translations/distinfo
Comment 10 commit-hook freebsd_committer 2017-08-22 17:27:08 UTC
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:42 UTC 2017
New revision: 448572
URL: https://svnweb.freebsd.org/changeset/ports/448572

Log:
  MFH: r448570

  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/mail/squirrelmail/Makefile
  branches/2017Q3/mail/squirrelmail/distinfo
  branches/2017Q3/mail/squirrelmail/files/patch-functions__i18n.php
  branches/2017Q3/mail/squirrelmail/files/patch-functions_strings.php
  branches/2017Q3/mail/squirrelmail/pkg-plist
Comment 11 Steve Wills freebsd_committer 2017-08-22 17:32:18 UTC
I documented the security vulnerability in vuxml, committed these changes, as well as MFH'ing the change to mail/squirrelmail. I wasn't sure if the change to mail/squirrelmail-translations needs to be MFH'd or not, so didn't do it for now. Please let me know if it does.