Bug 226831 - [PATCH] mail/squirrelmail: update to patch security flaw in attachment processing
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mathieu Arnold
Reported: 2018-03-21 17:46 UTC by jsmith
Modified: 2018-05-07 10:48 UTC
uzsolt: maintainer-feedback+
uzsolt: merge-quarterly?


Attachments
Update and security fix for squirrelmail (3.42 KB, text/plain)
2018-03-21 17:46 UTC, jsmith
Update to 20180404, fix CVE (1.12 KB, patch)
2018-04-04 07:38 UTC, Zsolt Udvari
uzsolt: maintainer-approval+

Description jsmith 2018-03-21 17:46:46 UTC
Created attachment 191714
Update and security fix for squirrelmail

The Squirrelmail (mail/squirrelmail) port contains a security flaw which could allow users to access files on the server's file system. See CVE-2018-8741 discussed here: http://www.openwall.com/lists/oss-security/2018/03/17/2

The attached patch updates the Squirrelmail port to address the security hole. Basically it just includes the new patch provided by Openwall and bumps the port's revision number.
Comment 1 Zsolt Udvari 2018-03-21 17:55:13 UTC
I think this patch is correct. Thanks for your work!
Comment 2 jsmith 2018-03-21 18:16:13 UTC
(In reply to Zsolt Udvari from comment #1)

My pleasure. I've now tested the patched package on two servers and it's working ok for me.
Comment 3 Zsolt Udvari 2018-04-04 07:38:26 UTC
Created attachment 192200
Update to 20180404, fix CVE

The squirrelmail codebase is updated, see https://sourceforge.net/p/squirrelmail/code/14751 .
Comment 4 Zsolt Udvari 2018-04-04 07:39:29 UTC
Comment on attachment 191714
Update and security fix for squirrelmail

The newer patch obsoletes this.
Comment 5 commit-hook freebsd_committer 2018-05-03 12:43:05 UTC
A commit references this bug:

Author: mat
Date: Thu May  3 12:42:48 UTC 2018
New revision: 468923
URL: https://svnweb.freebsd.org/changeset/ports/468923

Log:
  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  MFH:		2018Q2
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo
Comment 6 commit-hook freebsd_committer 2018-05-07 10:48:10 UTC
A commit references this bug:

Author: mat
Date: Mon May  7 10:47:30 UTC 2018
New revision: 469283
URL: https://svnweb.freebsd.org/changeset/ports/469283

Log:
  MFH: r468923

  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
_U  branches/2018Q2/
  branches/2018Q2/mail/squirrelmail/Makefile
  branches/2018Q2/mail/squirrelmail/distinfo