rpms/squirrelmail/F-13 squirrelmail-1.4.20-cve_2010_1637.patch, NONE, 1.1 squirrelmail.spec, 1.81, 1.82
Michal Hlavinka
mhlavink at fedoraproject.org
Tue Jun 22 10:34:38 UTC 2010
Author: mhlavink
Update of /cvs/pkgs/rpms/squirrelmail/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv28381
Modified Files:
squirrelmail.spec
Added Files:
squirrelmail-1.4.20-cve_2010_1637.patch
Log Message:
* Tue Jun 22 2010 Michal Hlavinka <mhlavink at redhat.com> - 1.4.20-3
- fix CVE-2010-1637 : mail fetch plugin's port-scans via non-standard
POP3 server ports
squirrelmail-1.4.20-cve_2010_1637.patch:
doc/ChangeLog | 2 +
plugins/mail_fetch/README | 26 +++++++++++++
plugins/mail_fetch/config_example.php | 62 +++++++++++++++++++++++++++++++
plugins/mail_fetch/functions.php | 66 ++++++++++++++++++++++++++++++++++
plugins/mail_fetch/options.php | 45 ++++++++++++++++++++++-
5 files changed, 199 insertions(+), 2 deletions(-)
--- NEW FILE squirrelmail-1.4.20-cve_2010_1637.patch ---
diff -U0 squirrelmail-1.4.20/doc/ChangeLog.cvepatch squirrelmail-1.4.20/doc/ChangeLog
--- squirrelmail-1.4.20/doc/ChangeLog.cvepatch 2010-03-07 01:30:35.000000000 +0100
+++ squirrelmail-1.4.20/doc/ChangeLog 2010-06-22 12:27:04.205730179 +0200
@@ -4,0 +5,2 @@
++ - Fixed minor vulnerability in Mail Fetch plugin [CVE-2010-1637/TEHTRI-SA-2010-009]
+
diff -up squirrelmail-1.4.20/plugins/mail_fetch/config_example.php.cvepatch squirrelmail-1.4.20/plugins/mail_fetch/config_example.php
--- squirrelmail-1.4.20/plugins/mail_fetch/config_example.php.cvepatch 2010-06-22 12:26:55.043729669 +0200
+++ squirrelmail-1.4.20/plugins/mail_fetch/config_example.php 2010-06-22 12:26:55.043729669 +0200
@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * mail_fetch/config_example.php
+ *
+ * Configuration file for the mailfetch plugin.
+ *
+ * @copyright 1999-2010 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
+ * @version $Id: functions.php 13893 2010-01-25 02:47:41Z pdontthink $
+ * @package plugins
+ * @subpackage mail_fetch
+ */
+
+global $mail_fetch_allowable_ports, $mail_fetch_block_server_pattern;
+
+
+// This is the list of POP3 ports the user may specify.
+//
+// Usually, this does not need to be used at all, and
+// ports 110 and 995 will be the only available ports.
+//
+// If users are allowed to access POP3 that is served
+// on a non-standard port, you'll need to add that port
+// to this list and make sure this file is saved as
+// "config.php" in the mail_fetch plugin directory
+//
+// If you do not wish to restrict the allowable port
+// numbers at all, include "ALL" in this list.
+//
+$mail_fetch_allowable_ports = array(110, 995);
+
+
+
+// This is a pattern match that allows you to block
+// access to certain server addresses. This prevents
+// a user from attempting to try to specify certain
+// servers when adding a POP3 address.
+//
+// By default, this plugin will block POP3 server
+// addresses starting with "10.", "192.", "127." and
+// "localhost" (the pattern shown below).
+//
+// If you want to block other addresses, you'll need
+// to add them to this pattern and make sure that this
+// file is saved as "config.php" in the mail_fetch
+// plugin diretory
+//
+// If you do not wish to restrict the allowable server
+// addresses at all, set this value to be "UNRESTRICTED"
+//
+// This is a full regular expression pattern
+//
+// Allow anything:
+//
+// $mail_fetch_block_server_pattern = 'UNRESTRICTED';
+//
+// Default pattern:
+//
+$mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+
diff -up squirrelmail-1.4.20/plugins/mail_fetch/functions.php.cvepatch squirrelmail-1.4.20/plugins/mail_fetch/functions.php
--- squirrelmail-1.4.20/plugins/mail_fetch/functions.php.cvepatch 2010-01-25 03:47:41.000000000 +0100
+++ squirrelmail-1.4.20/plugins/mail_fetch/functions.php 2010-06-22 12:26:55.044729451 +0200
@@ -26,6 +26,72 @@ global $mail_fetch_allow_unsubscribed;
*/
$mail_fetch_allow_unsubscribed = false;
+/**
+ * Validate a requested POP3 port number
+ *
+ * Allowable port numbers are configured in config.php
+ * (see config_example.php for an example and more
+ * rules about how the list of allowable port numbers
+ * can be specified)
+ *
+ * @param int $requested_port The port number given by the user
+ *
+ * @return string An error string is returned if the port
+ * number is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_port_number($requested_port) {
+ global $mail_fetch_allowable_ports;
+ @include_once(SM_PATH . 'plugins/mail_fetch/config.php');
+ if (empty($mail_fetch_allowable_ports))
+ $mail_fetch_allowable_ports = array(110, 995);
+
+ if (in_array('ALL', $mail_fetch_allowable_ports))
+ return '';
+
+ if (!in_array($requested_port, $mail_fetch_allowable_ports)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that port number is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
+/**
+ * Validate a requested POP3 server address
+ *
+ * Blocked server addresses are configured in config.php
+ * (see config_example.php for more details)
+ *
+ * @param int $requested_address The server address given by the user
+ *
+ * @return string An error string is returned if the server
+ * address is not allowable, otherwise an
+ * empty string is returned.
+ *
+ */
+function validate_mail_fetch_server_address($requested_address) {
+ global $mail_fetch_block_server_pattern;
+ @include_once(SM_PATH . 'plugins/mail_fetch/config.php');
+ if (empty($mail_fetch_block_server_pattern))
+ $mail_fetch_block_server_pattern = '/(^10\.)|(^192\.)|(^127\.)|(^localhost)/';
+
+ if ($mail_fetch_block_server_pattern == 'UNRESTRICTED')
+ return '';
+
+ if (preg_match($mail_fetch_block_server_pattern, $requested_address)) {
+ sq_change_text_domain('mail_fetch');
+ $error = _("Sorry, that server address is not allowed");
+ sq_change_text_domain('squirrelmail');
+ return $error;
+ }
+
+ return '';
+}
+
function hex2bin( $data ) {
/* Original code by josh at superfork.com */
diff -up squirrelmail-1.4.20/plugins/mail_fetch/options.php.cvepatch squirrelmail-1.4.20/plugins/mail_fetch/options.php
--- squirrelmail-1.4.20/plugins/mail_fetch/options.php.cvepatch 2010-01-25 03:47:41.000000000 +0100
+++ squirrelmail-1.4.20/plugins/mail_fetch/options.php 2010-06-22 12:26:55.043729669 +0200
@@ -55,6 +55,8 @@ sqgetGlobalVar('mf_login', $mf_l
sqgetGlobalVar('mf_fref', $mf_fref, SQ_POST);
sqgetGlobalVar('mf_lmos', $mf_lmos, SQ_POST);
sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST);
+$mf_port = trim($mf_port);
+$mf_server = trim($mf_server);
/* end globals */
@@ -63,6 +65,19 @@ sqgetGlobalVar('submit_mailfetch', $subm
switch( $mf_action ) {
case 'add':
+
+ $mf_action = 'config';
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) break;
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) break;
+
if ($mf_sn<1) $mf_sn=0;
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
@@ -85,10 +100,28 @@ sqgetGlobalVar('submit_mailfetch', $subm
setPref($data_dir,$username,"mailfetch_subfolder_$mf_sn",(isset($mf_subfolder)?$mf_subfolder:""));
$mf_sn++;
setPref($data_dir,$username,'mailfetch_server_number', $mf_sn);
- $mf_action = 'config';
break;
+
+ // modify a server
+ //
case 'confirm_modify':
- //modify a server
+
+ // restrict port number if necessary
+ //
+ $message = validate_mail_fetch_port_number($mf_port);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
+ // restrict server address if necessary
+ //
+ $message = validate_mail_fetch_server_address($mf_server);
+ if (!empty($message)) {
+ $mf_action = 'Modify';
+ break;
+ }
+
if (!isset($mf_server)) return;
setPref($data_dir,$username,"mailfetch_server_$mf_sn", (isset($mf_server)?$mf_server:""));
setPref($data_dir,$username,"mailfetch_port_$mf_sn", (isset($mf_port)?$mf_port:110));
@@ -199,6 +232,14 @@ sqgetGlobalVar('submit_mailfetch', $subm
) ,
'center', '', 'width="95%"' );
+ // display error or other messages if necessary
+ //
+ if (!empty($message)) {
+ echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
+ html_tag( 'tr',
+ html_tag( 'td', '<b>' . $message . '</b>', 'center', $color[2] ));
+ }
+
switch( $mf_action ) {
case 'config':
echo html_tag( 'table', '', 'center', '', 'width="70%" cellpadding="5" cellspacing="1"' ) .
diff -up squirrelmail-1.4.20/plugins/mail_fetch/README.cvepatch squirrelmail-1.4.20/plugins/mail_fetch/README
--- squirrelmail-1.4.20/plugins/mail_fetch/README.cvepatch 2007-07-11 11:43:41.000000000 +0200
+++ squirrelmail-1.4.20/plugins/mail_fetch/README 2010-06-22 12:26:55.044729451 +0200
@@ -75,6 +75,32 @@ the "Encrypt Password" checkbox in the o
reenter account's passwords the system will switch to encrypted mode.
+Security
+========
+
+By default, the user is not allowed to enter a non-standard POP3 port
+number when configuring an external server with this plugin. This prevents
+the use of this plugin as a port scanner against other servers. However,
+if you need to allow users to access a POP3 service running on a non-
+standard port, you may create a "config.php" file by copying "config_example.php"
+and editing the list of allowable port numbers therein. If "ALL" is added
+to the list of allowable port numbers, then there will be no restriction
+on port numbers whatsoever. Be aware that although this may not represent
+any security threat to servers elsewhere on the Internet that does not
+already exist (other port scanners are freely available), if your server
+resides on a network behind a firewall, this could allow a malicious user
+to scan the servers and services behind your firewall that they'd normally
+not have access to.
+
+The user will also not be allowed to enter server addresses starting
+with "10.", "192.", "127." and "localhost" by default. This prevents users
+from being able to scan an internal network for the presence of other servers
+they are not allowed to access. If other server addresses should be banned,
+or this list is too restrictive, you may create a "config.php" file by copying
+"config_example.php" and then edit the list of blocked server addresses
+therein.
+
+
Future Work
===========
Index: squirrelmail.spec
===================================================================
RCS file: /cvs/pkgs/rpms/squirrelmail/F-13/squirrelmail.spec,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -p -r1.81 -r1.82
--- squirrelmail.spec 7 Jun 2010 07:56:10 -0000 1.81
+++ squirrelmail.spec 22 Jun 2010 10:34:38 -0000 1.82
@@ -6,7 +6,7 @@
Summary: webmail client written in php
Name: squirrelmail
Version: 1.4.20
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
URL: http://www.squirrelmail.org/
Group: Applications/Internet
@@ -33,6 +33,9 @@ Patch4: squirrelmail-1.4.17-biguid.patch
# bug #508631 - use hunspell instead of aspell
Patch5: squirrelmail-1.4.19-hunspell.patch
+# CVE-2010-1637 for sm <=1 .4.20
+Patch6: squirrelmail-1.4.20-cve_2010_1637.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: gettext
@@ -53,6 +56,7 @@ easy to configure and install.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
mkdir locale_tempdir
pushd locale_tempdir
@@ -264,6 +268,10 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/cron.daily/squirrelmail.cron
%changelog
+* Tue Jun 22 2010 Michal Hlavinka <mhlavink at redhat.com> - 1.4.20-3
+- fix CVE-2010-1637 : mail fetch plugin's port-scans via non-standard
+ POP3 server ports
+
* Mon Jun 07 2010 Michal Hlavinka <mhlavink at redhat.com> - 1.4.20-2
- add note to config file that https connections are forced by default
More information about the scm-commits
mailing list