Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

It's a looooong patch .. working on it

jaunty debdiff, package builds installs and works ..

Working on the intrepid,hardy,dapper I guess I must include Karmic too?

Hardy DebDiff , package builds installs and works ..

karmic debdiff,
package builds installs and works fine.

intrepid debdiff
package builds,installs and works

Dapper debdiff
package builds , installs and worked fine.

The patches to

search.php line 240, has no place to patch.

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/src/search.php?r1=13818&r2=13817&pathrev=13818

and compose.php line 1032 introduces an error when reply,reply all, or forward messages.
leaved this line unpatched

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/src/compose.php?r1=13818&r2=13817&pathrev=13818

Thanks for the debdiffs. The patch is quite big, please describe the testing that was performed on each release.

Leonel,

Thanks for the debdiffs and your hard work on this! Can you please detail the testing performed as Marc requested? Once this is done we can process your debdiffs. Marking Incomplete for now; please set back to 'In Progress' after you detail your testing.

Thanks again!

After patched builded and created the package

Tested the packages for some hours on a test server and no problems where found or regressions where found

The dapper version I could not apply 2 patches

Leonel, you get to be the first person to take part in the new https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue process.

Hardy ACK'd

Intrepid ACK'd

Jaunty ACK'd

The karmic debdiff is missing a portion of the patch to src/compose.php. Please review the whole patch, and when ready, attach a new debdiff to this bug and set the Karmic task to 'New'. Thanks!

Hardy - Jaunty uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages.

Because this is a large patch, I am going to have it go through -proposed for wider testing. I'll update the bug accordingly after it finishes building in the ubuntu-security-proposed PPA.

Pocket copied squirrelmail for Hardy - Jaunty to proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Pasted a little too much in that last comment... The packages are ready to test now.

To ubuntu-sru: if this passes the verification process, please also pocket copy to -security. Thanks!

new karmic debdiff with the missing parts added

> Leonel, you get to be the first person to take part in the new
> https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue process.
>
> --
> Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail
> 1.4.19 and earlier
> https://bugs.launchpad.net/bugs/446838
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Great ! What's next ??

--
Leonel Nunez
http://enelserver.com
http://enelserver.com/leonel/

ACK'd

Karmic uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages.

Pocket copied squirrelmail on Karmic to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Leonel, for karmic I needed to update the distribution to karmic-security and adjust the version to use ubuntu0.1. At this point, the packages in -proposed need to be tested and commented on here. This bug will follow the standard https://wiki.ubuntu.com/StableReleaseUpdates from this point forward.

the patch to hardy seem that it does not work.

Stian, can you give more information, including versions and what "does not work" for you?

Can someone comment on whether these packages fix the problem and still generally work? These packages cannot be copied to -security until people verify they work for each release.

Can now confirm that the Hardy package is working.

I can confirm that squirrelmail appears to be working from karmic-proposed.

This bug was fixed in the package squirrelmail - 2:1.4.19-1ubuntu0.1

---------------
squirrelmail (2:1.4.19-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden> Sun, 11 Oct 2009 19:18:52 -0600

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.5

---------------
squirrelmail (2:1.4.13-2ubuntu1.5) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden> Sun, 11 Oct 2009 06:41:56 -0600

Hardy and Karmic copied. Leaving the verification-needed tag for Intrepid and Jaunty. Can someone please test Jaunty and Intrepid?

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.4

---------------
squirrelmail (2:1.4.15-3ubuntu0.4) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden> Sun, 11 Oct 2009 21:33:16 -0600

This bug was fixed in the package squirrelmail - 2:1.4.15-4ubuntu0.3

---------------
squirrelmail (2:1.4.15-4ubuntu0.3) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden> Sat, 10 Oct 2009 19:30:41 -0600

Since all momentum was lost on this bug wrt intrepid and jaunty, I rechecked the debdiff between hardy and intrepid and hardy and jaunty and there are only whitespace changes. Being in universe and no bugs were filed against the hardy update, I am copying this over now.

Unsubscribing ubuntu-security-sponsors. Based on earlier comments, the Dapper patch needs more work and testing. Leonel, please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!