[pkgsrc/pkgsrc-2017Q1]: pkgsrc/mail/squirrelmail Pullup ticket #5333 - reques...

[bsiegert <bsiegert%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/70ca39e05ecd
branches:  pkgsrc-2017Q1
changeset: 360283:70ca39e05ecd
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Thu Apr 20 18:27:26 2017 +0000

description:
Pullup ticket #5333 - requested by maya
mail/squirrelmail: security fix

Revisions pulled up:
- mail/squirrelmail/Makefile                                    1.132
- mail/squirrelmail/distinfo                                    1.68
- mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php 1.1

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Wed Apr 19 17:10:18 UTC 2017

   Modified Files:
           pkgsrc/mail/squirrelmail: Makefile distinfo
   Added Files:
           pkgsrc/mail/squirrelmail/patches:
               patch-class_deliver_Deliver__SendMail.class.php

   Log Message:
   squirrelmail: patch remote code execution (CVE-2017-7692)
   separately escape tainted input before feeding it into popen.
   https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html

   patch from Filipo Cavallarin@wearesegment, who also found the vulnerability.
   bump PKGREVISION

diffstat:

 mail/squirrelmail/Makefile                                                |   3 +-
 mail/squirrelmail/distinfo                                                |   3 +-
 mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php |  23 ++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)

diffs (53 lines):

diff -r 7e82d2aa7071 -r 70ca39e05ecd mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile        Wed Apr 19 18:57:03 2017 +0000
+++ b/mail/squirrelmail/Makefile        Thu Apr 20 18:27:26 2017 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.131 2016/11/17 15:10:07 taca Exp $
+# $NetBSD: Makefile,v 1.131.4.1 2017/04/20 18:27:26 bsiegert Exp $
 
 DISTNAME=      squirrelmail-webmail-1.4.23pre14605
+PKGREVISION=   1
 PKGNAME=       ${DISTNAME:S/-webmail//}
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_LOCAL}
diff -r 7e82d2aa7071 -r 70ca39e05ecd mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo        Wed Apr 19 18:57:03 2017 +0000
+++ b/mail/squirrelmail/distinfo        Thu Apr 20 18:27:26 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67 2016/11/17 15:10:07 taca Exp $
+$NetBSD: distinfo,v 1.67.4.1 2017/04/20 18:27:26 bsiegert Exp $
 
 SHA1 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = b0301f777ac5e71b08cd8d718358ce0f3417a21d
 RMD160 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = ee9c4d6bd6975f0134797cfc383821368a140542
@@ -8,3 +8,4 @@
 SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
 SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
 SHA1 (patch-ca) = d2e41316b8ecd97b49842eff548219e40e9b163a
+SHA1 (patch-class_deliver_Deliver__SendMail.class.php) = 0358ce2445fee73261075226e794054d6ada0150
diff -r 7e82d2aa7071 -r 70ca39e05ecd mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php Thu Apr 20 18:27:26 2017 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1.2.2 2017/04/20 18:27:26 bsiegert Exp $
+
+Patch CVE-2017-7692 by separately escaping $envelopefrom
+concatenating it with a space before escaping allows for injecting command
+parameters.
+
+From Filippo Cavallarin
+https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
+
+--- class/deliver/Deliver_SendMail.class.php.orig      2016-01-01 20:04:30.000000000 +0000
++++ class/deliver/Deliver_SendMail.class.php
+@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
+         $envelopefrom = trim($from->mailbox.'@'.$from->host);
+         $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
+         // save executed command for future reference
+-        $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
++        $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
+         // open process handle for writing
+-        $stream = popen(escapeshellcmd($this->sendmail_command), "w");
++        $stream = popen($this->sendmail_command, "w");
+         return $stream;
+     }
+