tags 659392 + patch tags 659392 + pending thanks Dear maintainer,
I've prepared an NMU for imp4 (versioned as 4.3.10+debian0-1.1) and uploaded it to DELAYED/02. Please feel free to tell me if I should delay it longer. Cheers Luk
diff -u imp4-4.3.10+debian0/debian/changelog imp4-4.3.10+debian0/debian/changelog
--- imp4-4.3.10+debian0/debian/changelog
+++ imp4-4.3.10+debian0/debian/changelog
@@ -1,3 +1,10 @@
+imp4 (4.3.10+debian0-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix XSS (CVE-2012-0791, Closes: #659392)
+
+ -- Luk Claes <l...@debian.org> Sat, 23 Jun 2012 12:32:31 +0200
+
 imp4 (4.3.10+debian0-1) unstable; urgency=low
 * New upstream release (Closes: #620181)
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/acl.php
+++ imp4-4.3.10+debian0/acl.php
@@ -179,7 +179,7 @@
 $t->set('changefolder', Horde::link('#', _("Change Folder"), 'smallheader', '', 'ACLFolderChange(true); return false;'));
 $t->set('sharedimg', Horde::img('shared.png', _("Change Folder")));
 $t->set('options', IMP::flistSelect('', true, array(), $folder));
-$t->set('current', sprintf(_("Current access to %s"), IMP::displayFolder($folder)));
+$t->set('current', sprintf(_("Current access to %s"), htmlspecialchars(IMP::displayFolder($folder))));
 $t->set('folder', $folder);
 $t->set('noacl', !count($curr_acl));
 $t->set('maxrule', 1);
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/compose.php
+++ imp4-4.3.10+debian0/compose.php
@@ -191,7 +191,8 @@
 if (is_null($rtemode)) {
 $rtemode = $prefs->getValue('compose_html');
 } else {
- $oldrtemode = Util::getFormData('oldrtemode');
+ $rtemode = intval($rtemode);
+ $oldrtemode = intval(Util::getFormData('oldrtemode'));
 $get_sig = false;
 }
 }
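Review bot: The added `htmlspecialchars()` call in acl.php relies on PHP's default flags and charset, and the same one-argument form is used in every other escaping hunk of this patch (compose.php, mailbox.php, message.php, the Maintenance tasks and lib/Block/summary.php). On PHP versions whose default charset is UTF-8, a folder name that is not valid in that charset comes back as an empty string, so the label would silently disappear on installations using another charset. Passing the charset explicitly avoids that, e.g. `htmlspecialchars(IMP::displayFolder($folder), ENT_COMPAT, NLS::getCharset())`; which charset `IMP::displayFolder()` actually returns is not visible here and should be confirmed.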
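Review bot: The two `intval()` casts in the compose.php hunk at -191 have no comment saying why they are there, and a later cleanup could drop them as redundant. A one-line comment above them would keep the intent visible: `/* Force integers: these values come from the request and must not carry markup. */`. Where `$rtemode` is first read lies above the hunk, so its origin is inferred from the `oldrtemode` line.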
@@ -226,8 +227,8 @@
 /* Update the attachment information. */
 foreach (array_keys($imp_compose->getAttachments()) as $i) {
 if (!in_array($i, $deleteList)) {
- $disposition = Util::getFormData('file_disposition_' . $i);
- $description = Util::getFormData('file_description_' . $i);
+ $disposition = htmlspecialchars(Util::getFormData('file_disposition_' . $i));
+ $description = htmlspecialchars(Util::getFormData('file_description_' . $i));
 $imp_compose->updateAttachment($i, array('disposition' => $disposition, 'description' => $description));
 }
 }
@@ -1131,7 +1132,7 @@
 $t->set('ssm_folders', IMP::flistSelect('', false, array('INBOX'), $sent_mail_folder));
 } else {
 if (!empty($sent_mail_folder)) {
- $sent_mail_folder = '"' . IMP::displayFolder($sent_mail_folder) . '"';
+ $sent_mail_folder = '"' . htmlspecialchars(IMP::displayFolder($sent_mail_folder)) . '"';
 }
 $t->set('ssm_folder', $sent_mail_folder);
 $t->set('ssm_folders', false);
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/mailbox.php
+++ imp4-4.3.10+debian0/mailbox.php
@@ -692,7 +692,7 @@
 $msgs = array();
 }
 $folder_link = Horde::url(Util::addParameter('mailbox.php', 'mailbox', $ob->mailbox));
- $folder_link = Horde::link($folder_link, sprintf(_("View messages in %s"), IMP::displayFolder($ob->mailbox)), 'smallheader') . IMP::displayFolder($ob->mailbox) . '</a>';
+ $folder_link = Horde::link($folder_link, sprintf(_("View messages in %s"), IMP::displayFolder($ob->mailbox)), 'smallheader') . htmlspecialchars(IMP::displayFolder($ob->mailbox)) . '</a>';
 if ($search_template === null) {
 $search_template = new IMP_Template();
 }
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/message.php
+++ imp4-4.3.10+debian0/message.php
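Review bot: In the compose.php hunk at -226 the attachment disposition and description are HTML-escaped when they are read from the form, and the escaped strings are then stored with `updateAttachment()`. Anything that later uses the stored values outside HTML (for example headers of the outgoing message) would see `&amp;`-style entities, and redisplaying and resubmitting the form would presumably encode them a second time. Storing the raw values and escaping where they are printed avoids both; for the disposition a fixed allow-list is tighter than escaping, e.g. `if (!in_array($disposition, array('attachment', 'inline'))) { $disposition = 'attachment'; }`, assuming those are the only values the form offers. The code that renders these fields is outside the hunk.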
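Review bot: In the mailbox.php hunk only the link text is escaped; the same `IMP::displayFolder($ob->mailbox)` value still goes unescaped into the title argument of `Horde::link()`. If `Horde::link()` encodes its title itself that is correct and worth a short comment such as `/* Title is encoded by Horde::link(); only the link text needs escaping here. */`, otherwise the title needs the same treatment; the helper is not shown on this page. Calling `IMP::displayFolder()` once into a local variable would also make the two uses easier to compare.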
@@ -492,7 +492,7 @@
 $h_page_label = htmlspecialchars($page_label);
 $header_label = $h_page_label;
 if (isset($imp_search) && $imp_search->isSearchMbox()) {
- $header_label .= ' [' . Horde::link(Util::addParameter(Horde::applicationUrl('mailbox.php'), 'mailbox', $mailbox_name)) . IMP::displayFolder($mailbox_name) . '</a>]';
+ $header_label .= ' [' . Horde::link(Util::addParameter(Horde::applicationUrl('mailbox.php'), 'mailbox', $mailbox_name)) . htmlspecialchars(IMP::displayFolder($mailbox_name)) . '</a>]';
 }
 /* Prepare the navbar top template. */
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/contacts.php
+++ imp4-4.3.10+debian0/contacts.php
@@ -31,7 +31,7 @@
 $search = Util::getFormData('search');
 /* Get the name of the calling form (Defaults to 'compose'). */
-$formname = Util::getFormData('formname', 'compose');
+$formname = preg_replace('/[^a-zA-Z0-9]/', '', Util::getFormData('formname', 'compose'));
 /* Are we limiting to only the 'To:' field? */
 $to_only = Util::getFormData('to_only');
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/docs/CHANGES
+++ imp4-4.3.10+debian0/docs/CHANGES
@@ -27,7 +27,8 @@
 ------
 v4.3.7
 ------
-
+[mms] SECURITY: Fix XSS vulnerabilities on the compose page, the contacts popup
+ window, and with certain IMAP mailbox names.
 [mms] Fix spellcheck-on-send when using fckeditor and no errors exist (Bug #8833).
 [mms] Fix authenticate API call and synchronization when using realms
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/lib/Maintenance/Task/purge_trash.php
+++ imp4-4.3.10+debian0/lib/Maintenance/Task/purge_trash.php
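Review bot: After the `preg_replace()` in contacts.php, `$formname` can be an empty string when the submitted value contains no alphanumeric characters, and the `'compose'` default no longer applies in that case. A fallback keeps the documented default: `if ($formname === '') { $formname = 'compose'; }`. The filter also drops `_` and `-`, so any caller that uses such a form name would silently get a different one; how `$formname` is used lies outside the hunk.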
@@ -76,7 +76,7 @@
 function describeMaintenance()
 {
 return sprintf(_("All messages in your \"%s\" folder older than %s days will be permanently deleted."),
- IMP::displayFolder(IMP::folderPref($GLOBALS['prefs']->getValue('trash_folder'), true)),
+ htmlspecialchars(IMP::displayFolder(IMP::folderPref($GLOBALS['prefs']->getValue('trash_folder'), true))),
 $GLOBALS['prefs']->getValue('purge_trash_keep'));
 }
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/lib/Maintenance/Task/purge_sentmail.php
+++ imp4-4.3.10+debian0/lib/Maintenance/Task/purge_sentmail.php
@@ -80,7 +80,7 @@
 Maintenance_Task_purge_sentmail::_getFolders());
 return sprintf(_("All messages in the folder(s) \"%s\" older than %s days will be permanently deleted."),
- implode(', ', $folder_list),
+ htmlspecialchars(implode(', ', $folder_list)),
 $GLOBALS['prefs']->getValue('purge_sentmail_keep'));
 }
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/lib/Maintenance/Task/rename_sentmail_monthly.php
+++ imp4-4.3.10+debian0/lib/Maintenance/Task/rename_sentmail_monthly.php
@@ -66,7 +66,7 @@
 $new_folders[] = IMP::displayFolder(Maintenance_Task_rename_sentmail_monthly::_renameSentmailMonthlyName($folder));
 }
- return sprintf(_("The current folder(s) \"%s\" will be renamed to \"%s\"."), implode(', ', $old_folders), implode(', ', $new_folders));
+ return sprintf(_("The current folder(s) \"%s\" will be renamed to \"%s\"."), htmlspecialchars(implode(', ', $old_folders)), htmlspecialchars(implode(', ', $new_folders)));
 }
 /**
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/lib/Maintenance/Task/purge_spam.php
+++ imp4-4.3.10+debian0/lib/Maintenance/Task/purge_spam.php
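Review bot: In `describeMaintenance()` in purge_trash.php only the folder name is escaped; the second `%s` argument, the `purge_trash_keep` preference, still enters the same string as-is. It is meant to be a number of days, so casting it keeps the whole message safe without touching the translated format string: `(int)$GLOBALS['prefs']->getValue('purge_trash_keep')`. The same applies to `purge_sentmail_keep` in purge_sentmail.php and `purge_spam_keep` in purge_spam.php.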
@@ -77,7 +77,7 @@
 function describeMaintenance()
 {
 return sprintf(_("All messages in your \"%s\" folder older than %s days will be permanently deleted."),
- IMP::displayFolder(IMP::folderPref($GLOBALS['prefs']->getValue('spam_folder'), true)),
+ htmlspecialchars(IMP::displayFolder(IMP::folderPref($GLOBALS['prefs']->getValue('spam_folder'), true))),
 $GLOBALS['prefs']->getValue('purge_spam_keep'));
 }
only in patch2: unchanged:
--- imp4-4.3.10+debian0.orig/lib/Block/summary.php
+++ imp4-4.3.10+debian0/lib/Block/summary.php
@@ -81,7 +81,7 @@
 $html .= '<strong>';
 $anyUnseen = true;
 }
- $html .= Horde::link($url) . IMP::displayFolder($folder) . '</a>';
+ $html .= Horde::link($url) . htmlspecialchars(IMP::displayFolder($folder)) . '</a>';
 if (!empty($info['unseen'])) {
 $html .= '</strong>';
 }