security update
Problems fixed:
#32080 Specially crafted <base href> can lead to XSS exploit
#32032 TextEncode related resource information not saved correctly in db file
#32014 CVE-2010-1677: DoS when processing html messages with deep tag nesting
#32013 CVE-2010-4524: Improper escaping of certain HTML sequences (XSS)
#26577 Changed semantic for unpack breaks UTF-8
#25486 Resource FieldStore causes .mhonarc.db to grow over bounds.
#25225 dir_create() fails to make temporary directories (PATCH)
#24247 iso2022jp.pl: unneeded ESC ( B remains in message body
#23198 Incorrect Setting Installation Directory
#20142 strip backslash in rfc822 From: field
#20074 extra space in subject
#18908 X-Subject data get split in separate lines
#18113 inconsistent thread slices w/ poor man's windowing
#17904 FieldOrder affects AddressModifyCode
#17860 incorrect nested HTML Tags for references
#17660 Threaded index resource ordering doesn't allow well formed XML output
#15433 relative attachmentdir is relative to current working dir, not outdir
#14747 major (10X) memory savings possible in some situations
#13853 creation of archive with attachments writes over symlinks
parent
f15a8672f5
commit
6ad9338426
4 changed files with 10 additions and 152 deletions
|
@ -1,8 +1,7 @@
|
|||
# $NetBSD: Makefile,v 1.30 2011/01/05 09:45:21 spz Exp $
|
||||
# $NetBSD: Makefile,v 1.31 2011/01/09 19:59:48 spz Exp $
|
||||
|
||||
DISTNAME= MHonArc-2.6.16
|
||||
PKGNAME= mhonarc-2.6.16
|
||||
PKGREVISION= 1
|
||||
DISTNAME= MHonArc-2.6.18
|
||||
PKGNAME= mhonarc-2.6.18
|
||||
CATEGORIES= mail
|
||||
MASTER_SITES= http://www.mhonarc.org/release/MHonArc/tar/
|
||||
EXTRACT_SUFX= .tar.bz2
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
@comment $NetBSD: PLIST,v 1.10 2009/06/14 18:04:37 joerg Exp $
|
||||
@comment $NetBSD: PLIST,v 1.11 2011/01/09 19:59:48 spz Exp $
|
||||
bin/mha-dbedit
|
||||
bin/mha-dbrecover
|
||||
bin/mha-decode
|
||||
|
@ -203,6 +203,7 @@ share/doc/mhonarc/rcfileexs/date.mrc.html
|
|||
share/doc/mhonarc/rcfileexs/def-mime.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/frames.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/icons.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/secure.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/subject.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/utf-8-encode.mrc.html
|
||||
share/doc/mhonarc/rcfileexs/utf-8.mrc.html
|
||||
|
@ -251,6 +252,7 @@ share/doc/mhonarc/resources/fileperms.html
|
|||
share/doc/mhonarc/resources/firstpglink.html
|
||||
share/doc/mhonarc/resources/fldbeg.html
|
||||
share/doc/mhonarc/resources/fldend.html
|
||||
share/doc/mhonarc/resources/followsymlinks.html
|
||||
share/doc/mhonarc/resources/folrefs.html
|
||||
share/doc/mhonarc/resources/folupbegin.html
|
||||
share/doc/mhonarc/resources/folupend.html
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
$NetBSD: distinfo,v 1.16 2011/01/05 09:45:21 spz Exp $
|
||||
$NetBSD: distinfo,v 1.17 2011/01/09 19:59:48 spz Exp $
|
||||
|
||||
SHA1 (MHonArc-2.6.16.tar.bz2) = 8b803a610805fe736036c3dcd2596e2e416a886b
|
||||
RMD160 (MHonArc-2.6.16.tar.bz2) = 31d6659fabdb00b4d4594eda9f5985bd5f3f33b8
|
||||
Size (MHonArc-2.6.16.tar.bz2) = 1562490 bytes
|
||||
SHA1 (patch-ab) = 588a697b7fc22a07ec8974cf7ab06bebf223b799
|
||||
SHA1 (MHonArc-2.6.18.tar.bz2) = 4990889d13cc3f4a2e1c284c55db5abb64e7072e
|
||||
RMD160 (MHonArc-2.6.18.tar.bz2) = 4cf0d8e67050cc573ef81f826938a6c096ff0e93
|
||||
Size (MHonArc-2.6.18.tar.bz2) = 1546854 bytes
|
||||
|
|
|
@ -1,142 +0,0 @@
|
|||
$NetBSD: patch-ab,v 1.1 2011/01/05 09:45:21 spz Exp $
|
||||
|
||||
fixes for CVE-2010-4524 and CVE-2010-1677 taken from the MHonArc cvs
|
||||
|
||||
--- lib/mhtxthtml.pl.orig 2005-05-02 00:04:39.000000000 +0000
|
||||
+++ lib/mhtxthtml.pl
|
||||
@@ -59,6 +59,11 @@ my %special_to_char = (
|
||||
## final filtered HTML messages. Modification is needed so the
|
||||
## resulting filtered message is valid HTML.
|
||||
##
|
||||
+## CAUTION: Some of these options can open up a site to attacks.
|
||||
+## The MIMEFILTERS reference page provide additional
|
||||
+## information on the risks associated with enabling
|
||||
+## a given option.
|
||||
+##
|
||||
## Arguments:
|
||||
##
|
||||
## allowcomments Preserve any comment declarations. Normally
|
||||
@@ -90,6 +95,8 @@ my %special_to_char = (
|
||||
## and Content-Disposition specifies the data as
|
||||
## an attachment, the data is saved to a file
|
||||
## with a link to it from the message page.
|
||||
+## NOTE: This option can expose your site to
|
||||
+## XSS attacks.
|
||||
##
|
||||
## disablerelated Disable MHTML processing.
|
||||
##
|
||||
@@ -100,7 +107,7 @@ my %special_to_char = (
|
||||
## subdir Place derived files in a subdirectory
|
||||
##
|
||||
|
||||
-# DEVELOPER's NOTE:
|
||||
+# CAUTION:
|
||||
# The script stripping code is probably not complete. Since a
|
||||
# whitelist model is not being used -- because full HTML parsing
|
||||
# would be required (and possible reliance on non-standard modules) --
|
||||
@@ -112,6 +119,25 @@ sub filter {
|
||||
my($fields, $data, $isdecode, $args) = @_;
|
||||
$args = '' unless defined $args;
|
||||
|
||||
+ # Bug-32013 (CVE-2010-4524): Invalid tags cause immediate rejection.
|
||||
+ # Bug-32014 (CVE-2010-1677): Prevents DoS if massively nested.
|
||||
+ my $allowcom = $args =~ /\ballowcomments\b/i;
|
||||
+ strip_comments($fields, $data) unless $allowcom;
|
||||
+ if ($$data =~ /<[^>]*</) {
|
||||
+ # XXX: This will reject HTML that includes a '<' char in a
|
||||
+ # comment declaration. Unsure it is worth the hassle
|
||||
+ # to deal with it. Such scenarios would normally indicate
|
||||
+ # hand generated HTML vs how most HTML email is generated.
|
||||
+ # Plus, allowcomments should not be enabled, so they get
|
||||
+ # removed above.
|
||||
+ warn qq/\n/,
|
||||
+ qq/Warning: Invalid HTML detected, rejecting\n/,
|
||||
+ qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
|
||||
+ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
|
||||
+ qq/ Message Number: $mhonarc::MHAmsgnum\n/;
|
||||
+ return undef;
|
||||
+ }
|
||||
+
|
||||
## Check if content-disposition should be checked
|
||||
if ($args =~ /\battachcheck\b/i) {
|
||||
my($disp, $nameparm, $raw) =
|
||||
@@ -134,7 +160,6 @@ sub filter {
|
||||
my $onlycid = $args !~ /\ballownoncidurls\b/i;
|
||||
my $subdir = $args =~ /\bsubdir\b/i;
|
||||
my $norelate = $args =~ /\bdisablerelated\b/i;
|
||||
- my $allowcom = $args =~ /\ballowcomments\b/i;
|
||||
my $atdir = $subdir ? $mhonarc::MsgPrefix.$mhonarc::MHAmsgnum : "";
|
||||
my $tmp;
|
||||
|
||||
@@ -149,6 +174,7 @@ sub filter {
|
||||
warn qq/\n/,
|
||||
qq/Warning: Unrecognized character set: $charset\n/,
|
||||
qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
|
||||
+ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
|
||||
qq/ Message Number: $mhonarc::MHAmsgnum\n/;
|
||||
}
|
||||
|
||||
@@ -341,12 +367,13 @@ sub filter {
|
||||
$$data =~ s/\b$ahref_tmp\b/href/g;
|
||||
}
|
||||
|
||||
+ ## NOTE: Comment strip moved to top.
|
||||
## Check comment declarations: may screw-up mhonarc processing
|
||||
## and avoids someone sneaking in SSIs.
|
||||
- if (!$allowcom) {
|
||||
- #$$data =~ s/<!(?:--(?:[^-]|-[^-])*--\s*)+>//go; # can crash perl
|
||||
- $$data =~ s/<!--[^-]+[#X%\$\[]*/<!--/g; # Just mung them (faster)
|
||||
- }
|
||||
+# if (!$allowcom) {
|
||||
+# #$$data =~ s/<!(?:--(?:[^-]|-[^-])*--\s*)+>//go; # can crash perl
|
||||
+# $$data =~ s/<!--[^-]+[#X%\$\[]*/<!--/g; # Just mung them (faster)
|
||||
+# }
|
||||
|
||||
## Prevent comment spam
|
||||
## <http://www.google.com/googleblog/2005/01/preventing-comment-spam.html>
|
||||
@@ -448,4 +475,45 @@ sub dehtmlize_ascii {
|
||||
|
||||
##---------------------------------------------------------------------------
|
||||
|
||||
+sub strip_comments {
|
||||
+ my $fields = shift; # for diagnostics
|
||||
+ my $data = shift; # ref to text to strip
|
||||
+
|
||||
+ # We avoid using regex since it can lead to performance problems.
|
||||
+ # We also do not do full SGML-style comment declarations since it
|
||||
+ # increases parsing complexity. Here, we just remove any
|
||||
+ # "<!-- ... -->" strings. Although whitespace is allowed between
|
||||
+ # final "--" and ">", we do not support it.
|
||||
+
|
||||
+ my $n = index($$data, '<!--', 0);
|
||||
+ if ($n < 0) {
|
||||
+ # Nothing to do. Good.
|
||||
+ return $data;
|
||||
+ }
|
||||
+
|
||||
+ my $ret = '';
|
||||
+ while ($n >= 0) {
|
||||
+ $ret .= substr($$data, 0, $n);
|
||||
+ substr($$data, 0, $n) = '';
|
||||
+ $n = index($$data, '-->', 0);
|
||||
+ if ($n < 0) {
|
||||
+ # No end to comment declaration: Warn and strip rest of data.
|
||||
+ warn qq/\n/,
|
||||
+ qq/Warning: HTML comment declaration not terminated.\n/,
|
||||
+ qq/ Message-Id: <$mhonarc::MHAmsgid>\n/,
|
||||
+ qq/ Message Subject: /, $fields->{'x-mha-subject'}, qq/\n/,
|
||||
+ qq/ Message Number: $mhonarc::MHAmsgnum\n/;
|
||||
+ $$data = '';
|
||||
+ last;
|
||||
+ }
|
||||
+ substr($$data, 0, $n+3) = '';
|
||||
+ $n = index($$data, '<!--', 0);
|
||||
+ }
|
||||
+ $ret .= $$data;
|
||||
+ $$data = $ret;
|
||||
+ $data;
|
||||
+}
|
||||
+
|
||||
+##---------------------------------------------------------------------------
|
||||
+
|
||||
1;
|