rpms/squirrelmail/devel squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch, NONE, 1.1 squirrelmail-1.4.8-CVE-2006-6142-mailto.patch, NONE, 1.1 squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch, NONE, 1.1 squirrelmail.spec, 1.46, 1.47
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/squirrelmail/devel squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch, NONE, 1.1 squirrelmail-1.4.8-CVE-2006-6142-mailto.patch, NONE, 1.1 squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch, NONE, 1.1 squirrelmail.spec, 1.46, 1.47
- Date: Tue, 16 Jan 2007 01:30:15 -0500
Author: wtogami
Update of /cvs/dist/rpms/squirrelmail/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv11080
Modified Files:
squirrelmail.spec
Added Files:
squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch
squirrelmail-1.4.8-CVE-2006-6142-mailto.patch
squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch
Log Message:
CVE-2006-6142
squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch:
compose.php | 8 +++++++-
right_main.php | 2 +-
2 files changed, 8 insertions(+), 2 deletions(-)
--- NEW FILE squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch ---
Index: src/compose.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/compose.php,v
retrieving revision 1.319.2.70
diff -u -r1.319.2.70 compose.php
--- src/compose.php 3 Aug 2006 14:48:09 -0000 1.319.2.70
+++ src/compose.php 28 Nov 2006 14:50:34 -0000
@@ -74,7 +74,11 @@
sqgetGlobalVar('draft_id',$draft_id);
sqgetGlobalVar('ent_num',$ent_num);
sqgetGlobalVar('saved_draft',$saved_draft);
-sqgetGlobalVar('delete_draft',$delete_draft);
+
+if ( sqgetGlobalVar('delete_draft',$delete_draft) ) {
+ $delete_draft = (int)$delete_draft;
+}
+
if ( sqgetGlobalVar('startMessage',$startMessage) ) {
$startMessage = (int)$startMessage;
} else {
@@ -296,6 +319,8 @@
if (!isset($composesession)) {
$composesession = 0;
sqsession_register(0,'composesession');
+} else {
+ $composesession = (int)$composesession;
}
if (!isset($session) || (isset($newmessage) && $newmessage)) {
Index: src/right_main.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/right_main.php,v
retrieving revision 1.104.2.16
diff -u -r1.104.2.16 right_main.php
--- src/right_main.php 30 Sep 2006 07:38:03 -0000 1.104.2.16
+++ src/right_main.php 28 Nov 2006 14:50:34 -0000
@@ -148,7 +148,7 @@
if ($composenew) {
$comp_uri = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox).
- "&session=$session";
+ "&session=" .urlencode($session);
displayPageHeader($color, $mailbox, "comp_in_new('$comp_uri');", false);
} else {
displayPageHeader($color, $mailbox);
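Review bot: `$comp_uri` is interpolated into a single-quoted JavaScript string in `comp_in_new('$comp_uri')`, so this line is only safe because `urlencode()` also encodes quote characters; that dependency deserves a comment such as `// urlencode() also encodes ' and ", so the value cannot close the JS string below`. If `$session` is always a compose-session number (not visible in this hunk), casting it with `(int)$session` before building the URI would match the `composesession` handling this patch adds to compose.php and be stricter than encoding. The enclosing block starts outside the hunk.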
squirrelmail-1.4.8-CVE-2006-6142-mailto.patch:
compose.php | 19 +++++++++++++++++++
login.php | 8 ++++----
mailto.php | 17 +++++++++--------
redirect.php | 10 +++++-----
webmail.php | 9 +++++----
5 files changed, 42 insertions(+), 21 deletions(-)
--- NEW FILE squirrelmail-1.4.8-CVE-2006-6142-mailto.patch ---
Index: src/compose.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/compose.php,v
retrieving revision 1.319.2.70
diff -u -r1.319.2.70 compose.php
--- src/compose.php 3 Aug 2006 14:48:09 -0000 1.319.2.70
+++ src/compose.php 28 Nov 2006 14:50:34 -0000
@@ -96,6 +100,25 @@
/** GET VARS */
sqgetGlobalVar('attachedmessages', $attachedmessages, SQ_GET);
+/**
+ * Here we decode the data passed in from mailto.php.
+ */
+if ( sqgetGlobalVar('mailtodata', $mailtodata, SQ_GET) ) {
+ $trtable = array('to' => 'send_to',
+ 'cc' => 'send_to_cc',
+ 'bcc' => 'send_to_bcc',
+ 'body' => 'body',
+ 'subject' => 'subject');
+ $mtdata = unserialize($mailtodata);
+
+ foreach ($trtable as $f => $t) {
+ if ( !empty($mtdata[$f]) ) {
+ $$t = $mtdata[$f];
+ }
+ }
+ unset($mailtodata,$mtdata, $trtable);
+}
+
/* Location (For HTTP 1.1 Header("Location: ...") redirects) */
$location = get_location();
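Review bot: `unserialize($mailtodata)` is called on a value read straight from the query string (`SQ_GET`), so the request controls what gets deserialized, and the result may be `false`, a scalar or an object rather than the array the loop expects. At minimum guard the loop with `if (is_array($mtdata))` and copy only string values, `if (!empty($mtdata[$f]) && is_string($mtdata[$f]))`. Since mailto.php only hands over five string fields, passing them as individually URL-encoded parameters, or in an encoding that cannot instantiate objects, would avoid deserializing request data at all. The same `mailtodata` value is forwarded unchanged by login.php, redirect.php and webmail.php in this patch, so the check belongs here at the point of use.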
Index: src/login.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/login.php,v
retrieving revision 1.98.2.14
diff -u -r1.98.2.14 login.php
--- src/login.php 3 Aug 2006 14:48:09 -0000 1.98.2.14
+++ src/login.php 28 Nov 2006 14:50:34 -0000
@@ -113,10 +113,10 @@
do_hook('login_top');
-if(sqgetGlobalVar('mailto', $mailto)) {
- $rcptaddress = addHidden('mailto', $mailto);
+if(sqgetGlobalVar('mailtodata', $mailtodata)) {
+ $mailtofield = addHidden('mailtodata', $mailtodata);
} else {
- $rcptaddress = '';
+ $mailtofield = '';
}
/* If they don't have a logo, don't bother.. */
@@ -169,7 +169,7 @@
html_tag( 'td',
addPwField($password_form_name).
addHidden('js_autodetect_results', SMPREF_JS_OFF).
- $rcptaddress .
+ $mailtofield .
addHidden('just_logged_in', '1'),
'left', '', 'width="*"' )
) ,
Index: src/mailto.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/mailto.php,v
retrieving revision 1.11.2.4
diff -u -r1.11.2.4 mailto.php
--- src/mailto.php 2 Jun 2006 15:51:50 -0000 1.11.2.4
+++ src/mailto.php 28 Nov 2006 14:50:34 -0000
@@ -41,6 +41,8 @@
'subject' => 'subject');
$url = '';
+$data = array();
+
if(sqgetGlobalVar('emailaddress', $emailaddress)) {
$emailaddress = trim($emailaddress);
if(stristr($emailaddress, 'mailto:')) {
@@ -50,33 +52,32 @@
list($emailaddress, $a) = explode('?', $emailaddress, 2);
if(strlen(trim($a)) > 0) {
$a = explode('=', $a, 2);
- $url .= $trtable[strtolower($a[0])] . '=' . urlencode($a[1]) . '&';
+ $data[strtolower($a[0])] = $a[1];
}
}
- $url = 'send_to=' . urlencode($emailaddress) . '&' . $url;
+ $data['to'] = $emailaddress;
/* CC, BCC, etc could be any case, so we'll fix them here */
foreach($_GET as $k=>$g) {
$k = strtolower($k);
if(isset($trtable[$k])) {
$k = $trtable[$k];
- $url .= $k . '=' . urlencode($g) . '&';
+ $data[$k] = $g;
}
}
- $url = substr($url, 0, -1);
}
sqsession_is_active();
if($force_login == false && sqsession_is_registered('user_is_logged_in')) {
if($compose_only == true) {
- $redirect = 'compose.php?' . $url;
+ $redirect = 'compose.php?mailtodata=' . urlencode(serialize($data));
} else {
- $redirect = 'webmail.php?right_frame=compose.php?' . urlencode($url);
+ $redirect = 'webmail.php?mailtodata=' . urlencode(serialize($data));
}
} else {
- $redirect = 'login.php?mailto=' . urlencode($url);
+ $redirect = 'login.php?mailtodata=' . urlencode(serialize($data));
}
session_write_close();
header('Location: ' . get_location() . '/' . $redirect);
-?>
\ No newline at end of file
+?>
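Review bot: In the `$_GET` loop the key is still translated through `$trtable` before it is stored (`$k = $trtable[$k]; $data[$k] = $g;`), but compose.php now looks the fields up under the untranslated names `to`, `cc`, `bcc`, `body` and `subject`. If mailto.php's `$trtable` (defined above this hunk; only its last line is visible) still maps `cc` to `send_to_cc`, then cc and bcc passed as separate query parameters are stored under keys compose.php never reads. Dropping the translation line, so the loop stores `$data[$k] = $g;` under the lower-cased name, would keep both sides in agreement. The earlier assignment `$data[strtolower($a[0])] = $a[1];` also accepts any key and reads `$a[1]` without checking that an `=` was present; an `isset($trtable[...])` test and an `isset($a[1])` test would tighten it.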
Index: src/redirect.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/redirect.php,v
retrieving revision 1.72.2.13
diff -u -r1.72.2.13 redirect.php
--- src/redirect.php 3 Aug 2006 15:13:36 -0000 1.72.2.13
+++ src/redirect.php 28 Nov 2006 14:50:34 -0000
@@ -52,8 +52,8 @@
$squirrelmail_language = $squirrelmail_default_language;
}
-if (!sqgetGlobalVar('mailto', $mailto)) {
- $mailto = '';
+if (!sqgetGlobalVar('mailtodata', $mailtodata)) {
+ $mailtodata = '';
}
@@ -159,9 +159,9 @@
unset($session_expired_location);
}
-if($mailto != '') {
- $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailto=';
- $redirect_url .= urlencode($mailto);
+if($mailtodata != '') {
+ $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailtodata=';
+ $redirect_url .= urlencode($mailtodata);
}
Index: src/webmail.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/webmail.php,v
retrieving revision 1.92.2.19
diff -u -r1.92.2.19 webmail.php
--- src/webmail.php 3 Aug 2006 14:48:09 -0000 1.92.2.19
+++ src/webmail.php 28 Nov 2006 14:50:34 -0000
@@ -52,11 +52,12 @@
$mailbox = 'INBOX';
}
-if(!sqgetGlobalVar('mailto', $mailto)) {
- $mailto = '';
+if(sqgetGlobalVar('mailtodata', $mailtodata)) {
+ $mailtourl = 'mailtodata='.urlencode($mailtodata);
+} else {
+ $mailtourl = '';
}
-
is_logged_in();
do_hook('webmail_top');
@@ -151,7 +152,7 @@
$right_frame_url = 'folders.php';
break;
case 'compose.php':
- $right_frame_url = 'compose.php?' . $mailto;
+ $right_frame_url = 'compose.php?' . $mailtourl;
break;
case '':
$right_frame_url = 'right_main.php';
squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch:
mime.php | 181 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 168 insertions(+), 13 deletions(-)
--- NEW FILE squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch ---
Using a customized patch because the upstream provided patches reportedly against 1.4.8 were incorrectly formed.
Resolves:
- Security: close cross site scripting vulnerability in draft, compose
and mailto functionality [CVE-2006-6142].
- Security: work around an issue in Internet Explorer that would guess
the mime type of a file based on contents, not Content-Type header.
- XSS fixes, all related to the magicHtml filter
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/tags/rel-1_4_9a/squirrelmail/functions/mime.php?r1=11980&r2=11217
patch from 1.4.8 to 1.4.9 of mime.php
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/tags/rel-1_4_9a/squirrelmail/functions/mime.php?r1=11217&r2=11967&diff_format=u
This seemingly unrelated bugfix backed out
diff -urN squirrelmail-1.4.8/functions/mime.php squirrelmail-1.4.8.mime.php/functions/mime.php
--- squirrelmail-1.4.8/functions/mime.php 2006-06-20 02:14:53.000000000 -0400
+++ squirrelmail-1.4.8.mime.php/functions/mime.php 2007-01-16 00:24:20.000000000 -0500
@@ -477,7 +477,11 @@
if ($where && $what) {
$defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
}
-
+ // IE does make use of mime content sniffing. Forcing a download
+ // prohibit execution of XSS inside an application/octet-stream attachment
+ if ($type0 == 'application' && $type1 == 'octet-stream') {
+ $defaultlink .= '&absolute_dl=true';
+ }
/* This executes the attachment hook with a specific MIME-type.
* If that doesn't have results, it tries if there's a rule
* for a more generic type.
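Review bot: The test `$type0 == 'application' && $type1 == 'octet-stream'` is case-sensitive, while MIME type names are not. Unless `$type0` and `$type1` are lower-cased before this point (not visible in the hunk), a differently cased type skips the forced download. Comparing `strtolower($type0)` and `strtolower($type1)` would close that gap. The added comment would read more clearly as `// IE sniffs content regardless of Content-Type; force a download so an application/octet-stream attachment is never rendered inline`.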
@@ -1019,6 +1023,75 @@
}
/**
+ * Translate all dangerous Unicode or Shift_JIS characters which are acepted by
+ * IE as regular characters.
+ *
+ * @param attvalue The attribute value before dangerous characters are translated.
+ * @return attvalue Nothing, modifies a reference value.
+ * @author Marc Groot Koerkamp.
+ */
+function sq_fixIE_idiocy(&$attvalue) {
+ // remove NUL
+ $attvalue = str_replace("\0", "", $attvalue);
+ // remove comments
+ $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue);
+
+ // IE has the evil habit of excepting every possible value for the attribute expression
+ // The table below contain characters which are valid in IE if they are used in the "expression"
+ // attribute value.
+ $aDangerousCharsReplacementTable = array(
+ array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */
+ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */
+ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */
+ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */
+ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */
+ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */
+ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */
+ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */
+ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */
+ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */
+ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */
+ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */
+ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */
+ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */
+ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */
+ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */
+ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */
+ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */
+ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */
+ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */
+ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */
+ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */
+ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */
+ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */
+ '艤', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some chinese char range
+ '芅', /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */
+ '艷', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */
+ '芘', /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */
+ '良', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */
+ '芐', /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */
+ '艱', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */
+ '芒', /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */
+ '色', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */
+ '芓', /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */
+ '艨', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */
+ '芉', /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */
+ '艮', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */
+ '芏', /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */
+ '艭', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */
+ '芎'), /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */
+ array('l', 'l', 'r','r','n','n',
+ 'E','E','e','e','X','X','x','x','P','P','p','p','S','S','s','s','I','I',
+ 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n',
+ 'E','e','X','x','P','p','S','s','I','i','O','o','N','n'));
+ $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue);
+
+ // Escapes are usefull for special characters like "{}[]()'&. In other cases they are
+ // used for XSS
+ $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue);
+}
+
+/**
* This function returns the final tag out of the tag name, an array
* of attributes, and the type of the tag. This function is called by
* sq_sanitize internally.
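Review bot: The two arrays passed to `str_replace()` in `sq_fixIE_idiocy()` are not the same length: the search list has 64 entries and the replacement list 57. The replacement list has no `'R','R','r','r'` for the fullwidth R pair, only one `'n'` for the superscript-n pair, and no `'R','r'` in the Shift JIS run. From the fullwidth R onward every search character is therefore mapped to the wrong letter, and the last seven are replaced with an empty string, so the folded value no longer spells the keyword the later filters look for. The replacement list below restores a one-to-one mapping. The docblock should also describe the parameter as `@param string $attvalue` (passed by reference) and correct the spelling of "accepted".

```php
// … unchanged: NUL/comment stripping and the 64-entry search array …
        array('l', 'l', 'r','r','n','n',
              'E','E','e','e','X','X','x','x','P','P','p','p','R','R','r','r','S','S','s','s','I','I',
              'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n','n',
              'E','e','X','x','P','p','R','r','S','s','I','i','O','o','N','n'));
// … unchanged: str_replace() call and backslash-escape stripping …
```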
@@ -1484,10 +1557,23 @@
}
}
}
+
+ /**
+ * Workaround for IE quirks
+ */
+ sq_fixIE_idiocy($attvalue);
+
/**
* Remove any backslashes, entities, and extraneous whitespace.
*/
+ $oldattvalue = $attvalue;
sq_defang($attvalue);
+ if ($attname == 'style' && $attvalue !== $oldattvalue) {
+ // entities are used in the attribute value. In 99% of the cases it's there as XSS
+ // i.e.<div style="{ left:expʀessioɴ( alert('XSS') ) }">
+ $attvalue = "idiocy";
+ $attary{$attname} = $attvalue;
+ }
sq_unspace($attvalue);
/**
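Review bot: `$attary{$attname}` uses the curly-brace offset syntax, which PHP deprecated in 7.4 and removed in 8.0; `$attary[$attname] = $attvalue;` is equivalent and keeps working. The same applies to `$body{$i}` and `$body{$i+2}` in the `sq_fixstyle` hunk that follows. Separately, `$oldattvalue` is captured after `sq_fixIE_idiocy()` has run, so only changes made by `sq_defang()` trigger the `style` rejection; a comment saying that this is intended would help. The enclosing function starts outside the hunk.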
@@ -1567,12 +1653,69 @@
function sq_fixstyle($body, $pos, $message, $id, $mailbox){
global $view_unsafe_images;
$me = 'sq_fixstyle';
- $ret = sq_findnxreg($body, $pos, '</\s*style\s*>');
- if ($ret == FALSE){
+
+ // workaround for </style> in between comments
+ $iCurrentPos = $pos;
+ $content = '';
+ $sToken = '';
+ $bSucces = false;
+ $bEndTag = false;
+ for ($i=$pos,$iCount=strlen($body);$i<$iCount;++$i) {
+ $char = $body{$i};
+ switch ($char) {
+ case '<':
+ $sToken .= $char;
+ break;
+ case '/':
+ if ($sToken == '<') {
+ $sToken .= $char;
+ $bEndTag = true;
+ } else {
+ $content .= $char;
+ }
+ break;
+ case '>':
+ if ($bEndTag) {
+ $sToken .= $char;
+ if (preg_match('/\<\/\s*style\s*\>/i',$sToken,$aMatch)) {
+ $newpos = $i + 1;
+ $bSucces = true;
+ break 2;
+ } else {
+ $content .= $sToken;
+ }
+ $bEndTag = false;
+ } else {
+ $content .= $char;
+ }
+ break;
+ case '!':
+ if ($sToken == '<') {
+ // possible comment
+ if (isset($body{$i+2}) && substr($body,$i,3) == '!--') {
+ $i = strpos($body,'-->',$i+3);
+ if ($i === false) { // no end comment
+ $i = strlen($body);
+ }
+ $sToken = '';
+ }
+ } else {
+ $content .= $char;
+ }
+ break;
+ default:
+ if ($bEndTag) {
+ $sToken .= $char;
+ } else {
+ $content .= $char;
+ }
+ break;
+ }
+ }
+ if ($bSucces == FALSE){
return array(FALSE, strlen($body));
}
- $newpos = $ret[0] + strlen($ret[2]);
- $content = $ret[1];
+
/**
* First look for general BODY style declaration, which would be
* like so:
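Review bot: `$sToken` is appended to on every `<` and is never cleared except after a comment. Once the style block contains a `<` that does not start `</style>` (or a non-matching `</...>`), the later test `$sToken == '<'` can no longer succeed and the real end tag appears to be missed, leaving the function to return `array(FALSE, strlen($body))`. Starting a fresh token in the `<` case (`$sToken = $char; $bEndTag = false;`) and clearing it after the non-matching `>` branch (`$sToken = '';`) would keep the scanner's state bounded. After a comment is skipped, `$i` is left on the first character of `-->`, so `->` is copied into `$content`; advancing to `strpos(...) + 2` when the terminator is found avoids that. A short comment describing what `$sToken`, `$bEndTag` and `$bSucces` track would help the next reader.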
@@ -1581,12 +1724,18 @@
*/
$content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content);
$secremoveimg = '../images/' . _("sec_remove_eng.png");
+
+ // IE Sucks hard. We have a special function for it.
+ sq_fixIE_idiocy($content);
+
+ // remove @import line
+ $content = preg_replace("/^\s*(@import.*)$/mi","\n<!-- @import rules forbidden -->\n",$content);
+
/**
* Fix url('blah') declarations.
*/
- // remove NUL
- $content = str_replace("\0", "", $content);
// translate ur\l and variations into url (IE parses that)
+ // TODO check if the sq_fixIE_idiocy function already handles this.
$content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",'url', $content);
// NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
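Review bot: The `@import` pattern `/^\s*(@import.*)$/mi` is anchored to the start of a line, so a rule that follows other text on the same line is left in `$content`. Using the same pattern without the anchor, `"/@import.*$/mi"`, makes the removal independent of line layout. The new TODO about `sq_fixIE_idiocy()` should also be settled: that function already strips a backslash before a letter, so either drop the `(\\\\)?` groups from the `url` pattern or replace the TODO with a comment saying they are kept as a second line of defence. The enclosing function starts and ends outside the hunk.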
@@ -1645,11 +1794,13 @@
* in IE.
*/
$match = Array('/\/\*.*\*\//',
- '/expression/i',
- '/behaviou*r/i',
- '/binding/i',
- '/include-source/i');
- $replace = Array('', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/expression/i',
+ '/behaviou*r/i',
+ '/binding/i',
+ '/include-source/i',
+ '/javascript/i',
+ '/script/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
$contentNew = preg_replace($match, $replace, $contentTemp);
if ($contentNew !== $contentTemp) {
// insecure css declarations are used. From now on we don't care
@@ -2191,11 +2342,15 @@
// This works for most types, but doesn't work with Word files
header ("Content-Type: application/download; name=\"$filename\"");
-
+ // This is to prevent IE for MIME sniffing and auto open a file in IE
+ header ("Content-Type: application/force-download; name=\"$filename\"");
// These are spares, just in case. :-)
//header("Content-Type: $type0/$type1; name=\"$filename\"");
//header("Content-Type: application/x-msdownload; name=\"$filename\"");
//header("Content-Type: application/octet-stream; name=\"$filename\"");
+ } else if ($isIE) {
+ // This is to prevent IE for MIME sniffing and auto open a file in IE
+ header ("Content-Type: application/force-download; name=\"$filename\"");
} else {
// another application/octet-stream forces download for Netscape
header ("Content-Type: application/octet-stream; name=\"$filename\"");
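Review bot: The added `header ("Content-Type: application/force-download; name=\"$filename\"");` immediately follows the existing `application/download` header. PHP's `header()` replaces an earlier header of the same name by default, so the first call no longer has any effect; remove it or move it to the commented-out spares so the effective type is obvious. `$filename` is interpolated inside a quoted parameter in both new calls; if it is not already stripped of `"` and control characters before this point (not visible in the hunk), that should happen before it is used here. The enclosing `if` starts outside the hunk.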
Index: squirrelmail.spec
===================================================================
RCS file: /cvs/dist/rpms/squirrelmail/devel/squirrelmail.spec,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- squirrelmail.spec 16 Aug 2006 02:07:24 -0000 1.46
+++ squirrelmail.spec 16 Jan 2007 06:30:13 -0000 1.47
@@ -6,7 +6,7 @@
Summary: SquirrelMail webmail client
Name: squirrelmail
Version: 1.4.8
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPL
URL: http://www.squirrelmail.org/
Group: Applications/Internet
@@ -21,6 +21,11 @@
Patch3: squirrelmail-1.4.6-japanese-multibyte-view-text.patch
Patch4: squirrelmail-1.4.6-japanese-multibyte-view-body.patch
Patch5: squirrelmail-1.4.7-ja-translate.patch
+# CVE-2006-6142
+Patch100: squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch
+Patch101: squirrelmail-1.4.8-CVE-2006-6142-mailto.patch
+Patch102: squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: gettext
@@ -45,6 +50,11 @@
%patch3 -p1
%patch4 -p1
+# CVE-2006-6142
+%patch100 -p0
+%patch101 -p0
+%patch102 -p1
+
mkdir locale_tempdir
cd locale_tempdir
tar xfj %SOURCE4
@@ -246,6 +256,9 @@
%{_sysconfdir}/cron.daily/squirrelmail.cron
%changelog
+* Mon Jan 15 2006 Warren Togami <wtogami redhat com> 1.4.8-3
+- CVE-2006-6142
+
* Tue Aug 15 2006 Warren Togami <wtogami redhat com> 1.4.8-2
- more Japanese filename fixes (#195639)