Re: Strange CVE situation (at least one ID should come of this)
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 03 Dec 2012 22:26:29 -0700
On 10/26/2012 01:54 PM, Josh Bressers wrote:
> This Squirrelmail plugin came to my attention a few weeks back:
> It's from 2004, which is suspect in itself, but I took a look after
> someone asked. It's pretty scary in there.
> If I was to list the security problems I found after a few minutes
> of looking, they are:
> * It uses MD5 passwords

Going with this one since there's a good number of MD5-related CVEs.
Please use CVE-2012-5623 for this issue.

> * The shadow file is directly modified without locking (which could
>   lead to a race condition)
> * If you get the password wrong, it doesn't unlink the empty
>   temporary file.
> None are really a big deal, you *could* run this and probably never
> notice these problems.
> Fundamentally though, this thing should get one CVE ID that
> basically says "don't use this". How have situations like this been
> handled in the past?
> I mailed the Squirrelmail security team. They never responded.
> Regardless of their response though, the plugin site says it has
> been downloaded more than 100K times, so I suspect it's still in
> use somewhere. My goal in this CVE request is to raise awareness so
> hopefully people stop using this (and get the Squirrelmail guys to
> remove it from their site).

Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
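
The three problems listed in the quoted message (MD5 password hashes, unlocked writes to the password file, a temporary file left behind after a wrong password), shown in hardened form as an added example. This is not the plugin's code: the `user:salt$digest` file format, the function names, the PBKDF2 parameters and the `.lock` file are assumptions for illustration, and it targets a sample file rather than the system shadow file.

```python
import fcntl, hashlib, hmac, os, tempfile

ITERATIONS = 200_000  # assumed work factor for this sketch

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 instead of a bare MD5 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def change_password(path, user, old, new):
    """Return True if the entry was replaced; no temp file survives either way."""
    lock_fd = os.open(path + ".lock", os.O_CREAT | os.O_RDWR, 0o600)
    tmp_path = None
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)  # serialise concurrent writers
        with open(path) as fh:
            entries = dict(line.rstrip("\n").split(":", 1)
                           for line in fh if line.strip())
        # Check the old password before any temporary file exists.
        if user not in entries or not verify_password(old, entries[user]):
            return False
        entries[user] = hash_password(new)
        # mkstemp creates the file with mode 0600 in the same directory,
        # so the rename below stays on one filesystem.
        tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(tmp_fd, "w") as tmp:
            tmp.writelines(f"{u}:{h}\n" for u, h in entries.items())
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_path, path)  # atomic swap; readers never see a partial file
        tmp_path = None
        return True
    finally:
        if tmp_path and os.path.exists(tmp_path):
            os.unlink(tmp_path)  # failure after mkstemp: remove the leftover
        os.close(lock_fd)  # closing the descriptor releases the flock
```

The lock only helps if every writer of the file takes the same lock, which is why system tools coordinate on a shared lock file rather than each inventing their own.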