SquirrelMail: Remote Code Execution — GLSA 201709-13

A vulnerability in SquirrelMail might allow remote attackers to execute arbitrary code.

Affected Packages

mail-client/squirrelmail on all architectures
Affected versions < 1.4.23_pre20140426
Unaffected versions

Background

SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP and can optionally be installed with SQL support.

Description

It was discovered that the sendmail.cf file is mishandled in a popen call.

Impact

A remote attacker, by enticing a user to open an e-mail attachment, could execute arbitrary shell commands.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for SquirrelMail and recommends that users unmerge the package:

 # emerge --unmerge "mail-client/squirrelmail"
 

References

Release Date
September 17, 2017

Latest Revision
September 17, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries