Bug 554866 - <mail-client/roundcube-1.1.2: multiple vulnerabilities
Summary: <mail-client/roundcube-1.1.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Reported: 2015-07-14 10:04 UTC by Agostino Sarubbo
Modified: 2016-03-09 09:32 UTC (History)

Description Agostino Sarubbo gentoo-dev 2015-07-14 10:04:32 UTC
From ${URL} :

From https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
 
> The security-related fixes in particular are:
> * XSS vulnerability in _mbox argument

Fix XSS vulnerability in _mbox argument handling (#1490417)
http://trac.roundcube.net/ticket/1490417

The XSS-vulnerability can be triggered by appending malicious script
code to the _mbox-parameter. The following example will pop an alert box:

https://{YOURSERVER}/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E

Attackers could use this vulnerability to steal cookies or extract
email-content.

Commit:
1.1: http://trac.roundcube.net/changeset/b782815dac/github
Not claimed to affect 1.0.

> * security improvement in contact photo handling

Fix security issue in contact photo handling (#1490379)
http://trac.roundcube.net/ticket/1490379

There is a potential for an arbitrary read from an authenticated user
who uploads a contact (vCard) with a specially crafted POST.
[...]
by supplying the "_alt" param in the POST. User must be authenticated.
[...]
I was able to read any file on disk (the apache has access to, e.g.
config/config.inc.php) using GET request

Commits:
1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github

> * potential info disclosure from temp directory

Fix potential info disclosure issue by protecting directory access (#1490378)
http://trac.roundcube.net/ticket/1490378

The logs directory is not protected from browsing. Most log entries are
not bad, but one became evident on my host that was pretty nasty.

It looked like the following:

[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('ijpv9kqofvpksxxxxxxxx', 'xxxxxxxxxxxxxxxxxxxxxxx=', 
'108.61.90.131', now(), now())) in /var/www/html/roundcubemail-1.1.1/program/lib/Roundcube/rcube_db.php on line 543 (POST /roundcubemail-1.1.1/?_task=mail&_action=refresh?_task=&_action=)

I obfuscated the sensitive fields, but this would be enough for a
non-credential user to view the file (via the webroot/logs/errors file),
and then replace their own cookies with the entry from above to log in
as a user that was listed there.

This seems to be a very rare occurrence, but considering that other
SQL/other actions might report other sensitive data into this file, it
might be worth automatically protecting this directory with an .htaccess
file, or prepending a php tag to avoid overt reading by any
unauthenticated user.

Commits:
http://trac.roundcube.net/changeset/012555c1c/github
1.1: http://trac.roundcube.net/changeset/16640c7fb0c8/github
Not claimed to affect 1.0.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
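The _mbox XSS above is a textbook attribute break-out: the decoded parameter contains a double quote, a closing angle bracket and a script tag, so any page that interpolates it into a quoted HTML attribute without escaping ends up with a live script element. The block below is an added example, not Roundcube's code and not from the reporter: it decodes the PoC URL quoted in the report, renders it through a stand-in template both naively and with entity encoding, and scans constructed Apache access-log lines for requests carrying markup in _mbox (the log lines, template and IPs are invented for the demonstration).

```python
"""Reflected XSS through the mailbox name: the break-out and the fix.

Added example, not Roundcube's own code and not from the bug report's
author. The PoC URL quoted in the report is reused; the HTML template is a
stand-in for any page that echoes the _mbox value into an attribute, and
the access-log lines are constructed for the detection function.
"""
import html
import re
from urllib.parse import parse_qs

# PoC URL from the report (placeholder host kept as-is).
POC_URL = ("https://{YOURSERVER}/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3E"
           "alert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E")


def mbox_from_url(url: str) -> str:
    """Return the decoded _mbox value exactly as server-side code would receive it."""
    query = url.split("?", 1)[1]
    return parse_qs(query)["_mbox"][0]


def render_naive(mbox: str) -> str:
    """Vulnerable pattern: raw interpolation into a quoted attribute."""
    return f'<input type="hidden" name="_mbox" value="{mbox}">'


def render_escaped(mbox: str) -> str:
    """Fixed pattern: entity-encode; quote=True also encodes the quote characters."""
    return f'<input type="hidden" name="_mbox" value="{html.escape(mbox, quote=True)}">'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """True if the rendered markup contains a live <script> tag."""
    return SCRIPT_TAG.search(markup) is not None


# Constructed Apache combined-format access log lines (not from the report).
ACCESS_LOG = """\
203.0.113.7 - - [14/Jul/2015:10:04:32 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5123
203.0.113.9 - - [14/Jul/2015:10:05:01 +0000] "GET /?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5201
203.0.113.7 - - [14/Jul/2015:10:05:40 +0000] "GET /?_task=mail&_mbox=INBOX.Sent HTTP/1.1" 200 4987
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MARKUP_CHARS = re.compile(r"[<>\"']")


def suspicious_mbox_requests(log_text: str) -> list:
    """Return (client_ip, decoded _mbox) for requests whose mailbox name carries markup.

    Real IMAP folder names very rarely contain <, >, " or ', so matching on the
    decoded value is a low-noise indicator for this bug and its variants.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        params = parse_qs(m.group(1).split("?", 1)[1])
        for value in params.get("_mbox", []):
            if MARKUP_CHARS.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    mbox = mbox_from_url(POC_URL)
    print("naive  :", render_naive(mbox))
    print("escaped:", render_escaped(mbox))
    print("hits   :", suspicious_mbox_requests(ACCESS_LOG))
```

The detector decodes before matching, since the raw log line only ever shows the percent-encoded form; scanning for `%3Cscript` alone misses mixed-case and double-encoded variants.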
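The contact-photo issue is an authenticated arbitrary file read: a request parameter ends up naming a file the web server then opens. The general defence, independent of how Roundcube's handler was structured, is to resolve the requested name and refuse anything that does not land inside the one directory it is allowed to come from. The block below is an added example, not Roundcube's code: the directory layout, file names and the `_alt`-style request values are constructed for the demonstration, and `safe_read` is an illustrative helper, not a Roundcube function.

```python
"""Confining a user-supplied file name to one directory.

Added example, not Roundcube's own code. The report says an authenticated
user could read any file the web server can read by supplying an "_alt"
parameter to the contact-photo handler; the defect class is using a request
parameter as part of a file path without checking that the resolved path
stays inside the intended directory. The layout below is constructed.
"""
import os
import tempfile


class PathOutsideBase(Exception):
    """Raised when the requested file resolves outside the allowed directory."""


def safe_read(base_dir: str, requested: str) -> bytes:
    """Read `requested` only if it resolves to a regular file under `base_dir`.

    realpath() collapses ".." segments and follows symlinks, so both
    "../config/config.inc.php" and a symlink planted inside the photo
    directory are caught by the containment check that follows.
    """
    base = os.path.realpath(base_dir)
    # Absolute paths and NUL bytes never name a photo; reject them outright.
    if os.path.isabs(requested) or "\x00" in requested:
        raise PathOutsideBase(requested)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath() rather than startswith(): "/srv/photos-old" must not pass for "/srv/photos".
    if os.path.commonpath([base, target]) != base:
        raise PathOutsideBase(requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Create a constructed install-like layout in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="rc-demo-")
    os.makedirs(os.path.join(root, "photos"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "photos", "alice.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8JPEG-BYTES")                       # constructed photo payload
    with open(os.path.join(root, "config", "config.inc.php"), "w") as fh:
        fh.write("<?php $config['db_dsnw'] = 'secret';")    # constructed secret
    # A symlink inside the photo directory that points at the config file.
    os.symlink(os.path.join(root, "config", "config.inc.php"),
               os.path.join(root, "photos", "link.jpg"))
    return root


def demo() -> dict:
    """Try the request shapes that matter and report which were served."""
    root = build_demo_tree()
    photos = os.path.join(root, "photos")
    results = {}
    for name in ("alice.jpg", "../config/config.inc.php", "link.jpg", "/etc/hostname"):
        try:
            results[name] = safe_read(photos, name)
        except (PathOutsideBase, FileNotFoundError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:35} -> {outcome!r}")
```

The symlink case is the one most string-based filters miss: the name "link.jpg" looks harmless, and only resolving it shows that it leaves the directory.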
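The logs-directory issue is a deployment hardening point as much as a code bug: an error line carrying a session id is only dangerous if an unauthenticated visitor can fetch `logs/errors` through the web server. The reporter's suggestion is an `.htaccess` deny rule. The block below is an added example, not Roundcube's code: it builds a constructed install tree, writes the Apache 2.4 (`Require all denied`) and 2.2 (`Deny from all`) rule forms into two of the sensitive directories, reports which directories still lack one, and extracts the session ids a reader of an exposed error log would obtain. The sample log line is modelled on the one quoted in the report with the IP replaced; the rule check cannot see the vhost's `AllowOverride`, which decides whether `.htaccess` is honoured at all.

```python
"""Checking that logs/, temp/ and config/ are not web-browsable.

Added example, not Roundcube's own code. The checker walks a constructed
install tree and reports sensitive directories without an Apache deny rule;
the error-log sample is modelled on the line quoted in the report.
"""
import os
import re
import tempfile

SENSITIVE_DIRS = ("logs", "temp", "config")   # must never be served by the web server
DENY_RULES = (
    re.compile(r"^\s*Require\s+all\s+denied", re.I | re.M),   # Apache 2.4 syntax
    re.compile(r"^\s*Deny\s+from\s+all", re.I | re.M),        # Apache 2.2 syntax
)

# Constructed, modelled on the report's line; session id and IP are fake.
SAMPLE_ERROR_LOG = (
    "[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry "
    "'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` "
    "(`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('ijpv9kqofvpksxxxxxxxxxxxx', "
    "'xxxx=', '203.0.113.5', now(), now())) in rcube_db.php on line 543\n"
)


def dir_is_denied(directory: str) -> bool:
    """True if the directory's .htaccess contains a blanket deny in either syntax."""
    htaccess = os.path.join(directory, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return any(rule.search(text) for rule in DENY_RULES)


def unprotected_dirs(install_root: str) -> list:
    """Sensitive directories that exist under install_root and carry no deny rule."""
    return [d for d in SENSITIVE_DIRS
            if os.path.isdir(os.path.join(install_root, d))
            and not dir_is_denied(os.path.join(install_root, d))]


SESSION_ID_RE = re.compile(r"Duplicate entry '([0-9a-z]+)' for key 'PRIMARY'")


def leaked_session_ids(error_log_text: str) -> list:
    """Session ids that appear verbatim in DB duplicate-key errors in the log."""
    return SESSION_ID_RE.findall(error_log_text)


def build_demo_install(protect_logs: bool) -> str:
    """Constructed install tree: temp/ protected (2.2 rule), config/ unprotected,
    logs/ protected with the 2.4 rule only when protect_logs is set."""
    root = tempfile.mkdtemp(prefix="rc-install-")
    for d in SENSITIVE_DIRS:
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "logs", "errors"), "w") as fh:
        fh.write(SAMPLE_ERROR_LOG)
    with open(os.path.join(root, "temp", ".htaccess"), "w") as fh:
        fh.write("Order deny,allow\nDeny from all\n")
    if protect_logs:
        with open(os.path.join(root, "logs", ".htaccess"), "w") as fh:
            fh.write("Require all denied\n")
    return root


if __name__ == "__main__":
    root = build_demo_install(protect_logs=False)
    print("unprotected:", unprotected_dirs(root))
    with open(os.path.join(root, "logs", "errors")) as fh:
        print("leaked session ids:", leaked_session_ids(fh.read()))
```

A passing check here is necessary but not sufficient: the same directories should also be denied in the vhost configuration (or kept outside the document root), since `.htaccess` files are ignored when `AllowOverride None` is in effect.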
Comment 1 Josh G 2015-07-23 15:29:42 UTC
For 1.0.6, I just renamed the ebuild and compiled. It's been working fine for about a month.
Comment 2 Tomáš Mózes 2015-07-23 18:52:03 UTC
Same here.
Comment 3 Tomáš Mózes 2015-08-05 11:39:34 UTC
Any progress here please? It's a trivial bump for 1.0.6.
Comment 4 Josh G 2015-08-24 06:33:50 UTC
Tomas: I think all the attention is going to 1.1.1. I simply updated my local tree with a renamed 1.0.5 ebuild for 1.0.6
Comment 5 Tim Harder gentoo-dev 2015-08-25 04:58:09 UTC
1.0.6 in the tree, 1.1.2 will come later.

Arches please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2015-08-25 07:09:38 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-08-25 07:10:18 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-08-26 07:31:14 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2015-09-01 16:00:15 UTC
arm stable, all arches done.
Comment 10 Aaron W. Swenson gentoo-dev 2015-12-09 12:59:33 UTC
I'll add arches in a day or so to make sure no issues crop up.

commit c20f39cdcba8d3f75fcd7d6c09e80d2ee0655e40
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Wed Dec 9 07:44:37 2015 -0500

    mail-client/roundcube: Version bump, security, and bug fixes
    
    Added two use flags controlling optional dependencies to support the
    enigma and sieverules plugins.
    
    Added REQUIRED_USE as one of postgres, mysql, or sqlite must be
    enabled. Roundcube requires a database to operate. As the ebuild uses
    this now, removed the default enable on the mysql USE flag.
    
    Added POST-UPGRADE.txt which is just a shortened version of the
    UPGRADE text from upstream.
    
    Dropped arm and ppc64 keywords as one dependency,
    dev-php/PEAR-Net_LDAP2, currently lacks matching keywords for those
    architectures.
    
    Bug: 541172, 545096, 524192, 564476, 565204, 53284
    
    Package-Manager: portage-2.2.20.1
Comment 11 Aaron W. Swenson gentoo-dev 2016-01-21 13:57:24 UTC
commit fddb2b8c50395843639b43ea9a908a94bc887924
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Jan 21 08:51:17 2016 -0500

    mail-client/roundcube: Remove Insecure Versions
    
    Removed insecure versions 1.0.5, 1.0.6, and 1.1.3.
    
    Bug: 554866, 564476, 570336
    
    Package-Manager: portage-2.2.26
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 09:14:53 UTC
Assigned to GLSA 74a1a7303
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 09:32:24 UTC
This issue was resolved and addressed in
 GLSA 201603-03 at https://security.gentoo.org/glsa/201603-03
by GLSA coordinator Sergey Popov (pinkbyte).