Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636970 (CVE-2017-16651) - <mail-client/roundcube-1.2.7: Unauthorized access to arbitrary files vulnerability (CVE-2017-16651)
Summary: <mail-client/roundcube-1.2.7: Unauthorized access to arbitrary files vulnerab...
Status: RESOLVED FIXED
Alias: CVE-2017-16651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-09 16:13 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-02 23:19 UTC (History)
4 users (show)

See Also:
Package list:
=mail-client/roundcube-1.2.7 =dev-php/PEAR-Crypt_GPG-1.6.0_beta3 ppc ppc64 =dev-php/PEAR-Net_LDAP3-1.0.5_pre20160405 ppc64 =dev-php/PEAR-Console_CommandLine-1.2.2 ppc ppc64
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-09 16:13:26 UTC
CVE-2017-16651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16651):
  Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3
  allows unauthorized access to arbitrary files on the host's filesystem,
  including configuration files, as exploited in the wild in November 2017.
  The attacker must be able to authenticate at the target system with a valid
  username/password as the attack requires an active session. The issue is
  related to file-based attachment plugins and
  _task=settings&_action=upload-display&_from=timezone requests.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-09 16:14:15 UTC
@Maintainer please call for stabilization when ready.

Thank you
Comment 2 Aaron W. Swenson gentoo-dev 2017-11-09 17:54:39 UTC
Stabilization target:
=mail-client/roundcube-1.2.7 ~amd64 ~arm ~ppc ~ppc64 ~x86

commit 4d044d7e03b744873e0b61d3d9bb361518453e1b (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Nov 9 12:51:56 2017 -0500

    mail-client/roundcube: Security Bump (Bug 636970)

    Security-related version bump to:
     * 1.3.3
     * 1.2.7

    CVE-2017-16651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16651):
    Roundcube Webmail before 1.2.x before 1.2.7, and 1.3.x before 1.3.3
    allows unauthorized access to arbitrary files on the host's filesystem.

    Gentoo-Bug: https://bugs.gentoo.org/636970
    Package-Manager: Portage-2.3.8, Repoman-2.3.3
Comment 3 Stabilization helper bot gentoo-dev 2017-11-09 18:00:59 UTC
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-11 18:00:50 UTC
x86 stable
Comment 5 Stabilization helper bot gentoo-dev 2017-11-11 19:02:18 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine', 'dev-php/phpunit']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine', 'dev-php/phpunit']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome) ['dev-php/PEAR-Net_LDAP3']
Comment 6 Markus Meier gentoo-dev 2017-11-19 15:18:00 UTC
arm stable
Comment 7 Stabilization helper bot gentoo-dev 2017-11-19 16:02:00 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine']
Comment 8 Rolf Eike Beer archtester 2017-12-01 18:52:28 UTC
Works fine for me on amd64 with USE="spell sqlite ssl".
Comment 9 Stabilization helper bot gentoo-dev 2017-12-01 19:01:37 UTC
An automated check of this bug failed - repoman reported dependency errors (57 lines truncated): 

> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine']
Comment 10 Stabilization helper bot gentoo-dev 2017-12-01 21:01:02 UTC
An automated check of this bug failed - the following atom is unknown:

dev-php/PEAR-Console_CommandLine/PEAR-Console_CommandLine-1.2.2

Please verify the atom list.
Comment 11 Stabilization helper bot gentoo-dev 2017-12-02 03:01:51 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Larry the Git Cow gentoo-dev 2017-12-04 12:23:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcb3d41b2df922a411539fd9078b74320b7bd38a

commit dcb3d41b2df922a411539fd9078b74320b7bd38a
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2017-12-04 12:23:26 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2017-12-04 12:23:26 +0000

    mail-client/roundcube: stable 1.2.7 on amd64
    
    Bug: https://bugs.gentoo.org/636970
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-client/roundcube/Manifest               | 2 +-
 mail-client/roundcube/roundcube-1.2.7.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)}
Comment 13 Aaron W. Swenson gentoo-dev 2017-12-04 12:24:40 UTC
(In reply to Rolf Eike Beer from comment #8)
> Works fine for me on amd64 with USE="spell sqlite ssl".

Thanks for the confirmation.
Comment 14 Aaron W. Swenson gentoo-dev 2018-01-17 11:28:04 UTC
@ppc and @ppc64: Ping.
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 09:25:52 UTC
ppc64 stable
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 20:03:40 UTC
ppc stable
Comment 17 Aaron W. Swenson gentoo-dev 2018-03-23 10:54:27 UTC
All affected versions removed from tree.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-04-02 23:19:38 UTC
Downgraded.

GLSA Vote: No