Summary: | <mail-client/roundcube-{0.8.7,0.9.5} : random file access, manipulated SQL queries and even code execution (CVE-2013-6172) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Benny Pedersen <me>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | alex_y_xu, gentoo_bugs_peep, web-apps
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | All | |
URL: | http://roundcube.net/download/ | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Benny Pedersen
2013-10-21 21:56:54 UTC
*** Bug 488994 has been marked as a duplicate of this bug. ***

Created attachment 361858 [details]
roundcube 0.8.7 ebuild

ebuild for roundcube 0.8.7; copied from 0.8.6.

Created attachment 361860 [details]
roundcube 0.9.5 ebuild

ebuild for roundcube 0.9.5; copied from 0.9.4.

(In reply to Andrew Hamilton from comment #3)
> Created attachment 361860 [details]
> roundcube 0.9.5 ebuild
>
> ebuild for roundcube 0.9.5; copied from 0.9.4.

You really don't need to attach trivially modified ebuilds.

Arches, please stabilize:
=mail-client/roundcube-0.8.7
=mail-client/roundcube-0.9.5

All stable, please cleanup.

I read on bugs.g.o that there are now webapp-config override configs :( It was a problem I thought only WordPress had :( New bugs?

If this is not related to the security GLSA or cleanup of old ebuilds, please file a new bug.

CVE-2013-6172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6172):
steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

12 Nov 2013; Tim Harder <radhermit@gentoo.org> -roundcube-0.8.6.ebuild, -roundcube-0.9.2.ebuild, -roundcube-0.9.3.ebuild, -roundcube-0.9.4.ebuild:
Remove old.

Cleanup was done, GLSA request filed, thanks to all.

This issue was resolved and addressed in GLSA 201402-15 at http://security.gentoo.org/glsa/glsa-201402-15.xml by GLSA coordinator Sergey Popov (pinkbyte).
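The affected-version statement in the NVD text above ("before 0.8.7 and 0.9.x before 0.9.5") has two branches, and the 0.9.x branch is the part that is easy to get wrong when auditing an installed fleet: 0.8.8 is fixed even though it is numerically "before 0.9.5", and 0.9.4 is vulnerable even though it is "after 0.8.7". The following check, added here as an example and not code from the Gentoo bug, the GLSA or the Roundcube project, encodes exactly those two ranges and applies them to a constructed list of Gentoo-style package atoms; the atom strings and the `-rN` revision handling are assumptions for illustration.

```python
"""Affected-version check for CVE-2013-6172 (added example, not project code).

Fixed releases named in the bug and the GLSA: roundcube 0.8.7 and 0.9.5.
NVD wording: 'before 0.8.7 and 0.9.x before 0.9.5'.
"""
import re
from typing import List, Tuple

FIXED_08 = (0, 8, 7)  # first fixed release on the 0.8 line (from the page)
FIXED_09 = (0, 9, 5)  # first fixed release on the 0.9 line (from the page)


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract the first dotted number from a version string or package atom.

    Accepts plain '0.9.4' as well as Gentoo-style atoms such as
    'mail-client/roundcube-0.9.4-r1' (the '-r1' revision is ignored, since
    it is a packaging revision, not an upstream release). Short versions are
    padded with zeros so that '0.9' compares like '0.9.0'.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the given Roundcube version falls in a vulnerable range.

    The 0.9 line is handled separately because 0.8.8 and later 0.8.x
    releases are fixed even though they sort below 0.9.5, while 0.9.0-0.9.4
    are vulnerable even though they sort above 0.8.7.
    """
    v = parse_version(version)
    if v[:2] == (0, 9):
        return v < FIXED_09
    return v < FIXED_08


def affected_packages(atoms: List[str]) -> List[str]:
    """Filter a list of installed package atoms down to the vulnerable ones.

    Only roundcube atoms are considered; anything else is passed over so the
    function can be fed a whole package list.
    """
    return [a for a in atoms if "roundcube" in a and is_affected(a)]


if __name__ == "__main__":
    # Constructed sample inventory (not taken from any real system).
    sample = [
        "mail-client/roundcube-0.8.6",
        "mail-client/roundcube-0.8.7",
        "mail-client/roundcube-0.9.4-r1",
        "mail-client/roundcube-0.9.5",
        "www-apps/wordpress-3.7",
    ]
    for atom in affected_packages(sample):
        print("VULNERABLE:", atom)
```

The check deliberately treats the two release lines independently rather than as a single "less than 0.9.5" comparison, which is the natural but wrong shortcut; the `__main__` block reports `0.8.6` and `0.9.4-r1` as vulnerable and leaves the two fixed releases alone.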