Bug 554866

Summary: <mail-client/roundcube-1.1.2: multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: hydrapolic, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-07-14 10:04:32 UTC
From ${URL}:

> The security-related fixes in particular are:
> * XSS vulnerability in _mbox argument

Fix XSS vulnerability in _mbox argument handling (#1490417)

The XSS vulnerability can be triggered by appending malicious script
code to the _mbox parameter. The following example will pop an alert box:


Attackers could use this vulnerability to steal cookies or extract

Not claimed to affect 1.0.

> * security improvement in contact photo handling

Fix security issue in contact photo handling (#1490379)

There is a potential for an arbitrary read from an authenticated user
who uploads a contact (vCard) with a specially crafted POST,
by supplying the "_alt" param in the POST. User must be authenticated.
I was able to read any file on disk (that the apache user has access to, e.g.
config/) using a GET request.


> * potential info disclosure from temp directory

Fix potential info disclosure issue by protecting directory access
(#1490378)

The logs directory is not protected from browsing. Most log entries are
not bad, but one became evident on my host that was pretty nasty.

It looked like the following:

[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry 'ijpv9kqofvpksxxxxxxxxxxxx' for key 'PRIMARY' (SQL Query: INSERT INTO `session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES ('ijpv9kqofvpksxxxxxxxx', 'xxxxxxxxxxxxxxxxxxxxxxx=', 
'', now(), now())) in /var/www/html/roundcubemail-1.1.1/program/lib/Roundcube/rcube_db.php on line 543 (POST /roundcubemail-1.1.1/?_task=mail&_action=refresh?_task=&_action=)

I obfuscated the sensitive fields, but this would be enough for a
non-credentialed user to view the file (via the webroot/logs/errors file),
and then replace their own cookies with the entry from above to log in
as a user that was listed there.

This seems to be a very rare occurrence, but considering that other
SQL/other actions might report other sensitive data into this file, it
might be worth automatically protecting this directory with an .htaccess
file, or prepending a php tag to avoid overt reading by any
unauthenticated user.

Not claimed to affect 1.0.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
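Added illustration (editor's example, not part of this bug report and not Roundcube's own code, which is PHP): the three defensive measures the report's upstream notes describe, sketched in Python so they can be run stand-alone. resolve_upload_path() confines a user-controlled file name such as the "_alt" value to one directory, which is the general fix for the arbitrary read; render_mailbox_heading() shows the output escaping that neutralises a reflected "_mbox" value (the upstream alert-box PoC is not reproduced on this page); redact_session_log_line() and leaked_session_ids() work over a log line constructed to match the one quoted above, masking the sess_id before it reaches logs/errors and, for incident response, extracting ids that an exposed log already leaked. PHOTO_TEMP_DIR, the function names and the sample log values are assumptions, not Roundcube settings or real data.

```python
import html
import os
import re

# Assumed base directory for uploaded contact photos (illustrative only;
# not Roundcube's real temp_dir setting).
PHOTO_TEMP_DIR = "/var/lib/roundcube/temp"


def resolve_upload_path(base_dir, user_supplied):
    """Confine a user-controlled file name (like the '_alt' value in the
    report) to base_dir. Returns the resolved absolute path, or None when
    the name escapes the directory through '..', an absolute path or a
    symlink, or when it resolves to the directory itself."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    try:
        # commonpath avoids the classic startswith() pitfall where
        # /x/temp2/f would pass a check against /x/temp
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


def render_mailbox_heading(mbox):
    """Echo the '_mbox' parameter back into HTML. html.escape(quote=True)
    turns <, >, &, " and ' into entities, so script injected into the
    parameter is rendered as text instead of executed."""
    return '<h2 class="boxtitle">%s</h2>' % html.escape(mbox, quote=True)


# Constructed sample log line modelled on the one quoted in the report;
# the session id and serialised session vars are made-up values.
SAMPLE_ERROR_LOG = (
    "[25-Apr-2015 04:03:11 -0400]: <ijpv9kqo> DB Error: [1062] Duplicate entry "
    "'ijpv9kqofvpksabcdefgh12345' for key 'PRIMARY' (SQL Query: INSERT INTO "
    "`session` (`sess_id`, `vars`, `ip`, `created`, `changed`) VALUES "
    "('ijpv9kqofvpksabcdefgh12345', 'c2VyaWFsaXplZC1zZXNzaW9uLWRhdGE=', "
    "'', now(), now())) in /var/www/html/roundcubemail-1.1.1/program/lib/"
    "Roundcube/rcube_db.php on line 543 "
    "(POST /roundcubemail-1.1.1/?_task=mail&_action=refresh)"
)

# The two places where a failed session INSERT exposes the session id
# (and, in the second, the serialised session data).
DUP_ENTRY_RE = re.compile(r"(Duplicate entry )'[^']*'( for key 'PRIMARY')")
SESSION_INSERT_RE = re.compile(
    r"(INSERT INTO `session` \([^)]*\) VALUES \()'[^']*', '[^']*'"
)


def redact_session_log_line(line):
    """Mask the session id and serialised vars in a DB error line before it
    is written to logs/errors. This limits the damage of a browsable logs/
    directory; denying web access to logs/ (and temp/) is still required."""
    line = DUP_ENTRY_RE.sub(r"\1'[REDACTED]'\2", line)
    line = SESSION_INSERT_RE.sub(r"\1'[REDACTED]', '[REDACTED]'", line)
    return line


def leaked_session_ids(line):
    """Detection counterpart: return every sess_id a log line still exposes,
    so an operator who finds logs/errors was reachable can invalidate
    exactly those sessions."""
    ids = set()
    for pattern in (DUP_ENTRY_RE, SESSION_INSERT_RE):
        match = pattern.search(line)
        if match:
            value = match.group(0).split("'")[1]
            if value.isalnum():  # a real sess_id, not a redaction marker
                ids.add(value)
    return ids


if __name__ == "__main__":
    print(resolve_upload_path(PHOTO_TEMP_DIR, "rcmphoto123.jpg"))
    print(resolve_upload_path(PHOTO_TEMP_DIR, "../../../../etc/passwd"))
    print(render_mailbox_heading('"><img src=x onerror=alert(1)>'))
    print(leaked_session_ids(SAMPLE_ERROR_LOG))
    print(redact_session_log_line(SAMPLE_ERROR_LOG))
```

The redaction only covers the one error shape quoted in this report; as the reporter notes, other queries can put other sensitive data into the same file, so the real control is keeping the web server from serving the logs/ directory at all.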
Comment 1 Josh G 2015-07-23 15:29:42 UTC
For 1.0.6, I just renamed the ebuild and compiled. It's been working fine for about a month.
Comment 2 Tomáš Mózes 2015-07-23 18:52:03 UTC
Same here.
Comment 3 Tomáš Mózes 2015-08-05 11:39:34 UTC
Any progress here please? It's a trivial bump for 1.0.6.
Comment 4 Josh G 2015-08-24 06:33:50 UTC
Tomas: I think all the attention is going to 1.1.1. I simply updated my local tree with a renamed 1.0.5 ebuild for 1.0.6
Comment 5 Tim Harder gentoo-dev 2015-08-25 04:58:09 UTC
1.0.6 in the tree, 1.1.2 will come later.

Arches please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2015-08-25 07:09:38 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-08-25 07:10:18 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-08-26 07:31:14 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2015-09-01 16:00:15 UTC
arm stable, all arches done.
Comment 10 Aaron W. Swenson gentoo-dev 2015-12-09 12:59:33 UTC
I'll add arches in a day or so to make sure no issues crop up.

commit c20f39cdcba8d3f75fcd7d6c09e80d2ee0655e40
Author: Aaron W. Swenson <>
Date:   Wed Dec 9 07:44:37 2015 -0500

    mail-client/roundcube: Version bump, security, and bug fixes
    Added two use flags controlling optional dependencies to support the
    enigma and sieverules plugins.
    Added REQUIRED_USE as one of postgres, mysql, or sqlite must be
    enabled. Roundcube requires a database to operate. As the ebuild uses
    this now, removed the default enable on the mysql USE flag.
    Added POST-UPGRADE.txt which is just a shortened version of the
    UPGRADE text from upstream.
    Dropped arm and ppc64 keywords as one dependency,
    dev-php/PEAR-Net_LDAP2, currently lacks matching keywords for those
    Bug: 541172, 545096, 524192, 564476, 565204, 53284
    Package-Manager: portage-
Comment 11 Aaron W. Swenson gentoo-dev 2016-01-21 13:57:24 UTC
commit fddb2b8c50395843639b43ea9a908a94bc887924
Author: Aaron W. Swenson <>
Date:   Thu Jan 21 08:51:17 2016 -0500

    mail-client/roundcube: Remove Insecure Versions
    Removed insecure versions 1.0.5, 1.0.6, and 1.1.3.
    Bug: 554866, 564476, 570336
    Package-Manager: portage-2.2.26
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-05 09:14:53 UTC
Assigned to GLSA 74a1a7303
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 09:32:24 UTC
This issue was resolved and addressed in
 GLSA 201603-03 at
by GLSA coordinator Sergey Popov (pinkbyte).