Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 601410 (CVE-2016-9920)

Summary: <mail-client/roundcube-1.2.3: Vulnerability in handling of mail()'s 5th argument (CVE-2016-9920)
Product: Gentoo Security Reporter: Philippe Chaintreuil <gentoo_bugs_peep>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: hydrapolic, jstein, tb, titanofold, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
Whiteboard: B1 [glsa cve cleanup]
Package list:
Runtime testing required: ---

Description Philippe Chaintreuil 2016-12-02 00:09:17 UTC
Roundcube 1.2.3 has been released.  It's a bug fix & security release.

Security details from the release summary:
=======================================================================
"Included is a fix for a recently reported security issue when using PHP’s mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be pulished shortly."
=======================================================================

These traditionally work fine by just renaming the last ebuild.  (I'll report back shortly after I try locally.)

Changelog: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
Comment 1 Philippe Chaintreuil 2016-12-02 02:29:09 UTC
Can confirm: just renaming roundcube-1.2.2.ebuild to roundcube-1.2.3.ebuild worked just fine for me.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-07 13:46:56 UTC
Converting this report into a security bug. Thanks for the report!
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 00:36:22 UTC
CVE-2016-9920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9920):
  steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3,
  when no SMTP server is configured and the sendmail program is enabled, does
  not properly restrict the use of custom envelope-from addresses on the
  sendmail command line, which allows remote authenticated users to execute
  arbitrary code via a modified HTTP request that sends a crafted e-mail
  message.
Comment 4 Thomas Deutschmann gentoo-dev Security 2016-12-12 23:44:10 UTC
I bumped the package, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec8ab56776b3bf6fd4d5faee022ffeaa9bd6c423


@ Arches,

please test and mark stable: =mail-client/roundcube-1.2.3
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-13 11:06:41 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-13 11:32:03 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-12-23 15:07:00 UTC
arm stable, all arches done.
Comment 8 Thomas Deutschmann gentoo-dev Security 2016-12-23 15:25:20 UTC
New GLSA created.

@ Maintainer(s): Please cleanup!
Comment 9 Aaron W. Swenson gentoo-dev 2016-12-23 21:44:58 UTC
(In reply to Thomas Deutschmann from comment #8)
> New GLSA created.
> 
> @ Maintainer(s): Please cleanup!

Done
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-12-24 06:44:40 UTC
This issue was resolved and addressed in
 GLSA 201612-44 at https://security.gentoo.org/glsa/201612-44
by GLSA coordinator Aaron Bauman (b-man).