|Summary:||<mail-client/roundcube-1.2.3: Vulnerability in handling of mail()'s 5th argument (CVE-2016-9920)|
|Product:||Gentoo Security||Reporter:||Philippe Chaintreuil <gentoo_bugs_peep>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||major||CC:||hydrapolic, jstein, tb, titanofold, web-apps|
|Whiteboard:||B1 [glsa cve cleanup]|
|Package list:||Runtime testing required:||---|
Description Philippe Chaintreuil 2016-12-02 00:09:17 UTC
Roundcube 1.2.3 has been released. It's a bug fix & security release. Security details from the release summary: ======================================================================= "Included is a fix for a recently reported security issue when using PHP’s mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be pulished shortly." ======================================================================= These traditionally work fine by just renaming the last ebuild. (I'll report back shortly after I try locally.) Changelog: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
Comment 1 Philippe Chaintreuil 2016-12-02 02:29:09 UTC
Can confirm: just renaming roundcube-1.2.2.ebuild to roundcube-1.2.3.ebuild worked just fine for me.
Comment 2 Thomas Deutschmann 2016-12-07 13:46:56 UTC
Converting this report into a security bug. Thanks for the report!
Comment 3 GLSAMaker/CVETool Bot 2016-12-11 00:36:22 UTC
CVE-2016-9920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9920): steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
Comment 4 Thomas Deutschmann 2016-12-12 23:44:10 UTC
I bumped the package, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec8ab56776b3bf6fd4d5faee022ffeaa9bd6c423 @ Arches, please test and mark stable: =mail-client/roundcube-1.2.3
Comment 5 Agostino Sarubbo 2016-12-13 11:06:41 UTC
Comment 6 Agostino Sarubbo 2016-12-13 11:32:03 UTC
Comment 7 Markus Meier 2016-12-23 15:07:00 UTC
arm stable, all arches done.
Comment 8 Thomas Deutschmann 2016-12-23 15:25:20 UTC
New GLSA created. @ Maintainer(s): Please cleanup!
Comment 9 Aaron W. Swenson 2016-12-23 21:44:58 UTC
(In reply to Thomas Deutschmann from comment #8) > New GLSA created. > > @ Maintainer(s): Please cleanup! Done