Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618322 (CVE-2017-8114)

Summary: <mail-client/roundcube-1.2.5: arbitrary password resets by authenticated users. (CVE-2017-8114)
Product: Gentoo Security Reporter: Volkan <vBugZilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1448400
Whiteboard: B3 [glsa cve]
Package list:
mail-client/roundcube-1.2.5
 Runtime testing required: ---

Description Volkan 2017-05-12 23:09:59 UTC 
Roundcube Webmail allows arbitrary password resets by authenticated
users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and
1.2.x before 1.2.5. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.

External References:

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-06-04 21:03:29 UTC 
CVE-2017-8114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8114):
  Roundcube Webmail allows arbitrary password resets by authenticated users.
  This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before
  1.2.5. The problem is caused by an improperly restricted exec call in the
  virtualmin and sasl drivers of the password plugin.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 21:08:24 UTC 
Now in repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacce1c76fc3f72971acc28703d0df7059d69936


@ Arches,

please test and mark stable: =mail-client/roundcube-1.2.5
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-05 11:06:17 UTC 
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-05 14:30:55 UTC 
x86 stable
Comment 5 Markus Meier gentoo-dev 2017-06-08 05:08:50 UTC 
arm stable, all arches done.
Comment 6 Aaron W. Swenson gentoo-dev 2017-06-19 10:36:20 UTC 
Insecure version removed.

commit d73891e8c36797684cf8dad8d9c04fd0ea0209e8 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Mon Jun 19 06:35:20 2017 -0400

    mail-client/roundcube: Remove Insecure 1.2.4
    
    Bug: 618322
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 11:24:46 UTC 
GLSA Vote: Yes

New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 20:21:07 UTC 
This issue was resolved and addressed in
 GLSA 201707-11 at https://security.gentoo.org/glsa/201707-11
by GLSA coordinator Thomas Deutschmann (whissi).