Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 636970 (CVE-2017-16651)

Summary: <mail-client/roundcube-1.2.7: Unauthorized access to arbitrary files vulnerability (CVE-2017-16651)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: earny, gentoo_bugs_peep, titanofold, web-apps
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C3 [noglsa cve]
Package list:
=mail-client/roundcube-1.2.7 =dev-php/PEAR-Crypt_GPG-1.6.0_beta3 ppc ppc64 =dev-php/PEAR-Net_LDAP3-1.0.5_pre20160405 ppc64 =dev-php/PEAR-Console_CommandLine-1.2.2 ppc ppc64
 Runtime testing required: No

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-09 16:13:26 UTC 
CVE-2017-16651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16651):
  Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3
  allows unauthorized access to arbitrary files on the host's filesystem,
  including configuration files, as exploited in the wild in November 2017.
  The attacker must be able to authenticate at the target system with a valid
  username/password as the attack requires an active session. The issue is
  related to file-based attachment plugins and
  _task=settings&_action=upload-display&_from=timezone requests.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-09 16:14:15 UTC 
@Maintainer please call for stabilization when ready.

Thank you
Comment 2 Aaron W. Swenson gentoo-dev 2017-11-09 17:54:39 UTC 
Stabilization target:
=mail-client/roundcube-1.2.7 ~amd64 ~arm ~ppc ~ppc64 ~x86

commit 4d044d7e03b744873e0b61d3d9bb361518453e1b (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Nov 9 12:51:56 2017 -0500

    mail-client/roundcube: Security Bump (Bug 636970)

    Security-related version bump to:
     * 1.3.3
     * 1.2.7

    CVE-2017-16651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16651):
    Roundcube Webmail before 1.2.x before 1.2.7, and 1.3.x before 1.3.3
    allows unauthorized access to arbitrary files on the host's filesystem.

    Gentoo-Bug: https://bugs.gentoo.org/636970
    Package-Manager: Portage-2.3.8, Repoman-2.3.3
Comment 3 Stabilization helper bot gentoo-dev 2017-11-09 18:00:59 UTC 
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated): 

> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-php/PEAR-Crypt_GPG-1.4.0']
Comment 4 Thomas Deutschmann gentoo-dev 2017-11-11 18:00:50 UTC 
x86 stable
Comment 5 Stabilization helper bot gentoo-dev 2017-11-11 19:02:18 UTC 
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine', 'dev-php/phpunit']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine', 'dev-php/phpunit']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome) ['dev-php/PEAR-Net_LDAP3']
Comment 6 Markus Meier gentoo-dev 2017-11-19 15:18:00 UTC 
arm stable
Comment 7 Stabilization helper bot gentoo-dev 2017-11-19 16:02:00 UTC 
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad mail-client/roundcube/roundcube-1.2.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome) ['dev-php/PEAR-Net_LDAP3']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine']
Comment 8 Rolf Eike Beer archtester 2017-12-01 18:52:28 UTC 
Works fine for me on amd64 with USE="spell sqlite ssl".
Comment 9 Stabilization helper bot gentoo-dev 2017-12-01 19:01:37 UTC 
An automated check of this bug failed - repoman reported dependency errors (57 lines truncated): 

> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['dev-php/PEAR-Console_CommandLine']
> dependency.bad dev-php/PEAR-Crypt_GPG/PEAR-Crypt_GPG-1.6.0_beta3.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['dev-php/PEAR-Console_CommandLine']
Comment 10 Stabilization helper bot gentoo-dev 2017-12-01 21:01:02 UTC 
An automated check of this bug failed - the following atom is unknown:

dev-php/PEAR-Console_CommandLine/PEAR-Console_CommandLine-1.2.2

Please verify the atom list.
Comment 11 Stabilization helper bot gentoo-dev 2017-12-02 03:01:51 UTC 
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Larry the Git Cow gentoo-dev 2017-12-04 12:23:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcb3d41b2df922a411539fd9078b74320b7bd38a

commit dcb3d41b2df922a411539fd9078b74320b7bd38a
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2017-12-04 12:23:26 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2017-12-04 12:23:26 +0000

    mail-client/roundcube: stable 1.2.7 on amd64
    
    Bug: https://bugs.gentoo.org/636970
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-client/roundcube/Manifest               | 2 +-
 mail-client/roundcube/roundcube-1.2.7.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)}
Comment 13 Aaron W. Swenson gentoo-dev 2017-12-04 12:24:40 UTC 
(In reply to Rolf Eike Beer from comment #8)
> Works fine for me on amd64 with USE="spell sqlite ssl".

Thanks for the confirmation.
Comment 14 Aaron W. Swenson gentoo-dev 2018-01-17 11:28:04 UTC 
@ppc and @ppc64: Ping.
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 09:25:52 UTC 
ppc64 stable
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-19 20:03:40 UTC 
ppc stable
Comment 17 Aaron W. Swenson gentoo-dev 2018-03-23 10:54:27 UTC 
All affected versions removed from tree.
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-02 23:19:38 UTC 
Downgraded.

GLSA Vote: No