Bug 580746 (CVE-2015-8864, CVE-2016-4069) - <mail-client/roundcube-1.2.0: Multiple vulnerabilities (CVE-2016-4069)
Summary: <mail-client/roundcube-1.2.0: Multiple vulnerabilities (CVE-2016-4069)
Status: RESOLVED FIXED
Alias: CVE-2015-8864, CVE-2016-4069
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://roundcube.net/news/2016/04/20...
Whiteboard: B4 [noglsa cve]
Keywords:
Duplicates: 583414
Depends on: 584200
Blocks:
Reported: 2016-04-21 16:06 UTC by Philippe Chaintreuil
Modified: 2016-11-30 08:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
1.1.5 ebuild -- fixes download url (roundcube-1.1.5.ebuild,2.30 KB, text/plain)
2016-04-23 21:41 UTC, Philippe Chaintreuil
1.1.4 -> 1.2.0.patch (roundcube.patch,773 bytes, patch)
2016-05-23 18:35 UTC, Kim B. Sindalsen

Description Philippe Chaintreuil 2016-04-21 16:06:04 UTC
Minor bug fix version: "delivering important bug fixes and helps protect Roundcube against more XSS and CSRF attacks. Version 1.1.5 also has two new plugin hooks integrated [...]."

Changelog: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115

Roundcube version bumps have historically only required an ebuild copy+rename.  Nothing indicates that this version would require anything more.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-04-23 15:40:37 UTC
Multiple vulnerabilities for roundcube have been fixed in 1.1.5: 

http://www.openwall.com/lists/oss-security/2016/04/23/3
Fix XSS issue in SVG images handling (#4949)
Protect download urls against CSRF using unique request tokens (#4957):

https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 also mentions
Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181) (#4958)
Comment 2 Philippe Chaintreuil 2016-04-23 21:41:53 UTC
Created attachment 431740 [details]
1.1.5 ebuild -- fixes download url

Attached an updated ebuild that just changes the SRC_URI from mirror://sourceforge/ to the new https://github.com/ location.  (I tried to use mirror://github/, but that stuck a "/download/" at the base of the URL that messed it up.  If someone knows how to fix that, feel free.)

This ebuild worked for me (1.1.4 -> 1.1.5).
Comment 3 Coacher 2016-05-19 12:23:31 UTC
*** Bug 583414 has been marked as a duplicate of this bug. ***
Comment 4 Meik Frischke 2016-05-23 17:39:48 UTC
1.2.0 has been released, which also fixes php7 compatibility for stable releases:
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-120
Comment 5 Kim B. Sindalsen 2016-05-23 18:35:00 UTC
Created attachment 435124 [details, diff]
1.1.4 -> 1.2.0.patch

Made a 1.1.4 -> 1.2.0.ebuild.patch

Basically rename + changed EAPI to 6
No testing of USE-flags (builds for me with ssl and mysql)
Comment 6 Philippe Chaintreuil 2016-05-25 15:08:22 UTC
Added a github pull request for 1.1.5 in hopes it makes life easier and moves this along: https://github.com/gentoo/gentoo/pull/1538
Comment 7 Philippe Chaintreuil 2016-05-25 15:23:43 UTC
I opened a separate bug #584098 to track 1.2.0 since this 1.1.5 has specific security patches, whereas 1.2.0 has new features.
Comment 8 Aaron W. Swenson gentoo-dev 2016-05-29 17:45:48 UTC
Thank you for working on this, Kim Sindalsen and Philippe Chaintreuil. I also have to beg your forgiveness as I forgot to thank you in the commit. I stared at it for several minutes thinking I was forgetting something, and not being able to remember, pushed it.

commit 4d31c895c86b85f0fec9effbaf37b55c8a2229fb
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Sun May 29 13:35:04 2016 -0400

    mail-client/roundcube: Fix Multiple Vulnerabilities
    
    Many security issues/enhancements are resolved with this release. The
    most significant being:
    
    * Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181)
    * Fix path traversal vulnerability in setting a skin (CVE-2015-8770)
    * Fix XSS issue in SVG images handling
    * Fix XSS issue in href attribute on area tag
    
    You can find the complete list of changes in the included CHANGELOG or at:
    https://github.com/roundcube/roundcubemail/wiki/Changelog
    
    Bug: 580746, 584200, 584098
    
    Package-Manager: portage-2.2.26
Comment 9 Aaron W. Swenson gentoo-dev 2016-05-29 17:51:55 UTC
@Security: This bug should probably be consolidated into 584200.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 22:05:41 UTC
@ Security: Please vote!
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 08:53:01 UTC
CVE-2016-4069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4069):
  Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before
  1.1.5 allows remote attackers to hijack the authentication of users for
  requests that download attachments and cause a denial of service (disk
  consumption) via unspecified vectors.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 08:53:47 UTC
GLSA Vote: No