Roundcube 1.2.3 has been released. It's a bug fix & security release.
Security details from the release summary:
"Included is a fix for a recently reported security issue when using PHP’s mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be pulished shortly."
These traditionally work fine by just renaming the last ebuild. (I'll report back shortly after I try locally.)
Can confirm: just renaming roundcube-1.2.2.ebuild to roundcube-1.2.3.ebuild worked just fine for me.
Converting this report into a security bug. Thanks for the report!
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3,
when no SMTP server is configured and the sendmail program is enabled, does
not properly restrict the use of custom envelope-from addresses on the
sendmail command line, which allows remote authenticated users to execute
arbitrary code via a modified HTTP request that sends a crafted e-mail
I bumped the package, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec8ab56776b3bf6fd4d5faee022ffeaa9bd6c423
please test and mark stable: =mail-client/roundcube-1.2.3
arm stable, all arches done.
New GLSA created.
@ Maintainer(s): Please cleanup!
(In reply to Thomas Deutschmann from comment #8)
> New GLSA created.
> @ Maintainer(s): Please cleanup!
This issue was resolved and addressed in
GLSA 201612-44 at https://security.gentoo.org/glsa/201612-44
by GLSA coordinator Aaron Bauman (b-man).