Bug 653044 (CVE-2018-9846) - <mail-client/roundcube-1.3.6: MX injection in archive.php (CVE-2018-9846)
Status: RESOLVED FIXED
Alias: CVE-2018-9846
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 654220
Depends on:
Blocks: 651124
Reported: 2018-04-12 18:45 UTC by Philippe Chaintreuil
Modified: 2018-05-02 13:02 UTC (History)

See Also:
Package list:
mail-client/roundcube-1.3.6
Runtime testing required: ---
stable-bot: sanity-check+


Description Philippe Chaintreuil 2018-04-12 18:45:26 UTC
Roundcube 1.3.6 has been released.  It addresses CVE-2018-9846.

"It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846."

These usually work by just renaming the existing ebuild.

Announcement: https://roundcube.net/news/2018/04/11/security-update-1.3.6
Changelog: https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-9846
Comment 1 Philippe Chaintreuil 2018-04-16 19:59:16 UTC
Can confirm that just renaming the existing 1.3.4 ebuild to 1.3.6 works fine for me.
Comment 2 Larry the Git Cow gentoo-dev 2018-04-27 19:41:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c769016cc36b9803c40f093f3ab9831529ded12

commit 2c769016cc36b9803c40f093f3ab9831529ded12
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-04-27 19:41:26 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-04-27 19:41:26 +0000

    mail-client/roundcube: Bump to 1.3.6
    
    Fixes a security issue related to IMAP command injection.
    
    Fixes a XSS concern.
    
    Bug: https://bugs.gentoo.org/651124
    Bug: https://bugs.gentoo.org/653044
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
Comment 3 Aaron W. Swenson gentoo-dev 2018-04-27 19:53:23 UTC
Please stabilize the following target:
=mail-client/roundcube-1.3.6 ~amd64 ~arm ~ppc ~ppc64 ~x86
Comment 4 Philippe Chaintreuil 2018-04-27 20:05:57 UTC
This CVE has been addressed in the 1.2.x line as well.  I just added bug #654220 to track that.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2018-04-28 10:24:25 UTC
*** Bug 654220 has been marked as a duplicate of this bug. ***
Comment 6 Aaron W. Swenson gentoo-dev 2018-04-28 11:28:05 UTC
(In reply to Philippe Chaintreuil from comment #4)
> This CVE has been addressed in the 1.2.x line as well.  I just added bug
> #654220 to track that.

I think we'll drop 1.2 as soon as this is stabled.
Comment 7 Agostino Sarubbo gentoo-dev 2018-04-30 07:51:23 UTC
amd64 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-04-30 22:48:23 UTC
GLSA Vote: No

@maintainer(s), please clean the vulnerable versions.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-04-30 22:49:17 UTC
stabled per ALLARCH:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d130de22d462c0d7f4faa6a5bd972d0322dfd799
Comment 10 Larry the Git Cow gentoo-dev 2018-05-02 12:16:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9ffc2bbca6873f0c222c2bf69c408f387ae63a3

commit a9ffc2bbca6873f0c222c2bf69c408f387ae63a3
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-05-02 12:15:49 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-05-02 12:15:49 +0000

    mail-client/roundcube: Cleanup <1.3.6
    
    Cleanup insecure versions.
    
    Bug: https://bugs.gentoo.org/653044
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 mail-client/roundcube/Manifest                  |  3 -
 mail-client/roundcube/roundcube-1.2.7.ebuild    | 74 ------------------
 mail-client/roundcube/roundcube-1.3.3-r1.ebuild | 76 -------------------
 mail-client/roundcube/roundcube-1.3.4.ebuild    | 99 -------------------------
 4 files changed, 252 deletions(-)