Bug 19920

Summary: roundcubemail new security issue CVE-2016-9920
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/708655/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: roundcubemail-1.0.9-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-12-09 18:19:20 CET 
A CVE has been assigned for a security issue fixed upstream in roundcubemail:
http://openwall.com/lists/oss-security/2016/12/08/17

The issue is fixed in 1.2.3, for which Cauldron has been updated.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

Users can execute commands on the server by writing e-mails, due to insufficient
sanitation of the from field when calling PHP's mail() function (CVE-2016-9920).

Note that only roundcubemail installations that don't have an SMTP server
configured for mail delivery are affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
http://openwall.com/lists/oss-security/2016/12/08/17
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.9-1.1.mga5

from roundcubemail-1.0.9-1.1.mga5.src.rpm
Comment 1 Herman Viaene 2016-12-27 15:03:16 CET 
MGA5-32 on Acer D620 Xfce
No installation issues.
Still hitting same "Error 404" problem as in previous updates (bug 18257), so OK as is.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2016-12-28 10:54:53 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 2 Lewis Smith 2016-12-29 20:28:01 CET 
Testing M5 x64

All previous info got nowhere, so this is basically (as recommended) just an install + update run-through.

BEFORE update:
Installed from normal repos: roundcubemail-1.0.9-1.mga5
before I had set up a database - which threw an error
"grep: /etc/php.d/99_apc.ini: No such file or directory
ERROR: Error connecting to database: SQLSTATE[HY000] [1045] Access denied for user 'roundcube'@'localhost' (using password: YES)";
which I then did as per the Wiki:
 MariaDB [(none)]> CREATE USER roundcube IDENTIFIED BY 'pass';
 MariaDB [(none)]> CREATE DATABASE roundcubemail;
 MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'pass';
 MariaDB [(none)]> FLUSH PRIVILEGES;
 MariaDB [(none)]> exit
Using the example values means that /etc/roundcubemail/config.inc.php already has the correct database line:
 $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

http://localhost/roundcubemail/ yielded a Roundcube page with "DATABASE ERROR: CONNECTION FAILED!"

AFTER update to: roundcubemail-1.0.9-1.1.mga5
Two config file confirmations during the update (accepted both new).
http://localhost/roundcubemail/ gave the same error as before.

OKing this because the update went OK. But it would be nice to find a way to have this thing visibly working. Validating at the same time.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-12-30 00:40:19 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0430.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED