| Summary: | roundcubemail new security issues CVE-2020-1396[45] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, luigiwalser, mageia, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | roundcubemail-1.3.11-1.mga7 | CVE: | |
| Status comment: | | | |
Description
Marc Krämer
2020-06-03 02:11:35 CEST
The latest maintenance release of roundcubemail fixes some XSS issues:
- Fix XSS issue in template object 'username'
- Fix cross-site scripting (XSS) via malicious XML attachment and improves the fix for CVE-2020-12641

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12641

========================
Updated packages in core/updates_testing:
========================
roundcubemail-1.3.12-1.mga7.noarch.rpm

SRPM:
roundcubemail-1.3.12-1.mga7.src.rpm

Assignee: mageia => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
This laptop had a previous version of roundcubemail, so reused the config file after creating the database in mysql.
Getting into trouble with the connection string. Trying to login into roundcubemail gets me "Connection to storage server failed"
When I try at the CLI:
$ mysql -u roundcube:tester@localhost/roundcubemail
ERROR 1045 (28000): Access denied for user 'roundcube:tester@localhost/roundcubemail'@'localhost' (using password: NO)
but with
$ mysql -u roundcube -p roundcubemail
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
beats me

CC: (none) => herman.viaene

@herman: if you want to connect via commandline hostnames must be specified via -h (but localhost is default) so your connection string should look like this:
mysql -u roundcube -h localhost -p roundcubemail

I was trying the command line to come to terms with the error I get when connecting to roundcubemail. It has in its setting the string mysql://roundcube:tester@localhost/roundcubemail, and I can't see what is wrong with it.
But while I am typing and searching, I find that this error also can occur when the dovecot service is not running, and that is something which is not mentioned in the wiki or previous tests. I'll get back when I can run my testing laptop again.

ok, please post the log output from php/apache; I assume there is a more specific error shown there.

I overlooked bug 22941 Comment 3 that dovecot is needed. But now struggling to get that one configured. Giving up on it for now.

Installed and tested without issues.
Tested in a system setup with apache, PHP-FPM, mariadb and dovecot.
Tested with several email accounts with GiB of emails.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.3.12-1.mga7
$
$
$ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort
apache-2.4.43-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.43-1.mga7
apache-mod_php-7.3.18-1.mga7
apache-mod_proxy-2.4.43-1.mga7
apache-mod_ssl-2.4.43-1.mga7
dovecot-2.3.10.1-1.mga7
dovecot-pigeonhole-2.3.10.1-1.mga7
lib64mariadb3-10.3.22-1.mga7
mariadb-10.3.22-1.mga7
mariadb-client-10.3.22-1.mga7
mariadb-common-10.3.22-1.mga7
mariadb-common-core-10.3.22-1.mga7
mariadb-core-10.3.22-1.mga7
mariadb-extra-10.3.22-1.mga7
php-fpm-7.3.18-1.mga7
$
$
$ systemctl status httpd.service php-fpm.service dovecot.service mysqld.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-06-04 22:07:05 WEST; 1h 41min ago
Main PID: 17540 (httpd)
Status: "Total requests: 58; Idle/Busy workers 100/0;Requests/sec: 0.00953; Bytes served/sec: 176 B/sec"
Tasks: 258 (limit: 4697)
Memory: 43.7M
CGroup: /system.slice/httpd.service
├─17540 /usr/sbin/httpd -DFOREGROUND
├─17542 /usr/sbin/httpd -DFOREGROUND
├─17543 /usr/sbin/httpd -DFOREGROUND
├─17544 /usr/sbin/httpd -DFOREGROUND
├─17546 /usr/sbin/httpd -DFOREGROUND
└─17868 /usr/sbin/httpd -DFOREGROUND
jun 04 22:07:05 marte systemd[1]: Starting The Apache HTTP Server...
jun 04 22:07:05 marte systemd[1]: Started The Apache HTTP Server.
● php-fpm.service - The PHP FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-06-04 22:07:41 WEST; 1h 40min ago
Main PID: 17817 (php-fpm)
Status: "Processes active: 0, idle: 2, Requests: 11, slow: 0, Traffic: 0req/sec"
Tasks: 3 (limit: 4697)
Memory: 24.2M
CGroup: /system.slice/php-fpm.service
├─17817 php-fpm: master process (/etc/php-fpm.conf)
├─17829 php-fpm: pool www
└─17972 php-fpm: pool www
jun 04 22:07:40 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jun 04 22:07:41 marte systemd[1]: Started The PHP FastCGI Process Manager.
● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-06-04 15:40:21 WEST; 8h ago
Docs: man:dovecot(1)
http://wiki2.dovecot.org/
Main PID: 7777 (dovecot)
Tasks: 7 (limit: 4697)
Memory: 13.5M
CGroup: /system.slice/dovecot.service
├─7777 /usr/sbin/dovecot -F
├─7779 dovecot/anvil
├─7780 dovecot/log
├─7781 dovecot/imap-login
├─7782 dovecot/config
├─7783 dovecot/stats
└─7791 dovecot/imap
jun 04 22:07:54 marte dovecot[7780]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=17978, secured, session=<SNIP>
jun 04 22:07:54 marte dovecot[7780]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=17980, secured, session=<SNIP>
jun 04 22:07:54 marte dovecot[7780]: imap(pclx)<17978><w7fGiUinttL9AAAAAAEAAQAAAAAAAAAB>: Logged out in=303 out=2837 deleted=0 expunged=0 trashed=0 hdr_count=3 hdr_bytes=992 body_count=0 body_bytes=0
jun 04 22:07:54 marte dovecot[7780]: imap(pclx)<17980><tAnHiUinuNL9AAAAAAEAAQAAAAAAAAAB>: Logged out in=1073 out=3365 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
● mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-06-04 22:07:50 WEST; 1h 47min ago
Process: 17853 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 17867 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 30 (limit: 4697)
Memory: 60.8M
CGroup: /system.slice/mysqld.service
└─17867 /usr/sbin/mysqld
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: 10.3.22 started; log sequence number 296577098; transaction id 895136
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
jun 04 22:07:50 marte mysqld[17867]: 200604 22:07:50 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
jun 04 22:07:50 marte mysqld[17867]: 200604 22:07:50 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2020-06-04 22:07:50 0 [Note] Reading of all Master_info entries s>
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] Added new Master_info '' to hash table
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] /usr/sbin/mysqld: ready for connections.
jun 04 22:07:50 marte mysqld[17867]: Version: '10.3.22-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
jun 04 22:07:50 marte systemd[1]: Started MySQL database server.
jun 04 22:07:50 marte mysqld[17867]: 2020-06-04 22:07:50 0 [Note] InnoDB: Buffer pool(s) load completed at 200604 22:07:50

CC: (none) => mageia

No success in getting this to work. I keep getting "Login failed" although I can connect at the CLI to the database.

(In reply to Herman Viaene from comment #8)
> No success in getting this to work. I keep getting "Login failed" although I
> can connect at the CLI to the database.

Are you trying to use the database username/password to login to roundcubemail? That is probably not correct. It depends on how roundcubemail is configured but try your system username and password (the ones you use to login to your GNU/Linux user account). I think that would work with the roundcubemail default configuration.

Debian has issued an advisory for this on June 11:
https://www.debian.org/security/2020/dsa-4700

Make sure you add the CVEs to the advisory.

Summary: some xss issues in roundcubemail => roundcubemail new security issues CVE-2020-1396[45]

Followed advice of PC LX, logged in as normal user, that worked. Despite getting a message "Server Error: STATUS: Internal error occurred" I could send a mail out. But I could not receive the answer. Checked config file and found I did not enter the default hostname correctly. Once that was OK, I could login with my mail-id and all worked well.

Whiteboard: (none) => MGA7-64-OK

Thank the both of you! Validating. Advisory information in Comment 1.

Keywords: (none) => validated_update

(In reply to Thomas Andrews from comment #12)
> Thank the both of you! Validating. Advisory information in Comment 1.

Not completely. See Comment 10.
Nicolas Lécureuil
2020-06-15 09:03:11 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0261.html

Status: NEW => RESOLVED

This update also fixed CVE-2020-12641:
https://bugzilla.suse.com/show_bug.cgi?id=1171148
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html

CC: (none) => luigiwalser

This update also fixed CVE-2020-18670 CVE-2020-18671:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BPPHYZD6Y3QJBTGPLX66Y3DJ3KCNEUJQ/
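The database connection exchange earlier in this thread (the Roundcube DSN `mysql://roundcube:tester@localhost/roundcubemail` handed whole to `mysql -u`, which MariaDB reported back as an unknown user with "using password: NO") is worth turning into a small tool. The following is an added example, not code from the bug report, from Roundcube or from Mageia: `parse_dsn`, `cli_argv`, `explain_access_denied`, the `DbConn` type and the sample DSN and error line are all constructed for illustration. It splits a `db_dsnw`-style URI into its parts, emits the matching `mysql` (or `psql`) invocation with the password left off the command line so it is not exposed in the process list, and reads an "Access denied" line back into hints about what the client actually sent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class DbConn:
    """Components of a Roundcube db_dsnw URI (hypothetical helper type)."""
    driver: str
    user: str
    password: Optional[str]
    host: str
    port: Optional[int]
    database: str


def parse_dsn(dsn: str) -> DbConn:
    """Split a DSN such as mysql://roundcube:tester@localhost/roundcubemail
    into its parts. Percent-encoded user/password characters are decoded."""
    u = urlsplit(dsn)
    if u.scheme not in ("mysql", "mysqli", "pgsql"):
        raise ValueError(f"unsupported driver in DSN: {u.scheme!r}")
    database = u.path.strip("/")
    if not u.username or not u.hostname or not database:
        raise ValueError("DSN must carry user, host and database name")
    return DbConn(
        driver="pgsql" if u.scheme == "pgsql" else "mysql",
        user=unquote(u.username),
        password=unquote(u.password) if u.password is not None else None,
        host=u.hostname,
        port=u.port,
        database=database,
    )


def cli_argv(conn: DbConn) -> List[str]:
    """Equivalent command-line client invocation. The password is deliberately
    left off argv (it would be visible in `ps`); the client is told to prompt
    for it instead (-p for mysql, -W for psql)."""
    if conn.driver == "mysql":
        argv = ["mysql", "-u", conn.user, "-h", conn.host]
        if conn.port is not None:
            argv += ["-P", str(conn.port)]
        return argv + ["-p", conn.database]
    argv = ["psql", "-U", conn.user, "-h", conn.host]
    if conn.port is not None:
        argv += ["-p", str(conn.port)]
    return argv + ["-W", conn.database]


# Shape of the MariaDB/MySQL ERROR 1045 text quoted in the thread.
_DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<from>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)


def explain_access_denied(message: str) -> List[str]:
    """Read an 'Access denied' line and return plain-language hints about
    what the client actually sent. Returns [] for unrelated messages."""
    m = _DENIED.search(message)
    if not m:
        return []
    hints = []
    user = m.group("user")
    if "://" in user or "@" in user or "/" in user:
        hints.append(
            f"the user name the server saw was {user!r}: the whole DSN was "
            "passed as one argument; give -u, -h and the database separately"
        )
    if m.group("pw") == "NO":
        hints.append("no password was sent; add -p so the client prompts for one")
    return hints


if __name__ == "__main__":
    # Constructed sample DSN, matching the one quoted in the thread.
    sample = "mysql://roundcube:tester@localhost/roundcubemail"
    print(" ".join(cli_argv(parse_dsn(sample))))
    # Constructed copy of the error line from the thread.
    bad = ("ERROR 1045 (28000): Access denied for user "
           "'roundcube:tester@localhost/roundcubemail'@'localhost' (using password: NO)")
    for hint in explain_access_denied(bad):
        print("-", hint)
```

Run stand-alone it prints `mysql -u roundcube -h localhost -p roundcubemail`, the same form suggested in the thread, followed by the two hints derived from the error line. Prompting for the password (`-p` with no value) rather than embedding it in argv is the point of the design: a DSN in a config file is readable only by the web server account, whereas a password on the command line is visible to every local user for as long as the client runs.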