Bug 11552 - roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Summary: roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/571975/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Depends on:
Reported: 2013-10-28 13:24 CET by David Walser
Modified: 2013-11-18 15:45 CET (History)
5 users (show)

See Also:
Source RPM: roundcubemail
Status comment:


Description David Walser 2013-10-28 13:24:53 CET
Upstream has issued an advisory on October 21:

Guillaume Rousse has requested a freeze push to update this for Cauldron.


Steps to Reproduce:
David Walser 2013-10-28 13:25:27 CET

CC: (none) => guillomovitch
Summary: roundcubemail new security issues fixed in 0.9.5 and 0.8.7 => roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-10-28 22:22:21 CET
Advisories for this have been issued by Debian and Fedora:

URL: (none) => http://lwn.net/Vulnerabilities/571975/

Comment 2 Oden Eriksson 2013-10-29 08:59:05 CET
roundcubemail-0.9.5-1.mga3 and roundcubemail-0.7.4-1.3.mga2 has been submitted which fixes this.

CC: (none) => oe

Comment 4 David Walser 2013-10-29 17:50:03 CET
Thanks Oden!


Updated roundcubemail package fixes security vulnerability:

It was discovered that roundcube does not properly sanitize the
_session parameter in steps/utils/save_pref.inc during saving
preferences. The vulnerability can be exploited to overwrite
configuration settings and subsequently allowing random file access,
manipulated SQL queries and even code execution (CVE-2013-6172).


Updated packages in core/updates_testing:

from SRPMS:

Assignee: bugsquad => qa-bugs

Comment 5 claire robinson 2013-10-31 16:13:46 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 6 claire robinson 2013-10-31 16:54:07 CET
Testing complete mga2 32

Same issues as bug 9640 comment 5 but nothing new.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok

David Walser 2013-10-31 17:47:24 CET

Severity: normal => critical

Comment 7 claire robinson 2013-10-31 18:11:49 CET
Testing complete mga2 64
claire robinson 2013-10-31 18:12:11 CET

Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok

Comment 8 claire robinson 2013-10-31 18:39:16 CET
Mga3 64

On step 2 of the installer it can't create the config files, continuing with the installer fails saying it can't find the config files and so database settings etc too.

See last update for this also.

This package is generally quite poor in mga2 and mga3. 
I'll create some bugs for it later.

Using Daves solution
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

It then finds the config files bug shows this error below about the logs same as mga2 but also bizarrely one for /home/iurt..
Check if directories are writable

Roundcube may need to write/save files into these directories
/home/iurt/rpmbuild/tmp/:  NOT OK(not writeable for the webserver)
/var/log/roundcubemail/:  NOT OK(not writeable for the webserver)

Then trying to initialise the database it says..
Cannot read the schema file: /usr/share/roundcubemail/SQL/mysql.initial.sql

Giving up for now, I've run out of time today.
Dave Hodgins 2013-11-13 14:35:59 CET

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok advisory

Comment 9 claire robinson 2013-11-18 09:25:52 CET
Old issues still remain with this package and mga3 is impossible to use so just ensuring the update installs ok as we have too many other updates demanding our attention to spend more time on this one.
Comment 10 claire robinson 2013-11-18 09:31:10 CET
Testing complete mga3 32 & 64 (just that the update installs ok) 

Validating the update. Advisory previously uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates


Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok advisory => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2013-11-18 15:45:49 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.