Mageia Bugzilla – Bug 11552
roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Last modified: 2013-11-18 15:45:49 CET
Upstream has issued an advisory on October 21:
Guillaume Rousse has requested a freeze push to update this for Cauldron.
Advisories for this have been issued by Debian and Fedora:
roundcubemail-0.9.5-1.mga3 and roundcubemail-0.7.4-1.3.mga2 have been submitted, which fix this.
Updated roundcubemail package fixes security vulnerability:
It was discovered that roundcube does not properly sanitize the
_session parameter in steps/utils/save_pref.inc during saving
preferences. The vulnerability can be exploited to overwrite
configuration settings and subsequently allows random file access,
manipulated SQL queries and even code execution (CVE-2013-6172).
Updated packages in core/updates_testing:
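An illustration of the hardening pattern that addresses the class of problem the advisory describes, written for this page and not taken from Roundcube's own save_pref.inc: the preference name and the session key arriving in the request are checked against fixed allowlists before anything is saved, so the client cannot pick which setting or which session key gets written. The function name, the allowlist contents and the `_name`/`_value` parameters are assumptions; only `_session` is named on the page.

```php
<?php
// Added illustration, not Roundcube's code. Names and allowlists are assumed.

// Preferences the client-side UI is allowed to change.
const PREF_ALLOWLIST = ['preview_pane', 'list_cols', 'collapsed_folders'];

// Session keys the client may mirror a preference into, keyed by the owning
// preference, so the session key is derived from the name rather than trusted.
const SESSION_ALLOWLIST = [
    'preview_pane' => 'preview_pane',
    'list_cols'    => 'list_attrib/columns',
];

/**
 * Validate a save-preference request.
 * $post is the raw POST array, e.g. ['_name' => ..., '_value' => ..., '_session' => ...].
 * Returns ['name', 'value', 'session_key'] on success, or null if any part of the
 * request is off the allowlist (the caller then saves nothing).
 */
function validate_save_pref(array $post): ?array
{
    $name     = isset($post['_name'])    ? (string) $post['_name']    : '';
    $value    = isset($post['_value'])   ? (string) $post['_value']   : '';
    $sessname = isset($post['_session']) ? (string) $post['_session'] : '';

    // Reject any preference name that is not explicitly allowed; this is what
    // prevents arbitrary configuration settings from being overwritten.
    if (!in_array($name, PREF_ALLOWLIST, true)) {
        return null;
    }

    // The requested session key must be exactly the one registered for this
    // preference; anything else is refused rather than written to $_SESSION.
    $sesskey = null;
    if ($sessname !== '') {
        if (!isset(SESSION_ALLOWLIST[$name]) || SESSION_ALLOWLIST[$name] !== $sessname) {
            return null;
        }
        $sesskey = $sessname;
    }

    return ['name' => $name, 'value' => $value, 'session_key' => $sesskey];
}

// Constructed requests: the first is accepted, the second is rejected because
// the session key does not belong to the named preference.
var_dump(validate_save_pref(['_name' => 'list_cols', '_value' => 'subject,date', '_session' => 'list_attrib/columns']));
var_dump(validate_save_pref(['_name' => 'list_cols', '_value' => 'subject', '_session' => 'some/other/key']));
```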
Testing complete mga2 32
Same issues as bug 9640 comment 5 but nothing new.
Testing complete mga2 64
On step 2 of the installer it can't create the config files; continuing with the installer fails, saying it can't find the config files, and so the database settings etc. too.
See last update for this also.
This package is generally quite poor in mga2 and mga3.
I'll create some bugs for it later.
Using Dave's solution
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config
It then finds the config files but shows this error below about the logs, same as mga2, but also bizarrely one for /home/iurt..
Check if directories are writable
Roundcube may need to write/save files into these directories
/home/iurt/rpmbuild/tmp/: NOT OK(not writeable for the webserver)
/var/log/roundcubemail/: NOT OK(not writeable for the webserver)
Then trying to initialise the database it says..
Cannot read the schema file: /usr/share/roundcubemail/SQL/mysql.initial.sql
Giving up for now, I've run out of time today.
Old issues still remain with this package and mga3 is impossible to use, so I'm just ensuring the update installs ok, as we have too many other updates demanding our attention to spend more time on this one.
Testing complete mga3 32 & 64 (just that the update installs ok)
Validating the update. Advisory previously uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates