Bug 11552 - roundcubemail new security issue fixed in 0.9.5 and 0.8.7 (CVE-2013-6172)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/571975/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Reported: 2013-10-28 13:24 CET by David Walser
Modified: 2013-11-18 15:45 CET

Source RPM: roundcubemail

Description David Walser 2013-10-28 13:24:53 CET
Upstream has issued an advisory on October 21:
http://roundcube.net/news/2013/10/21/security-updates-095-and-087/

Guillaume Rousse has requested a freeze push to update this for Cauldron.

Comment 1 David Walser 2013-10-28 22:22:21 CET
Advisories for this have been issued by Debian and Fedora:
http://www.debian.org/security/2013/dsa-2787
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119655.html
Comment 2 Oden Eriksson 2013-10-29 08:59:05 CET
roundcubemail-0.9.5-1.mga3 and roundcubemail-0.7.4-1.3.mga2 have been submitted, which fix this.
Comment 4 David Walser 2013-10-29 17:50:03 CET
Thanks Oden!

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

It was discovered that roundcube does not properly sanitize the
_session parameter in steps/utils/save_pref.inc during saving
preferences. The vulnerability can be exploited to overwrite
configuration settings and subsequently allowing random file access,
manipulated SQL queries and even code execution (CVE-2013-6172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
http://www.debian.org/security/2013/dsa-2787
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:263/
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.3.mga2
roundcubemail-0.9.5-1.mga3

from SRPMS:
roundcubemail-0.7.4-1.3.mga2.src.rpm
roundcubemail-0.9.5-1.mga3.src.rpm
Comment 5 claire robinson 2013-10-31 16:13:46 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Comment 6 claire robinson 2013-10-31 16:54:07 CET
Testing complete mga2 32

Same issues as bug 9640 comment 5 but nothing new.
Comment 7 claire robinson 2013-10-31 18:11:49 CET
Testing complete mga2 64
Comment 8 claire robinson 2013-10-31 18:39:16 CET
Mga3 64

On step 2 of the installer it can't create the config files, continuing with the installer fails saying it can't find the config files and so database settings etc too.

See last update for this also.
https://bugs.mageia.org/show_bug.cgi?id=11069#c11

This package is generally quite poor in mga2 and mga3. 
I'll create some bugs for it later.


Using Dave's solution
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

It then finds the config files but shows this error below about the logs, same as mga2, but also bizarrely one for /home/iurt..
---
Check if directories are writable

Roundcube may need to write/save files into these directories
/home/iurt/rpmbuild/tmp/:  NOT OK(not writeable for the webserver)
/var/log/roundcubemail/:  NOT OK(not writeable for the webserver)
---

Then trying to initialise the database it says..
Cannot read the schema file: /usr/share/roundcubemail/SQL/mysql.initial.sql

Giving up for now, I've run out of time today.
Comment 9 claire robinson 2013-11-18 09:25:52 CET
Old issues still remain with this package and mga3 is impossible to use so just ensuring the update installs ok as we have too many other updates demanding our attention to spend more time on this one.
Comment 10 claire robinson 2013-11-18 09:31:10 CET
Testing complete mga3 32 & 64 (just that the update installs ok) 

Validating the update. Advisory previously uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 11 Thomas Backlund 2013-11-18 15:45:49 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0325.html
