Bug 16249 - roundcubemail new security issues CVE-2015-218[01] and CVE-2015-5382
Summary: roundcubemail new security issues CVE-2015-218[01] and CVE-2015-5382
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649716/
Whiteboard: has_procedure advisory mga5-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-29 22:40 CEST by David Walser
Modified: 2015-10-15 11:52 CEST

See Also:
Source RPM: roundcubemail-1.0.5-4.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-06-29 22:40:30 CEST
OpenSuSE has issued an advisory today (June 29):
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html

We should also update Mageia 5 to 1.0.6.

Comment 1 Thomas Spuhler 2015-06-30 03:07:49 CEST
This bug is now fixed and the following packages are in mga5 updates_testing

roundcubemail-1.0.6-1.mga5.src.rpm
roundcubemail-1.0.6-1.mga5.noarch.rpm

Assigning it to QA

Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 2 David Walser 2015-06-30 18:49:37 CEST
Thanks Thomas!

Advisory:
----------------------------------------

The roundcubemail package has been updated to version 1.0.6, which contains
a couple of security improvements and several bug fixes.  See the upstream
release announcement for more details.

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.0.6
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html
Comment 3 David Walser 2015-07-04 20:36:07 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Whiteboard: (none) => has_procedure

Comment 4 Dave Hodgins 2015-07-04 21:45:29 CEST
Advisory committed to svn.

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 5 David Walser 2015-07-06 15:44:16 CEST
CVE request:
http://openwall.com/lists/oss-security/2015/07/06/10
Comment 6 David Walser 2015-07-07 14:50:09 CEST
Now we have some CVEs.

The DBMail driver issue has CVEs noted on the upstream bug:
http://trac.roundcube.net/ticket/1490261

The CVE request gained CVE assignments, including one for the vCard issue:
http://openwall.com/lists/oss-security/2015/07/07/2

Please update the advisory in SVN.

Advisory:
========================

Updated roundcubemail packages fix security vulnerabilities:

Multiple security issues in the DBMail driver for the password plugin,
including buffer overflows (CVE-2015-2181) and the ability for a remote
attacker to execute arbitrary shell commands as root (CVE-2015-2180).

An authenticated user can download arbitrary files from the web server that
the web server process has read access to, by uploading a vCard with a
specially crafted POST (CVE-2015-5382).

The roundcubemail package has been updated to version 1.0.6, fixing these
issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5382
http://openwall.com/lists/oss-security/2015/07/07/2
http://trac.roundcube.net/ticket/1490261
https://github.com/roundcube/roundcubemail/releases/tag/1.0.6
http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html

Whiteboard: has_procedure advisory => has_procedure

David Walser 2015-07-07 14:50:39 CEST

Summary: roundcubemail new security improvements in 1.0.6 => roundcubemail new security issues CVE-2015-218[01] and CVE-2015-5382

Comment 7 Dave Hodgins 2015-07-08 01:12:20 CEST
Updated advisory committed to svn.

Whiteboard: has_procedure => has_procedure advisory

Comment 8 David Walser 2015-07-14 21:02:19 CEST
Another LWN entry, I've asked them to merge them:
http://lwn.net/Vulnerabilities/650994/
Comment 9 David Walser 2015-07-29 20:28:45 CEST
LWN reference for CVE-2015-538[1-3]:
http://lwn.net/Vulnerabilities/652800/

Fedora has issued an advisory for this on July 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162461.html
Comment 10 Dave Hodgins 2015-08-13 22:31:53 CEST
Note the procedure is shown at https://wiki.mageia.org/en/QA_procedure:Roundcubemail
which can be found by clicking on the wiki link for the update in madb.
Comment 11 Thomas Spuhler 2015-08-14 00:28:05 CEST
Unfortunately, that procedure is outdated.
in main.inc.php you have to edit following line (line 159) to enable the setup via browser: 
There is no main.inc.php anymore. It and db.inc.php are combined into config.inc.php.
The syntax also changed slightly.
The developers are running and leave the doc people far behind.
There seems to be a problem with the DB (at least on my box); I am trying to fix it. Let me know if you see the same.
Comment 12 Thomas Spuhler 2015-08-14 01:34:11 CEST
Let me know if you experience the problem of showing a lot of DB errors in the log and on the web interface. It may be that my server just didn't do the upgrade right from mga4 to mga5, or there is a bug. Anyway I have a fix and, if needed, it could be added to the Errata.
Comment 13 Brian Rockwell 2015-08-27 18:50:49 CEST
I could never get roundcubemail 1.06 installed.  1.05 installed.

This is the message when I try to install 1.06.  Something wrong in dependencies I think.


----
Sorry, the following package cannot be selected:

- roundcubemail-1.0.6-1.mga5.noarch (due to unsatisfied pear(Console/CommandLine.php))
-----

CC: (none) => brtians1

Comment 14 Thomas Spuhler 2015-08-28 01:39:45 CEST
php-pear-Console_CommandLine would provide it, but we don't package it.
per INSTALL in the source
These are the pear requirements:
* PEAR packages distributed with Roundcube or external:
   - Mail_Mime 1.8.1 or newer
   - Mail_mimeDecode 1.5.5 or newer
   - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
   - Net_IDNA2 0.1.1 or newer
   - Auth_SASL 1.0.6 or newer
   - Net_Sieve 1.3.2 or newer (for managesieve plugin)
   - Crypt_GPG 1.2.0 or newer (for enigma plugin)

So let me ask on the mailing list. It could be just one of those auto-requires
Comment 15 Lewis Smith 2015-08-30 23:12:00 CEST
Trying this for Mageia 5 x64. Help!

I installed roundcubemail-1.0.5-4.mga5 & all its dependencies. Then followed both procedures referred to + Comment 11:
 https://wiki.mageia.org/en/QA_procedure:Roundcubemail
 https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Stuck on the installation which others seem to have done without problems. Mainly a question of what to put in various lines of the config file:
 /etc/roundcubemail/config.inc.php
(and at the same time update the QA_procedure:Roundcubemail instructions).

OK $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

? $config['default_host'] = 'localhost';

? $config['smtp_server'] = 'smtp.free.fr';
I already fiddled with this - but was it necessary? If so, I imagine these two might be needed also:
 $config['smtp_user'] = '';
 $config['smtp_pass'] = '';

Are you supposed to link Roundcube mail to your external e-mail service?
Why is there all this stuff for outgoing SMTP, and not the equivalent for incoming POP3?

I see no reference in the config file to 'enabling the installer' as mentioned by Claire (but not the procedure). BTAIM going to:
 http://localhost/roundcubemail/installer
goes nowhere  - Error 404, not found.

Going to http://localhost/roundcubemail gives me "DATABASE ERROR: CONNECTION FAILED!", despite MariaDB having been set up as per both_procedures: DBname roundcubemail; DBuser roundcube; DBpassword pass; all permissions granted & flushed. Probably due to not having gone through the installer.

CC: (none) => lewyssmith

Comment 16 Thomas Spuhler 2015-08-31 02:43:49 CEST
(In reply to Thomas Spuhler from comment #14)
> php-pear-Console_CommandLine would provide it, but we don't package it.
> per INSTALL in the source
> These are the pear requirements:
> * PEAR packages distributed with Roundcube or external:
>    - Mail_Mime 1.8.1 or newer
>    - Mail_mimeDecode 1.5.5 or newer
>    - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
>    - Net_IDNA2 0.1.1 or newer
>    - Auth_SASL 1.0.6 or newer
>    - Net_Sieve 1.3.2 or newer (for managesieve plugin)
>    - Crypt_GPG 1.2.0 or newer (for enigma plugin)
> 
> So let me ask on the mailing list. It could be just one of those
> auto-requires
Just to give you an update on the require Console_CommandLine.
Upstream claims
****
Console/CommandLine is a dependency of Crypt_GPG package, for Roundcube
1.0 and 1.1 you can ignore it, because Enigma plugin should not be used,
even removed from the package (and this is the only part that requires
Crypt_GPG)
****
which is just not true. The requirement is in the code of roundcubemail and our buildserver turns that into an autorequires. It seems to be safe to just add an exception, as the enigma feature hasn't been implemented in this version.
Comment 17 Thomas Spuhler 2015-08-31 02:56:56 CEST
(In reply to Lewis Smith from comment #15)
> Trying this for Mageia 5 x64. Help!
> 
> I installed roundcubemail-1.0.5-4.mga5 & all its dependencies. Then followed
> both procedures referred to + Comment 11:
>  https://wiki.mageia.org/en/QA_procedure:Roundcubemail
>  https://bugs.mageia.org/show_bug.cgi?id=9640#c5
> 
> Stuck on the installation which others seem to have done without problems.
> Mainly a question of what to put in various lines of the config file:
>  /etc/roundcubemail/config.inc.php
> (and at the same time update the QA_procedure:Roundcubemail instructions).
> 
> OK $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
> 
> ? $config['default_host'] = 'localhost';
> 
> ? $config['smtp_server'] = 'smtp.free.fr';
> I already fiddled with this - but was it necessary? If so, I imagine these
> two might be needed also:
>  $config['smtp_user'] = '';
>  $config['smtp_pass'] = '';
> 
> Are you supposed to link Roundcube mail to your external e-mail service?
> Why is there all this stuff for outgoing SMTP, and not the equivalent for
> incoming POP3?
There is, the imap server section
> 
> I see no reference in the config file to 'enabling the installer' as
> mentioned by Claire (but not the procedure). BTAIM going to:
>  http://localhost/roundcubemail/installer
> goes nowhere  - Error 404, not found.
> 
> Going to http://localhost/roundcubemail gives me "DATABASE ERROR: CONNECTION
> FAILED!", despite MariaDB having been set up as per both_procedures: DBname
> roundcubemail; DBuser roundcube; DBpassword pass; all permissions granted &
> flushed. Probably due to not having gone through the installer.

I am using this with the kolab stack and it configures the roundcubemail.
I am using 389-ds as the ldap server.

I have this in my /etc/roundcubemail/config.inc.php file (aargau.btspuhler.com is my mailserver):
<?php
    $config = array();
    $config['force_https'] = 8443;

    $config['db_dsnw'] = 'mysqli://roundcube:thomas@localhost/roundcube';

    $config['session_domain'] = '';
    $config['des_key'] = "63APEfpiSam193V4tP1ZgQeo";
    $config['username_domain'] = 'btspuhler.com';
    $config['use_secure_urls'] = true;
    $config['assets_path'] = '/roundcubemail/assets/';
    $config['assets_dir'] = '/usr/share/roundcubemail/public_html/assets/';

    $config['mail_domain'] = '';

    // IMAP Server Settings
    $config['default_host'] = 'tls://aargau.btspuhler.com';
    $config['default_port'] = 143;
    $config['imap_delimiter'] = '/';
    $config['imap_force_lsub'] = true;

    // Caching and storage settings
    $config['imap_cache'] = 'db';
    $config['imap_cache_ttl'] = '10d';
    $config['messages_cache'] = 'db';
    $config['message_cache_ttl'] = '10d';
    $config['session_storage'] = 'db';

    // SMTP Server Settings
    $config['smtp_server'] = 'tls://aargau.btspuhler.com';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
    $config['smtp_helo_host'] = $_SERVER["HTTP_HOST"];

    // LDAP Settings
    $config['ldap_cache'] = 'db';
    $config['ldap_cache_ttl'] = '1h';

Sorry for not being of much help, but I know mga folks are using it. Maybe you should ask at the dev mailing list.
Comment 18 Lewis Smith 2015-09-01 22:30:15 CEST
I notice from the Updates Testing list that Roundcubemail is described as *an IMAP client*. Which explains the lack of POP3 in its config file. I think I have been flogging a dead horse here: I do not have an IMAP account, just POP3. So I back out.

Additionally, from Comment 13:
" Sorry, the following package cannot be selected:
- roundcubemail-1.0.6-1.mga5.noarch (due to unsatisfied pear(Console/CommandLine.php))"
This is
Comment 19 Lewis Smith 2015-09-01 22:43:14 CEST
I notice from the Updates Testing list that Roundcubemail is described as *an IMAP client*. Which explains the lack of POP3 in its config file. I think I have been flogging a dead horse here: I do not have an IMAP account, just POP3. So I back out. But thanks for Thomas's info in Comment 17 anyway.
-----------------------------
Additionally, from Comment 13:
" Sorry, the following package cannot be selected:
- roundcubemail-1.0.6-1.mga5.noarch (due to unsatisfied pear(Console/CommandLine.php))"
This is a real problem if you have roundcubemail installed & want to try *any* update. The Updates Testing list is displayed after that warning message, everything selected *except* roundcubemail. When you click 'Select everything' to DEselect everything, the message is displayed & everything (except roundcubemail) remains ticked. You have to individually deselect every package you do *not* want, to leave selected just those you want. *Very* tedious, so please crack this one.
Comment 20 David Walser 2015-09-01 22:45:21 CEST
Adding feedback until the invalid dependency is properly excluded.

Whiteboard: has_procedure advisory => has_procedure advisory feedback

Comment 21 Thomas Spuhler 2015-09-01 23:16:06 CEST
This dependency problem is now resolved by adding an exception.
The following packages are now in updates_testing:
roundcubemail-1.0.6-1.1.mga5.src.rpm
roundcubemail-1.0.6-1.1.mga5.noarch.rpm
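As an added illustration (not the actual change made to the roundcubemail spec, which the thread does not show), the kind of exception described above is normally expressed by filtering the auto-generated Requires in the RPM spec; the macro name and the regex below are assumptions about how that filter is written:

```spec
# Added example, not the Mageia package's own spec.
# The build-time dependency generator scans the PHP sources and emits
# pear(Console/CommandLine.php) as an automatic Requires.  Mageia does not
# ship a package providing it and the enigma plugin that would need it is
# not usable in this version, so the symbol is filtered out before the
# binary RPM is written.
# Assumption: rpm >= 4.9 style filtering via the __requires_exclude macro;
# backslashes are doubled because the value is expanded once as a macro.
%global __requires_exclude ^pear\\(Console/CommandLine\\.php\\)$

# After a rebuild, the exclusion can be checked on the resulting package:
#   rpm -qp --requires roundcubemail-*.noarch.rpm | grep CommandLine
# which should print nothing.
```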
David Walser 2015-09-01 23:22:11 CEST

Whiteboard: has_procedure advisory feedback => has_procedure advisory

Comment 22 David Walser 2015-09-04 15:58:25 CEST
Removing advisory tag as the package version will need to be updated in the advisory in SVN.

Whiteboard: has_procedure advisory => has_procedure

Comment 23 claire robinson 2015-09-18 15:23:20 CEST
Adding feedback marker for now.

The index.php  in /usr/share/roundcubemail makes reference to ./installer/index.php as the installer path, which is as expected. 

The installer directory is completely missing though.

# ll /usr/share/roundcubemail/
total 44
drwxr-xr-x  2 root root  4096 Sep 18 13:42 bin/
-rw-r--r--  1 root root   381 Jan 24  2015 composer.json-dist
lrwxrwxrwx  1 root root    26 Feb 20  2015 config -> ../../../etc/roundcubemail/
-rw-r--r--  1 root root 12962 Jan 24  2015 index.php
lrwxrwxrwx  1 root root    30 Feb 20  2015 logs -> ../../../var/log/roundcubemail/
drwxr-xr-x 52 root root  4096 Sep 18 13:42 plugins/
drwxr-xr-x  8 root root  4096 Sep 18 13:42 program/
-rw-r--r--  1 root root  3833 Jan 24  2015 README.md
-rw-r--r--  1 root root    26 Jan 24  2015 robots.txt
drwxr-xr-x  5 root root  4096 Sep 18 13:42 skins/
lrwxrwxrwx  1 root root    30 Feb 20  2015 temp -> ../../../var/lib/roundcubemail/

This means even after adding $config['enable_installer'] = true; to /etc/roundcubemail/config.inc.php it is inaccessible and, as it stands, the package is uninstallable on its own.

# urpmf roundcubemail | grep installer | wc -l
0

Whiteboard: has_procedure => has_procedure feedback

Comment 24 claire robinson 2015-09-18 15:45:36 CEST
From the spec..

rm -rf %{buildroot}%{roundcube}/installer
Comment 25 Thomas Spuhler 2015-10-14 00:48:14 CEST
It is a known issue that the installer doesn't work: https://bugs.mageia.org/show_bug.cgi?id=13056

I removed it April 9, 2014 during the upgrade from vers. 0.95 to 1.0.0, probably because it didn't work.

But roundcube is installable, initial install and update. Nothing has changed in this regard with the update. There is an error message, but no regression.
    75/82: roundcubemail         #########################################################################################################
ERROR: Error connecting to database: SQLSTATE[HY000] [2002] No such file or directory

What we maybe should do is to remove the deps on the kolab packages, but again no regression.
That was introduced also April 9, 2014.
David Walser 2015-10-14 01:01:22 CEST

Whiteboard: has_procedure feedback => has_procedure

Comment 26 claire robinson 2015-10-14 09:45:01 CEST
Whether it's a regression or not is only part of the decision to push an update - it's more important to decide whether or not the issues can be fixed *with* this update. This is the first update since it was broken.

As it seems the known bug is quite stale, over a year old, and this is a security update, I guess we can push this and just test that the package itself updates cleanly this time around; as a broken package.

I don't understand why the installer would be removed in the first place.

Validating. Advisory updated with new information.

Please push to 5 updates

Thanks.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 27 Thomas Spuhler 2015-10-14 17:47:30 CEST
(In reply to claire robinson from comment #26)
> Whether it's a regression or not is only part of the decision to push an
> update - it's more important to decide whether or not the issues can be
> fixed *with* this update. This is the first update since it was broken.
Hmmm. The installer was removed April 9, 2014 (vers. 0.95 to 1.0.0), so we had several updates since. I think it's more important to fix the security issue right now.
Roundcubemail has to be installed on a server and the sysadmins usually know how to do the configuration manually.
I will check if the installer now works and fix https://bugs.mageia.org/show_bug.cgi?id=13056 and then if it works add it.

> 
> As it seems the known bug is quite stale, over a year old, and this is a
> security update, I guess we can push this and just test that the package
> itself updates cleanly this time around; as a broken package.
> 
> I don't understand why the installer would be removed in the first place.
> 
> Validating. Advisory updated with new information.
> 
> Please push to 5 updates
> 
> Thanks.
Comment 28 Thomas Spuhler 2015-10-14 18:31:38 CEST
I actually found in file roundcubemail-README.mageia:

WARNING: when upgrading from <= 0.9.5 the old configuration files named main.inc.php and db.inc.php are now deprecated and should be replaced with one single config.inc.php file. Run the ./bin/update.sh script to get this conversion 
done or manually merge the files. NOTE: the new config.inc.php should only 
contain options that differ from the ones listed in defaults.inc.php.

The Roundcube installer is not included in the Mageia package, as its method of
operation is not compatible with distribution packaging.

Thomas Spuhler
2014-04-08
Comment 29 Mageia Robot 2015-10-14 22:29:09 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0400.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Lewis Smith 2015-10-15 11:52:09 CEST

CC: lewyssmith => (none)
