Bug 19920 - roundcubemail new security issue CVE-2016-9920
Summary: roundcubemail new security issue CVE-2016-9920
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/708655/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-09 18:19 CET by David Walser
Modified: 2016-12-30 00:40 CET (History)

See Also:
Source RPM: roundcubemail-1.0.9-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-12-09 18:19:20 CET
A CVE has been assigned for a security issue fixed upstream in roundcubemail:
http://openwall.com/lists/oss-security/2016/12/08/17

The issue is fixed in 1.2.3, for which Cauldron has been updated.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

Users can execute commands on the server by writing e-mails, due to insufficient
sanitation of the from field when calling PHP's mail() function (CVE-2016-9920).

Note that only roundcubemail installations that don't have an SMTP server
configured for mail delivery are affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
http://openwall.com/lists/oss-security/2016/12/08/17
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.9-1.1.mga5

from roundcubemail-1.0.9-1.1.mga5.src.rpm
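As an added illustration of the advisory's point (this is not code from Roundcube, from the Mageia package, or from this bug report), the PHP sketch below places the unsafe pattern, where a user-supplied From address flows unchecked into mail()'s fifth argument and so onto the local sendmail command line, beside a hardened form that validates and escapes the envelope sender first. Function names and the sample inputs are constructed for the example; the scenario assumes the "no SMTP server configured" delivery path the advisory describes, in which PHP's mail() hands the message to a sendmail binary.

```php
<?php
// Added example, not Roundcube's own code. Assumes mail() is configured to
// hand off to a local sendmail binary (the affected configuration in the
// advisory) and that $from originates from user-editable identity settings.

/**
 * UNSAFE pattern: the From address is passed straight through as mail()'s
 * additional_parameters. That string ends up on the sendmail command line,
 * so anything beyond a plain address (whitespace, extra "-" options) is
 * interpreted by the MTA instead of being treated as an address.
 */
function send_unsafe(string $to, string $subject, string $body, string $from): bool
{
    $headers = "From: $from\r\n";
    return mail($to, $subject, $body, $headers, '-f' . $from);
}

/**
 * Returns the address if it is acceptable as an envelope sender, else null.
 * filter_var() rejects whitespace, control characters and anything that is
 * not a single addr-spec; the allow-list regex and leading-dash check are a
 * stricter second layer so nothing option-like can reach the command line.
 */
function validate_envelope_sender(string $from): ?string
{
    $addr = filter_var($from, FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        return null;
    }
    if ($addr[0] === '-' || preg_match('/[^A-Za-z0-9.@_+=-]/', $addr)) {
        return null;
    }
    return $addr;
}

/**
 * HARDENED pattern: refuse to send unless the sender validates, and shell-
 * escape the value before it is appended to additional_parameters.
 */
function send_hardened(string $to, string $subject, string $body, string $from): bool
{
    $sender = validate_envelope_sender($from);
    if ($sender === null) {
        error_log('mail() refused: envelope sender failed validation');
        return false;
    }
    $headers = 'From: ' . $sender . "\r\n";
    // escapeshellarg() is the extra guard the PHP manual recommends for
    // additional_parameters; with the allow-list above it is effectively a no-op.
    return mail($to, $subject, $body, $headers, '-f' . escapeshellarg($sender));
}

// Constructed inputs for a quick self-check; no mail is sent by these calls.
$good = 'alice@example.org';
$bad  = 'alice@example.org -extra-option';   // constructed: trailing option smuggled in

echo 'good address accepted: ', var_export(validate_envelope_sender($good) === $good, true), PHP_EOL;
echo 'bad address rejected:  ', var_export(validate_envelope_sender($bad) === null, true), PHP_EOL;
```

The detection-side takeaway is the same as the fix: on an installation that delivers through sendmail rather than SMTP, any From value containing whitespace or a second "-" token should never reach mail(), so logging and refusing at the validation step both closes the hole and leaves a trace of attempts.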
Comment 1 Herman Viaene 2016-12-27 15:03:16 CET
MGA5-32 on Acer D620 Xfce
No installation issues.
Still hitting same "Error 404" problem as in previous updates (bug 18257), so OK as is.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2016-12-28 10:54:53 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 2 Lewis Smith 2016-12-29 20:28:01 CET
Testing M5 x64

All previous info got nowhere, so this is basically (as recommended) just an install + update run-through.

BEFORE update:
Installed from normal repos: roundcubemail-1.0.9-1.mga5
before I had set up a database - which threw an error
"grep: /etc/php.d/99_apc.ini: No such file or directory
ERROR: Error connecting to database: SQLSTATE[HY000] [1045] Access denied for user 'roundcube'@'localhost' (using password: YES)";
which I then did as per the Wiki:
 MariaDB [(none)]> CREATE USER roundcube IDENTIFIED BY 'pass';
 MariaDB [(none)]> CREATE DATABASE roundcubemail;
 MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'pass';
 MariaDB [(none)]> FLUSH PRIVILEGES;
 MariaDB [(none)]> exit
Using the example values means that /etc/roundcubemail/config.inc.php already has the correct database line:
 $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

http://localhost/roundcubemail/ yielded a Roundcube page with "DATABASE ERROR: CONNECTION FAILED!"

AFTER update to: roundcubemail-1.0.9-1.1.mga5
Two config file confirmations during the update (accepted both new).
http://localhost/roundcubemail/ gave the same error as before.

OKing this because the update went OK. But it would be nice to find a way to have this thing visibly working. Validating at the same time.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-12-30 00:40:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0430.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
