Bug 20463 - roundcubemail new security issue CVE-2017-6820
Summary: roundcubemail new security issue CVE-2017-6820
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-13 01:28 CET by David Walser
Modified: 2017-03-27 23:28 CEST (History)

See Also:
Source RPM: roundcubemail-1.0.9-1.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-03-13 01:28:26 CET
A security issue in roundcubemail fixed in 1.2.4 has been announced:
http://openwall.com/lists/oss-security/2017/03/12/2

I'm not sure if Mageia 5 is affected, but the upstream commits that fixed the issue are linked in the message above.
Comment 1 Marja Van Waes 2017-03-13 06:33:57 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package

Status comment: (none) => Not sure whether Mga 5's roundcubemail-1.0.9 is affected, needs to be checked.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Source RPM: roundcoubemail-1.2.3-1.mga6.src.rpm => roundcubemail-1.2.3-1.mga6.src.rpm

Comment 2 David Walser 2017-03-18 20:29:14 CET
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a
cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS)
token sequence within an SVG element (CVE-2017-6820).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6820
http://openwall.com/lists/oss-security/2017/03/12/2
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.0.9-1.2.mga5

from roundcubemail-1.0.9-1.2.mga5.src.rpm

Status comment: Not sure whether Mga 5's roundcubemail-1.0.9 is affected, needs to be checked. => (none)
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Source RPM: roundcubemail-1.2.3-1.mga6.src.rpm => roundcubemail-1.0.9-1.1.mga5.src.rpm

Comment 3 David Walser 2017-03-19 16:14:58 CET
openSUSE has issued an advisory for this today (March 19):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00056.html
Comment 4 Herman Viaene 2017-03-23 10:57:09 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
Trying to test this is as hopeless as it was in previous attempts (cfr. bugs 19920, 18257 and 9640).

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Dave Hodgins 2017-03-27 04:47:05 CEST
Testing for roundcubemail-1.0.9-1.2.mga5 with mariadb

Installed roundcubemail from updates. Ignore error message caused by failure to
update prior version, since prior version was not installed.

If not previously done, edit /etc/php.ini to uncomment and set the date.timezone,
in the [Date] section.
See http://php.net/manual/en/timezones.php for possible values. I'm using
date.timezone = America/Toronto

Ensure mariadb is installed, started, and the password set as per
/usr/share/doc/mariadb/README.urpmi

For ease of use, install phpmyadmin, and login to http://localhost/phpmyadmin/ 
as the mariadb (aka mysql) root user with the admin password set in the prior step.
In the list of items across the top, select Users, then Add user.
  Under Login information ...
    For the user name, on the right enter the value roundcube
    For the host, use the drop down on the left to select local.
    In the Password line, enter a value such as munged
    Also enter it on the following Re-type line.
    
  Under DataBase for user
    select Create database with same name and grant all privileges.
Scroll down and on the right select Go.
NOTE: User name and database name are now both roundcube, with password munged.

Edit /etc/roundcubemail/config.inc.php
 replace the line ...
   $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
 with ...
   $config['db_dsnw'] = 'mysql://roundcube:munged@localhost/roundcube';

Restart apache with "systemctl restart httpd.service".

FIXED log permissions with "chmod g+w /var/log/roundcubemail"

While roundcubemail is responding at http://localhost/roundcubemail/ with
a db connect error, http://localhost/roundcubemail/installer returns with
404 - Object not found

I'm going to post to the dev mailing list that roundcubemail should be
dropped, as a useless (as is) package.

Once confirmed that roundcubemail will be dropped from Mageia 6, will close this
bug as wontfix.

CC: (none) => davidwhodgins
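The database-user creation and DSN edit that comment 5 walks through in phpMyAdmin and a text editor can also be done from a shell. The script below is an added example, not part of the bug report or of the Roundcube package; it keeps the names from comment 5 (user and database `roundcube`, password `munged`, config file `/etc/roundcubemail/config.inc.php`) and the function names `roundcube_db_sql`, `set_db_dsn` and `get_db_dsn` are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the Roundcube project): the same
# database-user setup and DSN edit that comment 5 performs through phpMyAdmin
# and a text editor, done from a shell. User/database name "roundcube",
# password "munged" and the config path follow comment 5; the function names
# are this example's own.

# Emit the SQL that phpMyAdmin's "Add user" + "Create database with same name
# and grant all privileges" runs for us: database and user share one name,
# and the user may only connect from localhost.
roundcube_db_sql() {
    name=$1
    password=$2
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS $name;" \
        "CREATE USER '$name'@'localhost' IDENTIFIED BY '$password';" \
        "GRANT ALL PRIVILEGES ON $name.* TO '$name'@'localhost';" \
        "FLUSH PRIVILEGES;"
}

# Replace the db_dsnw line in a Roundcube config.inc.php with the given DSN.
# '|' is the sed delimiter because the DSN contains slashes (so the DSN itself
# must not contain '|' or '&'); the original file is kept as a .orig backup.
set_db_dsn() {
    file=$1
    dsn=$2
    sed -i.orig "s|^\$config\['db_dsnw'] = .*|\$config['db_dsnw'] = '$dsn';|" "$file"
}

# Print the DSN currently configured, so the edit can be checked afterwards.
get_db_dsn() {
    sed -n "s|^\$config\['db_dsnw'] = '\(.*\)';|\1|p" "$1"
}

# Usage (mirrors comment 5; run as root, with mariadb already started):
#   roundcube_db_sql roundcube munged | mysql -u root -p
#   set_db_dsn /etc/roundcubemail/config.inc.php \
#       'mysql://roundcube:munged@localhost/roundcube'
#   get_db_dsn /etc/roundcubemail/config.inc.php
#   systemctl restart httpd.service
```

The `.orig` backup makes it easy to diff what changed in `config.inc.php`, and `get_db_dsn` gives a one-line check that the DSN points at the `roundcube` database rather than the default `roundcubemail` one, which is what produces the "DATABASE ERROR: CONNECTION FAILED" page seen in later comments when it is left unchanged.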

Comment 6 Dave Hodgins 2017-03-27 04:57:35 CEST
Also note that the update installs, but the script fails with
Updating database schema (2013061000)... [FAILED]
ERROR: Error in DDL upgrade 2013061000: [1146] Table 'roundcube.cache' doesn't exist
Comment 7 David Walser 2017-03-27 05:04:32 CEST
The package is in Cauldron, but it's a different version, so hopefully it's more obvious how to make it work. The maintainer is no longer with us, as you may have heard, but insisted that the Mageia 5 package worked as long as one knew how to make it work. As for Cauldron, I seem to remember it being a requirement for Kolab or something, so I think that's the reason we have it. I wouldn't mind seeing it go, but you should always feel free to ask about something like that on the dev list. Anyway, unless there's some obvious regression here, which there shouldn't be from this small patch, let's just push it and forget about the Mageia 5 version of this package, which we hopefully will never have to update again.
Comment 8 claire robinson 2017-03-27 09:46:55 CEST
It is used as part of Kolab, Dave; Kolab does the necessary configuration. Unfortunately that makes it pretty useless as a stand-alone package, as the installer was removed.

Not ideal, and it should probably be renamed kolab-roundcubemail to allow the full package to be installed with the installer.

You *could* check it using kolab, but previously we've just ensured it updates cleanly.
Comment 9 Lewis Smith 2017-03-27 21:24:14 CEST
'Testing' M5-64

Given the previous lack of success we have had with this package, which I had already installed (https://bugs.mageia.org/show_bug.cgi?id=19920#c2), and heeding Claire's comment 8, I just updated this to
 roundcubemail-1.0.9-1.2.mga5
The update went smoothly, this time with no new config files to confirm, nor any errors.

http://localhost/roundcubemail/ yielded the familiar
"DATABASE ERROR: CONNECTION FAILED!
Unable to connect to the database!
Please contact your server-administrator."

So from previous testing precedents, & David's comment 7, I am OKing & validating this update. Advisory to follow immediately.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-03-27 21:30:21 CEST

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 10 Mageia Robot 2017-03-27 23:28:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0092.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

