Bug 22941 - roundcubemail new security issue CVE-2018-9846
Summary: roundcubemail new security issue CVE-2018-9846
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2018-04-22 16:39 CEST by David Walser
Modified: 2018-06-20 01:43 CEST

See Also:
Source RPM: roundcubemail-1.3.3-1.mga7.src.rpm
Status comment:


Description David Walser 2018-04-22 16:39:56 CEST
Fedora has issued an advisory on April 21:

The issue is fixed upstream in 1.3.6.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-22 16:40:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-04-23 05:42:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo

Comment 2 Mike Rambo 2018-04-28 18:35:37 CEST
Updated package uploaded for cauldron and Mageia 6.


Updated roundcubemail package fixes security vulnerability:

This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).


Updated packages in core/updates_testing:

from roundcubemail-1.3.6-1.mga6.src.rpm

Testing procedure:

Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
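As an added illustration of the vulnerability class the advisory names (an IMAP command injection reached through unvalidated input), here is example code written for this page; it is not Roundcube's code and does not describe the actual defect in the archive plugin. It assumes a hypothetical helper that must place a user-supplied folder name and UID set into an IMAP command line, and shows the validation and RFC 3501 quoting that keep those values from ending the command early.

```python
import re

# Constructed example, not Roundcube's code. In IMAP (RFC 3501) every argument
# is an atom, a quoted string or a literal, and the command line ends at CRLF.
# A user-controlled value copied raw into the command stream can therefore
# carry a line break and inject further commands; validating and quoting it is
# the mitigation shown here.

# Control characters (CR, LF, NUL, ...) are never valid inside a quoted string.
CTL = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeImapArgument(ValueError):
    """Raised when a value cannot be safely placed in an IMAP command."""


def quote_mailbox(name: str) -> str:
    """Return the RFC 3501 quoted-string form of a mailbox (folder) name.

    Rejects control characters and non-ASCII names (the latter need an IMAP
    literal or modified UTF-7 encoding, which is out of scope here).
    """
    if not name:
        raise UnsafeImapArgument("empty mailbox name")
    if CTL.search(name):
        raise UnsafeImapArgument("control character in mailbox name")
    if any(ord(c) > 0x7F for c in name):
        raise UnsafeImapArgument("non-ASCII mailbox name needs a literal")
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def is_safe_mailbox(name: str) -> bool:
    """True if quote_mailbox() would accept the name."""
    try:
        quote_mailbox(name)
        return True
    except UnsafeImapArgument:
        return False


def build_move_command(tag: str, uid_set: str, dest: str) -> str:
    """Build a tagged 'UID MOVE' line (RFC 6851) with validated arguments.

    Moving messages into a folder is the kind of operation an archive
    feature performs; the tag and UID set are checked against the grammar
    they must follow, and the folder name is quoted.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise UnsafeImapArgument("bad tag")
    # RFC 3501 sequence-set: digits, ':', ',' and '*' only.
    if not re.fullmatch(r"[0-9:,*]+", uid_set):
        raise UnsafeImapArgument("bad UID set")
    return f"{tag} UID MOVE {uid_set} {quote_mailbox(dest)}\r\n"
```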

Comment 3 claire robinson 2018-05-19 04:02:52 CEST
Adds some new dependencies. Is that expected?

# urpmi roundcubemail
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release2")
  perl-Authen-SASL               2.160.0      7.mga6        noarch  
  perl-Convert-ASN1              0.270.0      5.mga6        noarch  
  perl-Digest-HMAC               1.30.0       8.mga6        noarch  
  perl-Digest-SHA1               2.130.0      19.mga6       x86_64  
  perl-ldap                      0.650.0      3.mga6        noarch  
(medium "Core Updates Testing")
  roundcubemail                  1.3.6        1.mga6        noarch

Whiteboard: (none) => feedback

Comment 4 claire robinson 2018-05-19 04:05:39 CEST
Also bad signature..

The following package has bad signature:
/var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))
Comment 5 David Walser 2018-05-19 18:22:59 CEST
Perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.
Comment 6 Mike Rambo 2018-05-21 22:16:34 CEST
Rebuilt package to correct signature problem. 

New file list.

Updated packages in core/updates_testing:

from roundcubemail-1.3.6-1.1.mga6.src.rpm

Whiteboard: feedback => (none)

Comment 7 Herman Viaene 2018-05-26 11:20:04 CEST
MGA6-32 on IBM Thinkpad R50e MATE
Installation draws in apache, but not mariadb which is a prerequisite as well.
Please do not refer anymore to bug 9640 as the info on testing is obsolete (the installer is not there anymore); the wiki is better although not complete. I will give more feedback once I get through all the loops.

CC: (none) => herman.viaene

Comment 8 Herman Viaene 2018-05-26 12:11:50 CEST
I needed to change the file /etc/my.cnf.d/cracklib_password_check.cnf to comment out the line on the cracklib plugin. That gets rid of the policy error when trying to enter the roundcube user.
I'm still stuck at the database connection error, but my guess is that, with our current setup, we do not populate the roundcubemail database with its necessary tables.
I cannot continue my investigation right now.
Comment 9 Herman Viaene 2018-05-26 17:34:47 CEST
Googling I find references to a /usr/share/roundcubemail/SQL folder, but that one is not in our rpm?
Comment 10 PC LX 2018-06-09 16:13:54 CEST
Installed and (minimally) tested.

Installing required various steps.
1) Install the package roundcubemail and its dependencies (and recommends).
2) Start Apache (the httpd server I used) and MariaDB (the database server I used).
3) Create a database in MariaDB.
4) Create a database account (with all access rights; probably not all access rights are needed or desirable, but this was only for testing).
5) Initialize the database. Run:
   mysql -u username -p database_name < /usr/share/doc/roundcubemail/SQL/mysql.initial.sql
6) Install JS dependencies. Run as root:
7) Edit, as root, the file /etc/roundcubemail/config.inc.php, and set the DSN, IMAP and SMTP settings.
8) Load the http://localhost/roundcubemail/ page in a browser.
9) Login using the username/password for an IMAP account on the IMAP server configured in step 7.

While roundcubemail worked, I noticed that only some folders showed up in the list. The account I used has thousands. From the folders shown, I suspect it is only showing folders with recent emails. I don't know if this is how it's supposed to be or some limitation or bug.

I don't usually use any webmail stuff and have only used roundcubemail once or twice for quick access to an account, so I have no idea if there are any regressions. Will let someone else decide on giving the approved stamp to this one.

CC: (none) => mageia

Comment 11 PC LX 2018-06-09 16:15:41 CEST
Forgot the system info.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
Comment 12 PC LX 2018-06-17 13:43:58 CEST
It's been a week since the last comment, so I'm marking it as OK for x86_64.

Whiteboard: (none) => MGA6-64-OK

Comment 13 claire robinson 2018-06-19 21:34:36 CEST
Advisoried. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 14 Mageia Robot 2018-06-20 01:43:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
