Bug 9640 - roundcubemail new security issue fixed in 0.7.4 (CVE-2013-1904)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/546480/
Whiteboard: has_procedure mga2-64-ok MGA2-32-OK
Keywords: validated_update
 
Reported: 2013-04-06 21:37 CEST by David Walser
Modified: 2013-05-02 19:17 CEST
Source RPM: roundcubemail-0.7.3-2.mga2.src.rpm

Description David Walser 2013-04-06 21:37:03 CEST
Upstream issued updated versions 0.8.6 and 0.7.4 to fix a security issue:
http://sourceforge.net/news/?group_id=139281&id=310497
http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.4/

Cauldron was already updated, Mageia 2 needs an update.
Comment 1 David Walser 2013-04-08 22:46:01 CEST
This is now known as CVE-2013-1904.

Fedora has issued an advisory on March 29:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html
Comment 2 David Walser 2013-04-21 16:53:22 CEST
Updated package uploaded by Oden.

Note to Oden: removing the %apply_patches macro is really not a good idea.

Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

A local file inclusion flaw was found in the way Round Cube Webmail performed
validation of the 'generic_message_footer' value provided via web user
interface in certain circumstances. A remote attacker could issue a
specially-crafted request that, when processed by Round Cube Webmail, could
allow an attacker to obtain an arbitrary file on the system, accessible with
the privileges of the user running Round Cube Webmail client (CVE-2013-1904).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1904
http://sourceforge.net/news/?group_id=139281&id=310497
http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.4/
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.1.mga2

from roundcubemail-0.7.4-1.1.mga2.src.rpm
Comment 3 Oden Eriksson 2013-04-21 17:36:21 CEST
(In reply to David Walser from comment #2)

> Note to Oden: removing the %apply_patches macro is really not a good idea.

I know, but I think it will leave backups that otherwise will be packaged, no?
Comment 4 David Walser 2013-04-21 17:50:52 CEST
(In reply to Oden Eriksson from comment #3)
> (In reply to David Walser from comment #2)
> 
> > Note to Oden: removing the %apply_patches macro is really not a good idea.
> 
> I know, but I think it will leave backups that otherwise will be packaged,
> no?

If it does, that should be fixed in the %files list.
Comment 5 claire robinson 2013-04-29 17:08:17 CEST
No information how to configure this, it's not user friendly, plus the INSTALL file has been removed from /usr/share/doc/roundcubemail which the README refers you to.

Could do with a README.urpmi.

Edited /etc/roundcubemail/main.inc.php and configured imap/smtp server and enabled the installer.

Created a mysql database & user with phpmyadmin.
DB: roundcubemail
User: roundcube
Pass: pass

These are just the lazy default values found in /etc/roundcubemail/db.inc/php


Then configured at http://localhost/roundcubemail/installer

In step 3 of the installer it shows an error..
/var/log/roundcubemail/:  NOT OK(not writeable for the webserver)

# ll -d /var/log/roundcubemail
drwxr-xr-x 2 root root 4096 Oct  8  2012 /var/log/roundcubemail/


Clicked to initialise the database.


After this, logged in at http://localhost/roundcubemail and everything works as expected with the exception of the logs.

Is that something you'd like to correct here David?
Comment 6 David Walser 2013-04-29 17:46:22 CEST
(In reply to claire robinson from comment #5)
> Is that something you'd like to correct here David?

I'm not the maintainer (Damien is), but no, not at this time.  Since Oden has already pushed this for MBS, I'd really like to get this released.  Also, I imagine these issues probably affect the Mageia 3 package too, and they won't be able to be corrected there until after the release, so it'll be a while (it takes long enough just to get this package updated).  As long as there's no regressions, I'd like to get this out, and then hopefully these other issues can be corrected before the next time we have to update it.
Comment 7 claire robinson 2013-04-29 18:30:04 CEST
Bug 9915 & bug 9916 created.

Testing complete mga2 64
Comment 8 Dave Hodgins 2013-04-30 05:16:53 CEST
Modification to comment 5 for future testers. The db name/password
are in /etc/roundcubemail/db.inc.php

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
roundcubemail-0.7.4-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated roundcubemail package fixes security vulnerability:

A local file inclusion flaw was found in the way Round Cube Webmail performed
validation of the 'generic_message_footer' value provided via web user
interface in certain circumstances. A remote attacker could issue a
specially-crafted request that, when processed by Round Cube Webmail, could
allow an attacker to obtain an arbitrary file on the system, accessible with
the privileges of the user running Round Cube Webmail client (CVE-2013-1904).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1904
http://sourceforge.net/news/?group_id=139281&id=310497
http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.4/
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101623.html

https://bugs.mageia.org/show_bug.cgi?id=9640
Comment 9 Thomas Backlund 2013-05-02 19:17:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0128
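
Added example (not part of the bug report or of the Mageia or Roundcube projects): a shell check that classifies a roundcubemail package against the fixed releases named in the description, 0.7.4 and 0.8.6. The function names and status strings are assumptions of this sketch; branches for which this report names no fixed release are reported as unknown.

```shell
#!/bin/sh
# Added example: classify a roundcubemail package against the fixed
# releases named in this report (0.7.4 and 0.8.6 for CVE-2013-1904).
# Function names and status strings are assumptions of this sketch.

# Extract the upstream version from a name-version-release string,
# e.g. roundcubemail-0.7.3-2.mga2.src.rpm -> 0.7.3
rc_version_of() {
    nvr=${1%.src.rpm}
    nv=${nvr%-*}            # drop the release field
    printf '%s\n' "${nv##*-}"
}

# Print has-fix, needs-update or unknown for an upstream version.
rc_fix_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # not a plain dotted version
    esac
    oldifs=$IFS; IFS=.
    set -- $ver             # split on dots into $1 $2 $3
    IFS=$oldifs
    branch="$1.${2:-0}"
    patch=${3:-0}
    case $branch in
        0.7) fixed=4 ;;     # fix shipped in 0.7.4
        0.8) fixed=6 ;;     # fix shipped in 0.8.6
        *)   echo unknown; return 0 ;;   # no fixed release named for this branch
    esac
    if [ "$patch" -ge "$fixed" ]; then echo has-fix; else echo needs-update; fi
}

rc_package_status() {
    rc_fix_status "$(rc_version_of "$1")"
}

# Packages named in this report, then the installed one if rpm is present.
for pkg in roundcubemail-0.7.3-2.mga2.src.rpm roundcubemail-0.7.4-1.1.mga2; do
    printf '%s: %s\n' "$pkg" "$(rc_package_status "$pkg")"
done
if command -v rpm >/dev/null 2>&1 && rpm -q roundcubemail >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(rc_fix_status "$(rpm -q --qf '%{VERSION}' roundcubemail)")"
fi
```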
