Hi Salvatore, On Sun, 08 Apr 2018 at 10:27:10 +0200, Salvatore Bonaccorso wrote: > The following vulnerability was published for roundcube. > > CVE-2018-9846[0]: > | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin > | enabled and configured, it's possible to exploit the unsanitized, > | user-controlled "_uid" parameter (in an archive.php > | _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to > perform > | an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a > | sequence. NOTE: this is less easily exploitable in 1.3.4 and later > | because of a Same Origin Policy protection mechanism. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
1.2.8 was released yesterday. Attached is a debdiff with the following upstream commits cherry-picked (ignoring changes to CHANGELOG): https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640 https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343 https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70 Should we go via stretch-security, or aim for the next stable point release? -- Guilhem.
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-18 21:00:09.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+ * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+ configured, it's possible to exploit the unsanitized, user-controlled
+ "_uid" parameter to perform an MX (IMAP) injection attack.
+ https://github.com/roundcube/roundcubemail/issues/6238
+ (Closes: #895184).
+
+ -- Guilhem Moulin <guil...@debian.org> Wed, 18 Apr 2018 21:00:09 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
 * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 2018-04-18 21:00:09.000000000 +0200
@@ -0,0 +1,84 @@
+---
+ plugins/archive/archive.php | 6 ++++--
+ plugins/managesieve/managesieve.php | 4 ++--
+ plugins/markasjunk/markasjunk.php | 9 ++++++---
+ program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_imap_generic.php
++++ b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3836,13 +3836,13 @@ class rcube_imap_generic
+
+ if (!is_array($messages)) {
+ // if less than 255 bytes long, let's not bother
+- if (!$force && strlen($messages)<255) {
+- return $messages;
++ if (!$force && strlen($messages) < 255) {
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // see if it's already been compressed
+ if (strpos($messages, ':') !== false) {
+- return $messages;
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // separate, then sort
+@@ -3877,7 +3877,9 @@ class rcube_imap_generic
+ }
+
+ // return as comma separated string
+- return implode(',', $result);
++ $result = implode(',', $result);
++
++ return preg_match('/[^0-9:,]/', $result) ?
'INVALID' : $result;
+ }
+
+ /**
+--- a/plugins/archive/archive.php
++++ b/plugins/archive/archive.php
+@@ -122,8 +122,10 @@ class archive extends rcube_plugin
+ $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
+ $messageset = array($current_mbox => $index->get());
+ }
+- else {
+- $messageset = rcmail::get_uids();
++ else if (!empty($uids)) {
++ $messageset = rcmail::get_uids($uids, $current_mbox);
++ } else {
++ $messageset = array();
+ }
+
+ foreach ($messageset as $mbox => $uids) {
+--- a/plugins/managesieve/managesieve.php
++++ b/plugins/managesieve/managesieve.php
+@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
+ function managesieve_actions()
+ {
+ // handle fetching email headers for the new filter form
+- if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+- $uids = rcmail::get_uids();
++ if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
++ $uids = rcmail::get_uids($_uid);
+ $mailbox = key($uids);
+ $message = new rcube_message($uids[$mailbox][0], $mailbox);
+ $headers = $this->parse_headers($message->headers);
+--- a/plugins/markasjunk/markasjunk.php
++++ b/plugins/markasjunk/markasjunk.php
+@@ -62,10 +62,13 @@ class markasjunk extends rcube_plugin
+
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
++ $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
+
+- foreach (rcmail::get_uids() as $mbox => $uids) {
+- $storage->unset_flag($uids, 'NONJUNK', $mbox);
+- $storage->set_flag($uids, 'JUNK', $mbox);
++ if (!empty($uids)) {
++ foreach (rcmail::get_uids($uids) as $mbox => $uids) {
++ $storage->unset_flag($uids, 'NONJUNK', $mbox);
++ $storage->set_flag($uids, 'JUNK', $mbox);
++ }
+ }
+
+ if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2017-11-09 06:45:05.000000000 +0100
+++ 
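Review bot: The patch header at the top of the hunk carries only the `---` separator and a diffstat, with no DEP-3 fields, so the patch itself does not record which upstream commits it was cherry-picked from or which bugs it addresses; that provenance currently lives only in the cover mail. I would add `Description: Backport fix for CVE-2018-9846 (IMAP command injection via the _uid parameter)`, one `Origin: upstream, <commit URL>` line for each of the four commits listed in the mail, and `Bug: https://github.com/roundcube/roundcubemail/issues/6238` plus `Bug-Debian: https://bugs.debian.org/895184` above the diffstat, so the next stretch update can trace the backport without the list archive. On the code, the validation added to `compressMessageSet` in rcube_imap_generic.php is the actual fix, since every caller's message set passes through it before being serialised into an IMAP command, while the archive, managesieve and markasjunk changes only make those plugins hand the POSTed `_uid` to `rcmail::get_uids()` explicitly; the method's signature and its array branch are outside the hunk. Worth spelling out in the changelog: a set containing anything outside the permitted digit/`:`/`,`/`*` characters is returned as the literal string `'INVALID'` rather than raising, so, assuming callers pass the result straight into the command, a malformed `_uid` presumably now surfaces as a server-side BAD response rather than a client-side error, which matches upstream and is acceptable for a security backport but should not later be read as a regression. The new `else if (!empty($uids))` in archive.php relies on `$uids` being assigned from the request above the hunk, which is not visible here.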
roundcube-1.2.3+dfsg.1/debian/patches/series 2018-04-18 21:00:09.000000000 +0200
@@ -13,3 +13,4 @@
 CVE-2017-6820.patch
 CVE-2017-8114.patch
 CVE-2017-16651.patch
+CVE-2018-9846.patch