On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote: > Thanks for following up for stretch. First a quick comment. Please > always CC t...@security.debian.org on such questions for if an update > is wanted for DSA. This allows team members to better share the load > for review, release, etc ... (and it's recorded furthermore on the team > alias).
Oops, I assumed that the Security Team received all bugs tagged ‘security’ so I omitted the CC on purpose… my bad. > I think we should release this through stretch-security. The debdiff > per se looks already good. Were you able to test the update in > production under stretch? Yes, I did test the update. > There is though one no-dsa issue, > https://security-tracker.debian.org/tracker/CVE-2018-1000071 which > would be good to be included. Could you backport that fix as well and > send a new debdiff for quick review+ack for upload? Sure, new debdiff attached. -- Guilhem.
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-21 01:51:56.000000000 +0200
@@ -1,3 +1,16 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+ * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+ configured, it's possible to exploit the unsanitized, user-controlled
+ "_uid" parameter to perform an MX (IMAP) injection attack.
+ https://github.com/roundcube/roundcubemail/issues/6238
+ (Closes: #895184).
+ * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
+ enigma plugin that can result in exfiltration of gpg private key.
+ https://github.com/roundcube/roundcubemail/issues/6173
+
+ -- Guilhem Moulin <guil...@debian.org> Sat, 21 Apr 2018 01:51:56 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
 * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch 2018-04-21 01:51:56.000000000 +0200
@@ -0,0 +1,74 @@
+commit 48417c5fc9f6eb4b90500c09596606d489c700b5
+Author: Aleksander Machniak <a...@alec.pl>
+Date: Sun Mar 4 09:14:43 2018 +0100
+
+ Remove default for enigma_pgp_homedir (#6173)
+
+ To make the default installation more secure force users to set the folder.
+ Added notes that it should be secured or not accessible from the web browser.
+
+---
+ plugins/enigma/README | 15 +++++++++++++--
+ plugins/enigma/config.inc.php.dist | 4 ++--
+ plugins/enigma/home/.htaccess | 7 -------
+ plugins/enigma/lib/enigma_driver_gnupg.php | 2 +-
+ 4 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/plugins/enigma/config.inc.php.dist
++++ b/plugins/enigma/config.inc.php.dist
+@@ -12,8 +12,8 @@ $config['enigma_smime_driver'] = 'phpssl
+ // Enables logging of enigma operations (including Crypt_GPG debug info)
+ $config['enigma_debug'] = false;
+
+-// Keys directory for all users. Default 'enigma/home'.
+-// Must be writeable by PHP process
++// REQUIRED! Keys directory for all users.
++// Must be writeable by PHP process, and not in the web server document root
+ $config['enigma_pgp_homedir'] = null;
+
+ // Location of gpg binary. By default it will be auto-detected.
+--- a/plugins/enigma/home/.htaccess
++++ /dev/null
+@@ -1,7 +0,0 @@
+-# deny webserver access to this directory
+-<ifModule mod_authz_core.c>
+- Require all denied
+-</ifModule>
+-<ifModule !mod_authz_core.c>
+- Deny from all
+-</ifModule>
+--- a/plugins/enigma/lib/enigma_driver_gnupg.php
++++ b/plugins/enigma/lib/enigma_driver_gnupg.php
+@@ -39,7 +39,7 @@ class enigma_driver_gnupg extends enigma
+ */
+ function init()
+ {
+- $homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH . 'plugins/enigma/home');
++ $homedir = $this->rc->config->get('enigma_pgp_homedir');
+ $debug = $this->rc->config->get('enigma_debug');
+ $binary = $this->rc->config->get('enigma_pgp_binary');
+ $agent = $this->rc->config->get('enigma_pgp_agent');
+--- a/plugins/enigma/README
++++ b/plugins/enigma/README
+@@ -21,8 +21,19 @@ Implemented features:
+ + Attaching public keys to email
+
+
+-TODO:
+------
++INSTALLATION
++------------
++
++1. Rename config.inc.php.dist to config.inc.php.
++2. Create a directory for keys storage that is writeable for the PHP process.
++ This directory should be out of the document root, so it is not accessible
++ from the web browser. Set it's location in $config['enigma_pgp_homedir'].
++3. Make sure GnuPG is installed.
++
++
++TODO
++----
++
+ - Handling of big messages with temp files
+ - Key info in contact details page (optional)
+ - Extended key management:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 2018-04-21 01:51:56.000000000 +0200
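Review bot: The new `$homedir = $this->rc->config->get('enigma_pgp_homedir');` in `init()` has no fallback any more, so on a stretch system whose config never set the option (the shipped `config.inc.php.dist` leaves it `null`) the value is now `null`; `init()` continues past the end of the hunk, so please confirm in the stretch source that an empty `$homedir` is rejected with an `enigma_error` rather than handed to Crypt_GPG as an empty home directory. The patch also deletes `plugins/enigma/home/.htaccess`, but the debdiff does nothing for installations that upgraded from +deb9u1 and still keep keyrings in that former default directory: after the upgrade the deny rule is gone while the keys may still be there, which is exactly the exposure the changelog describes for CVE-2018-1000071. A `debian/NEWS` entry (or a sentence in the changelog stanza) telling administrators to move the keyring directory outside the document root and set `$config['enigma_pgp_homedir']` before re-enabling the plugin would close that gap. Whether the Debian package actually ships the plugin under a web-reachable path is not visible here, so treat this as something to verify rather than a confirmed regression.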
@@ -0,0 +1,84 @@
+---
+ plugins/archive/archive.php | 6 ++++--
+ plugins/managesieve/managesieve.php | 4 ++--
+ plugins/markasjunk/markasjunk.php | 9 ++++++---
+ program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_imap_generic.php
++++ b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3836,13 +3836,13 @@ class rcube_imap_generic
+
+ if (!is_array($messages)) {
+ // if less than 255 bytes long, let's not bother
+- if (!$force && strlen($messages)<255) {
+- return $messages;
++ if (!$force && strlen($messages) < 255) {
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // see if it's already been compressed
+ if (strpos($messages, ':') !== false) {
+- return $messages;
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // separate, then sort
+@@ -3877,7 +3877,9 @@ class rcube_imap_generic
+ }
+
+ // return as comma separated string
+- return implode(',', $result);
++ $result = implode(',', $result);
++
++ return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
+ }
+
+ /**
+--- a/plugins/archive/archive.php
++++ b/plugins/archive/archive.php
+@@ -122,8 +122,10 @@ class archive extends rcube_plugin
+ $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
+ $messageset = array($current_mbox => $index->get());
+ }
+- else {
+- $messageset = rcmail::get_uids();
++ else if (!empty($uids)) {
++ $messageset = rcmail::get_uids($uids, $current_mbox);
++ } else {
++ $messageset = array();
+ }
+
+ foreach ($messageset as $mbox => $uids) {
+--- a/plugins/managesieve/managesieve.php
++++ b/plugins/managesieve/managesieve.php
+@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
+ function managesieve_actions()
+ {
+ // handle fetching email headers for the new filter form
+- if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+- $uids = rcmail::get_uids();
++ if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
++ $uids = rcmail::get_uids($_uid);
+ $mailbox = key($uids);
+ $message = new rcube_message($uids[$mailbox][0], $mailbox);
+ $headers = $this->parse_headers($message->headers);
+--- a/plugins/markasjunk/markasjunk.php
++++ b/plugins/markasjunk/markasjunk.php
+@@ -62,10 +62,13 @@ class markasjunk extends rcube_plugin
+
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
++ $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
+
+- foreach (rcmail::get_uids() as $mbox => $uids) {
+- $storage->unset_flag($uids, 'NONJUNK', $mbox);
+- $storage->set_flag($uids, 'JUNK', $mbox);
++ if (!empty($uids)) {
++ foreach (rcmail::get_uids($uids) as $mbox => $uids) {
++ $storage->unset_flag($uids, 'NONJUNK', $mbox);
++ $storage->set_flag($uids, 'JUNK', $mbox);
++ }
+ }
+
+ if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2017-11-09 06:45:05.000000000 +0100
+++ 
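Review bot: The three guards added to `compressMessageSet` disagree on the accepted character set: the two early returns tolerate `*` (`/[^0-9:,*]/`) while the final `return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;` rejects it, and nothing in the hunk says why; if the asymmetry is intentional (a `*` set only makes sense before the sort path), a one-line comment above the last return such as `// '*' is only accepted in the uncompressed forms above; the sorted result must be purely numeric` will keep a later backport from "harmonising" it. The `'INVALID'` sentinel is spliced by callers outside this hunk straight into the IMAP command line, where it should make the server reject the command instead of executing a second one; that contract is implicit, so a comment at the first check — e.g. `// CVE-2018-9846: reject anything that is not a plain UID/sequence set; 'INVALID' is never a valid set, so the server refuses the command` — would document it. In `markasjunk.php` the new `foreach (rcmail::get_uids($uids) as $mbox => $uids)` reuses `$uids` as the loop variable and overwrites the POST value it was just initialised from; `managesieve.php` in the same patch names the raw value `$_uid`, and the same name here would keep the two meanings apart. The `archive.php` change `else if (!empty($uids))` relies on `$uids` being assigned earlier in the function, which this debdiff does not show — presumably the `_uid` POST value, but confirm it in the stretch source. This patch file also carries no DEP-3 header, unlike the CVE-2018-1000071 patch which at least keeps the upstream commit line; an `Origin:` line naming the upstream commit and `Bug: https://github.com/roundcube/roundcubemail/issues/6238` would let the next maintainer trace it.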
roundcube-1.2.3+dfsg.1/debian/patches/series 2018-04-21 01:51:56.000000000 +0200
@@ -13,3 +13,5 @@
 CVE-2017-6820.patch
 CVE-2017-8114.patch
 CVE-2017-16651.patch
+CVE-2018-9846.patch
+CVE-2018-1000071.patch