On Tue, 23 Dec 2008 18:23:02 +0100, Nico Golde <n...@debian.org> wrote:
> Package: roundcube
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
>
> CVE-2008-5620[0]:
> | RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
> | attackers to cause a denial of service (memory consumption) via
> | crafted size parameters that are used to create a large quota image.
>
> Attached is a patch I extracted from the bundled upstream
> patch on http://sourceforge.net/forum/forum.php?forum_id=898542
Thanks for the patch!
Here is a more minimal one for 0.1.1.
diff --git a/bin/quotaimg.php b/bin/quotaimg.php
index 354f4eb..4e73c21 100644
--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,10 +18,10 @@
*/
-$used = ((isset($_GET['u']) && !empty($_GET['u'])) ||
$_GET['u']=='0')?(int)$_GET['u']:'??';
-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) ||
$_GET['q']=='0')?(int)$_GET['q']:'??';
-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
+$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
+$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
+$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
+$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
/**
* Quota display
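Review bot: the switch from the `empty()`/`=='0'` test to plain `isset()` changes what an empty `u` or `q` yields: the old expression mapped `u=` (empty string) to `'??'`, while `isset($_GET['u']) ? intval($_GET['u']) : '??'` maps it to `0`, so the image will show 0% instead of the unknown marker for that input. If that is intended, fine; otherwise add a `!== ''` check. Separately, `min(300, intval($_GET['w']))` and `min(50, intval($_GET['h']))` bound only the upper end, so zero and negative sizes still pass these lines; wrapping them as `max(1, min(300, intval($_GET['w'])))` would make the clamp self-contained instead of depending on the check at the call site.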
@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
}
$quota_width = $quota / 100 * $width;
- imagefilledrectangle($im, $border, 0, $quota,
$height-2*$border, $fill);
+ imagefilledrectangle($im, $border, 0, $quota_width,
$height-2*$border, $fill);
$string = $quota . '%';
$mid =
floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
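Review bot: passing `$quota_width` instead of the raw percentage `$quota` as the right edge is the correct variable, but `$quota / 100 * $width` is a float and `imagefilledrectangle()` takes integer coordinates, so an explicit `(int) round($quota_width)` would make the truncation deliberate rather than relying on implicit conversion. This is a rendering fix rather than part of the memory-consumption mitigation, so it is worth mentioning separately in the changelog entry.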
@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
imagedestroy($im);
}
-genQuota($used, $quota, $width, $height);
+if ($width > 1 && $height > 1) {
+ genQuota($used, $quota, $width, $height);
+}
+else {
+ header("HTTP/1.0 404 Not Found");
+}
+
exit;
?>
\ No newline at end of file
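Review bot: the guard `$width > 1 && $height > 1` is what actually rejects zero and negative sizes (the `min()` calls earlier in the file only cap the maximum), so it is load-bearing and deserves a one-line comment saying so, otherwise it reads as redundant and may be removed later. On the failure branch, `404 Not Found` describes a missing resource; `400 Bad Request` matches an invalid parameter more closely, although either way the client just sees a broken image. The added blank `+` line before `exit;` can be dropped.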