Your message dated Tue, 23 Dec 2008 20:47:12 +0000
with message-id <e1lfe9o-0003sk...@ries.debian.org>
and subject line Bug#509596: fixed in roundcube 0.1.1-10
has caused the Debian Bug report #509596,
regarding roundcube: CVE-2008-5620 massive memory consumption via crafted image
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
509596: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.
CVE-2008-5620[0]:
| RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
| attackers to cause a denial of service (memory consumption) via
| crafted size parameters that are used to create a large quota image.
Attached is a patch I extracted from the bundled upstream
patch on http://sourceforge.net/forum/forum.php?forum_id=898542
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5620
http://security-tracker.debian.net/tracker/CVE-2008-5620
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- quotaimg.php.old 2008-12-23 18:06:58.000000000 +0100
+++ quotaimg.php 2008-12-16 18:21:30.000000000 +0100
@@ -14,14 +14,14 @@
| Author: Brett Patterson <bre...@umbc.edu> |
+-----------------------------------------------------------------------+
- $Id: $
+ $Id$
*/
-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
+$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
+$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
+$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
+$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
/**
* Quota display
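Review bot: the new `min(300, intval($_GET['w']))` and `min(50, intval($_GET['h']))` lines bound only the upper end; a negative or non-numeric `w`/`h` still produces a negative or zero dimension here and is rejected only by the `$width > 1 && $height > 1` check added at the bottom of the file. Clamping both ends where the parameters are parsed, e.g. `max(2, min(300, intval($_GET['w'])))`, would keep the validation in one place and make the later guard redundant. Note also that `empty()` treats `w=0` as absent and silently substitutes the default instead of rejecting the request, which is worth stating in the patch description.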
@@ -96,12 +96,11 @@
// @todo: Set to "??" instead?
if (ereg("^[^0-9?]*$", $used) || ereg("^[^0-9?]*$", $total)) {
return false;
- }
+ }
- if (strpos($used, '?') !== false || strpos($total, '?') !== false
- && $used != 0) {
+ if (strpos($used, '?') !== false || strpos($total, '?') !== false && $used != 0) {
$unknown = true;
- }
+ }
$im = imagecreate($width, $height);
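Review bot: the re-joined condition `strpos($used, '?') !== false || strpos($total, '?') !== false && $used != 0` mixes `||` and `&&` without parentheses, so `&&` binds tighter and `$used != 0` only qualifies the `$total` test; if that is the intent, parentheses would make it explicit, and if not, the reformat preserves a latent logic bug. The two `}` replacements in this hunk are whitespace-only and add noise to a security patch; dropping them would leave the hunk carrying just the behavioural change.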
@@ -153,31 +152,37 @@
list($r, $g, $b) = explode(',', $color['fill']['mid']);
$fill = imagecolorallocate($im, $r, $g, $b);
} else {
- // if($quota >= $limit['low'])
+ // if($quota >= $limit['low'])
list($r, $g, $b) = explode(',', $color['fill']['low']);
$fill = imagecolorallocate($im, $r, $g, $b);
}
$quota_width = $quota / 100 * $width;
- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
+ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
$string = $quota . '%';
$mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
- // Print percent in black
+ // Print percent in black
imagestring($im, $font, $mid, $padding, $string, $text);
}
header('Content-Type: image/gif');
-
- // @todo is harcoding GMT necessary?
- header('Expires: ' . gmdate('D, d M Y H:i:s', mktime()+86400) . ' GMT');
- header('Cache-Control: ');
- header('Pragma: ');
+
+ // cache for 1 hour
+ $maxage = 3600;
+ header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$maxage). ' GMT');
+ header('Cache-Control: max-age=' . $maxage);
imagegif($im);
imagedestroy($im);
}
-genQuota($used, $quota, $width, $height);
+if ($width > 1 && $height > 1) {
+ genQuota($used, $quota, $width, $height);
+}
+else {
+ header("HTTP/1.0 404 Not Found");
+}
+
exit;
-?>
\ No newline at end of file
+?>
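Review bot: the new guard answers `HTTP/1.0 404 Not Found` for out-of-range dimensions, but the script does exist; a `400 Bad Request` describes a rejected parameter more accurately and keeps 404s in the access log meaningful for operators. The hard-coded `HTTP/1.0` also ignores the negotiated protocol; `header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request')` avoids that. Separately, this hunk bundles two unrelated changes with the security fix, the `$quota` to `$quota_width` correction in `imagefilledrectangle()` and the switch to `Cache-Control: max-age`; both should be called out in the changelog so downstream reviewers can see the behavioural differences.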
--- End Message ---
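As an added defender-side example (not part of the bug report or the roundcube package), the following Python script triages web-server access logs for requests to quotaimg.php whose `w`/`h` parameters fall outside the bounds the 0.1.1-10 patch enforces. The Common Log Format layout, the `/roundcube/bin/` URL path and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Bounds the 0.1.1-10 patch enforces: min(300, w), min(50, h), then the
# `$width > 1 && $height > 1` guard before genQuota() runs.
MAX_W, MAX_H, MIN_DIM = 300, 50, 2

# Common Log Format request line; the access-log layout is an assumption.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def php_intval(value):
    """Approximate PHP intval() on a string: leading integer, else 0."""
    m = re.match(r'^\s*[+-]?\d+', value)
    return int(m.group(0)) if m else 0

def effective_dims(qs):
    """Resolve w/h as quotaimg.php does: empty() ("" or "0") -> default."""
    w_raw, h_raw = qs.get('w', [''])[0], qs.get('h', [''])[0]
    w = 100 if w_raw in ('', '0') else php_intval(w_raw)
    h = 14 if h_raw in ('', '0') else php_intval(h_raw)
    return w, h

def classify_request(target):
    """Return 'oversized', 'invalid' or None for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith('quotaimg.php'):
        return None
    w, h = effective_dims(parse_qs(parts.query, keep_blank_values=True))
    if w > MAX_W or h > MAX_H:
        return 'oversized'   # unpatched code would allocate this image
    if w < MIN_DIM or h < MIN_DIM:
        return 'invalid'     # patched code answers 404 here
    return None

def flag_log_lines(lines):
    """Return (client, reason, target) for every out-of-bounds request."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify_request(m.group(2))):
            flagged.append((m.group(1), reason, m.group(2)))
    return flagged

# Constructed sample lines (not from the bug report); the URL path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Dec/2008:18:21:30 +0100] "GET /roundcube/bin/quotaimg.php?u=40&q=40&w=100&h=14 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Dec/2008:18:22:01 +0100] "GET /roundcube/bin/quotaimg.php?u=40&q=40&w=30000&h=30000 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [23/Dec/2008:18:22:02 +0100] "GET /roundcube/bin/quotaimg.php?u=40&q=40&w=-5&h=abc HTTP/1.1" 404 0',
    '198.51.100.7 - - [23/Dec/2008:18:23:00 +0100] "GET /roundcube/index.php HTTP/1.1" 200 1234',
]
```

Running `flag_log_lines(SAMPLE_LOG)` reports the second and third sample requests; on a patched server the first is the only one that should ever produce an image of the requested size.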
--- Begin Message ---
Source: roundcube
Source-Version: 0.1.1-10
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:
roundcube-core_0.1.1-10_all.deb
to pool/main/r/roundcube/roundcube-core_0.1.1-10_all.deb
roundcube-mysql_0.1.1-10_all.deb
to pool/main/r/roundcube/roundcube-mysql_0.1.1-10_all.deb
roundcube-pgsql_0.1.1-10_all.deb
to pool/main/r/roundcube/roundcube-pgsql_0.1.1-10_all.deb
roundcube-sqlite_0.1.1-10_all.deb
to pool/main/r/roundcube/roundcube-sqlite_0.1.1-10_all.deb
roundcube_0.1.1-10.diff.gz
to pool/main/r/roundcube/roundcube_0.1.1-10.diff.gz
roundcube_0.1.1-10.dsc
to pool/main/r/roundcube/roundcube_0.1.1-10.dsc
roundcube_0.1.1-10_all.deb
to pool/main/r/roundcube/roundcube_0.1.1-10_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 509...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <ber...@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 23 Dec 2008 20:52:39 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.1.1-10
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Vincent Bernat <ber...@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 509596
Changes:
roundcube (0.1.1-10) unstable; urgency=high
.
* Fix a vulnerability in quota image generation. This fixes
CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
* Add description to all patches.
* Add missing ${misc:Depends} to debian/control.
* Add missing dependency on php5-gd, used for quota bar.
--- End Message ---