tags 727668 + pending thanks Dear Vincent and Romain,
I've prepared an NMU for roundcube (versioned as 0.9.4-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru roundcube-0.9.4/debian/changelog roundcube-0.9.4/debian/changelog
--- roundcube-0.9.4/debian/changelog 2013-09-08 13:53:12.000000000 +0200
+++ roundcube-0.9.4/debian/changelog 2013-10-26 22:07:13.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (0.9.4-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add CVE-2013-6172.patch patch.
+ CVE-2013-6172: An attacker can overwrite configuration settings using
+ user preferences. This can result in random file access and manipulated
+ SQL queries. (Closes: #727668)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 26 Oct 2013 21:47:22 +0200
+
 roundcube (0.9.4-1) unstable; urgency=low
 
 * New upstream version.
diff -Nru roundcube-0.9.4/debian/patches/CVE-2013-6172.patch roundcube-0.9.4/debian/patches/CVE-2013-6172.patch
--- roundcube-0.9.4/debian/patches/CVE-2013-6172.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.9.4/debian/patches/CVE-2013-6172.patch 2013-10-26 22:07:13.000000000 +0200
@@ -0,0 +1,72 @@
+Description: Fix vulnerability in handling _session argument of utils/save-prefs
+ CVE-2013-6172: An attacker can overwrite configuration settings using
+ user preferences. This can result in random file access and manipulated
+ SQL queries.
+Origin: upstream, https://github.com/roundcube/roundcubemail/commit/4109bb26ce.diff
+Bug: http://trac.roundcube.net/ticket/1489382
+Bug-Debian: http://bugs.debian.org/727668
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-10-26
+
+--- a/program/lib/Roundcube/rcube_plugin_api.php
++++ b/program/lib/Roundcube/rcube_plugin_api.php
+@@ -35,8 +35,9 @@
+ public $url = 'plugins/';
+ public $task = '';
+ public $output;
+- public $handlers = array();
+- public $allowed_prefs = array();
++ public $handlers = array();
++ public $allowed_prefs = array();
++ public $allowed_session_prefs = array();
+ 
+ protected $plugins = array();
+ protected $tasks = array();
+--- a/program/steps/utils/save_pref.inc
++++ b/program/steps/utils/save_pref.inc
+@@ -19,16 +19,26 @@
+ +-----------------------------------------------------------------------+
+ */
+ 
+-$name = get_input_value('_name', RCUBE_INPUT_POST);
+-$value = get_input_value('_value', RCUBE_INPUT_POST);
++$name = get_input_value('_name', RCUBE_INPUT_POST);
++$value = get_input_value('_value', RCUBE_INPUT_POST);
++$sessname = get_input_value('_session', RCUBE_INPUT_POST);
++
++// Whitelisted preferences and session variables, others
++ can be added by plugins
+ $whitelist = array(
+ 'preview_pane',
+ 'list_cols',
+ 'collapsed_folders',
+ 'collapsed_abooks',
+ );
++$whitelist_sess = array(
++ 'list_attrib/columns',
++);
++
++$whitelist = array_merge($whitelist, $RCMAIL->plugins->allowed_prefs);
++$whitelist_sess = array_merge($whitelist_sess, $RCMAIL->plugins->allowed_session_prefs);
+ 
+-if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
++if (!in_array($name, $whitelist) || ($sessname && !in_array($sessname, $whitelist_sess))) {
+ raise_error(array('code' => 500, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => sprintf("Hack attempt detected (user: %s)", $RCMAIL->get_user_name())),
+@@ -42,7 +52,7 @@
+ $RCMAIL->user->save_prefs(array($name => $value));
+ 
+ // update also session if requested
+-if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
++if ($sessname) {
+ // Support multidimensional arrays...
+ $vars = explode('/', $sessname);
+ 
+@@ -57,5 +67,3 @@
+ 
+ $OUTPUT->reset();
+ $OUTPUT->send();
+-
+-
diff -Nru roundcube-0.9.4/debian/patches/series roundcube-0.9.4/debian/patches/series
--- roundcube-0.9.4/debian/patches/series 2013-09-08 13:53:12.000000000 +0200
+++ roundcube-0.9.4/debian/patches/series 2013-10-26 22:07:13.000000000 +0200
@@ -7,3 +7,4 @@
 debianize_password_plugin.patch
 use-debian-jquery-ui.patch
 map-sqlite3-to-sqlite.patch
+CVE-2013-6172.patch
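Review bot: The new whitelist gate in save_pref.inc uses loose comparison, since neither `in_array()` call passes the strict flag; that is safe for the literal entries visible here, but both lists are extended at runtime from `$RCMAIL->plugins->allowed_prefs` and `allowed_session_prefs`, so a security check on POST-supplied strings should be `if (!in_array($name, $whitelist, true) || ($sessname && !in_array($sessname, $whitelist_sess, true))) {`. The reject branch is visible only up to the `raise_error(...)` arguments and its remainder lies outside the hunk; the gate protects the later `save_prefs()` call and the session write only if that branch still ends the request, so confirm it returns or exits after logging. Note also that `$sessname &&` is a truthiness test, so a `_session` value of `"0"` skips the session whitelist; that is harmless only because the later `if ($sessname)` skips the session write for the same value, which deserves a comment such as `// a falsy _session (e.g. "0") is never written below, so it is not checked here`.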