Hi!
Due to CVE-2008-5620, a new upload of roundcube is currently sitting in
unstable. Here is the changelog:
roundcube (0.1.1-10) unstable; urgency=high

  * Fix a vulnerability in quota image generation. This fixes
    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add description to all patches.
  * Add missing ${misc:Depends} to debian/control.
  * Add missing dependency on php5-gd, used for quota bar.

 -- Vincent Bernat <bernat@debian.org>  Tue, 23 Dec 2008 20:52:39 +0100

The diffstat:
changelog | 10 ++++++
control | 10 +++---
control.in | 10 +++---
patches/correct-magic-path.patch | 2 +
patches/correct_install_path.patch | 2 +
patches/cve-2008-5620.patch | 45 +++++++++++++++++++++++++++++
patches/dbconfig-common_support.patch | 2 +
patches/disable-tinymce-spellchecker.patch | 2 +
patches/dont-use-preg-e-option.patch | 2 +
patches/messageid-headers-ordering.patch | 2 +
patches/mysql-update-fix.patch | 2 +
patches/series | 1
patches/use-db-backend.patch | 2 +
patches/use_packaged_tinymce.patch | 2 +
And I attach the real diff.
Index: debian/control
===================================================================
--- debian/control (.../0.1.1-9) (révision 189)
+++ debian/control (.../0.1.1-10) (révision 189)
@@ -11,7 +11,7 @@
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
@@ -27,7 +27,7 @@
Package: roundcube
Architecture: all
-Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version})
+Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends}
Description: skinnable AJAX based webmail solution for IMAP servers
RoundCube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality
@@ -40,7 +40,7 @@
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client
+Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
@@ -50,7 +50,7 @@
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client
+Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
@@ -60,7 +60,7 @@
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite
+Depends: php5-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
Index: debian/control.in
===================================================================
--- debian/control.in (.../0.1.1-9) (révision 189)
+++ debian/control.in (.../0.1.1-10) (révision 189)
@@ -11,7 +11,7 @@
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
@@ -27,7 +27,7 @@
Package: roundcube
Architecture: all
-Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version})
+Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends}
Description: skinnable AJAX based webmail solution for IMAP servers
RoundCube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality
@@ -40,7 +40,7 @@
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client
+Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
@@ -50,7 +50,7 @@
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client
+Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
@@ -60,7 +60,7 @@
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite
+Depends: php5-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
Index: debian/patches/dont-use-preg-e-option.patch
===================================================================
--- debian/patches/dont-use-preg-e-option.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/dont-use-preg-e-option.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Fix a vulnerability due to the use of "e" option of preg_replace.
+
--- roundcube/program/lib/html2text.inc 2008-04-12 15:54:45.000000000 +0200
+++ roundcube/program/lib/html2text.inc 2008-12-13 14:21:44.000000000 +0100
@@ -99,6 +99,22 @@
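Review bot: The added description line names the cause (the "e" option of preg_replace) but carries no bug number or advisory reference, unlike the description added to cve-2008-5620.patch, which names the CVE. Add the matching reference to this line so the patch can be traced to its report without going through the changelog.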
Index: debian/patches/messageid-headers-ordering.patch
===================================================================
--- debian/patches/messageid-headers-ordering.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/messageid-headers-ordering.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Fix ordering of Message-ID headers to avoid to be reported as spam.
+
--- roundcubemail/program/steps/mail/sendmail.inc (revision 1232)
+++ roundcubemail/program/steps/mail/sendmail.inc (revision 1261)
@@ -211,7 +211,4 @@
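Review bot: Wording nit in the added description line: "to avoid to be reported as spam" should read "to avoid being reported as spam". It would also help to say which ordering the patch enforces, since the description is the only summary a reader gets before the sendmail.inc hunk.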
Index: debian/patches/correct_install_path.patch
===================================================================
--- debian/patches/correct_install_path.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/correct_install_path.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Install path is /var/lib/roundcube for Debian. Don't try to guess it.
+
--- roundcubemail-0.1~rc1~dfsg.orig/index.php~ 2007-05-18 15:11:22.000000000 +0200
+++ roundcubemail-0.1~rc1~dfsg.orig/index.php 2007-05-20 14:12:35.000000000 +0200
@@ -47,7 +47,7 @@
Index: debian/patches/use_packaged_tinymce.patch
===================================================================
--- debian/patches/use_packaged_tinymce.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/use_packaged_tinymce.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Use tinymce from tinycme package instead of the shipped one.
+
Index: roundcube-0.1~rc2/program/steps/mail/sendmail.inc
===================================================================
--- roundcube-0.1~rc2.orig/program/steps/mail/sendmail.inc 2007-11-26 11:42:36.000000000 +0100
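Review bot: Typo in the added description line: "tinycme package" should be "tinymce package", matching the package name used in the Depends line of debian/control (tinymce2 | tinymce).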
Index: debian/patches/use-db-backend.patch
===================================================================
--- debian/patches/use-db-backend.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/use-db-backend.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Use db backend since mdb2 is not yet available in Debian.
+
--- roundcubemail-0.1-dep/config/db.inc.php.dist~ 2008-03-03 22:32:15.000000000 +0100
+++ roundcubemail-0.1-dep/config/db.inc.php.dist 2008-03-05 21:07:28.000000000 +0100
@@ -27,7 +27,7 @@
Index: debian/patches/correct-magic-path.patch
===================================================================
--- debian/patches/correct-magic-path.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/correct-magic-path.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+On Debian, the magic file is in /usr/share/file/magic.
+
--- roundcube-0.1/config/main.inc.php.dist~ 2008-02-21 11:27:19.000000000 +0100
+++ roundcube-0.1/config/main.inc.php.dist 2008-03-06 14:04:53.000000000 +0100
@@ -277,7 +277,7 @@
Index: debian/patches/mysql-update-fix.patch
===================================================================
--- debian/patches/mysql-update-fix.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/mysql-update-fix.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Fix a typo in MySQL update file.
+
--- roundcubemail-0.1.1-dep/SQL/mysql.update.sql~ 2008-04-05 14:49:21.000000000 +0200
+++ roundcubemail-0.1.1-dep/SQL/mysql.update.sql 2008-04-05 18:09:10.000000000 +0200
@@ -5,7 +5,7 @@
Index: debian/patches/disable-tinymce-spellchecker.patch
===================================================================
--- debian/patches/disable-tinymce-spellchecker.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/disable-tinymce-spellchecker.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+Don't use tinymce spellchecker, this plugin is not available in Debian package.
+
--- roundcube-0.1/program/js/editor.js~ 2008-02-13 04:31:05.000000000 +0100
+++ roundcube-0.1/program/js/editor.js 2008-03-07 09:53:39.000000000 +0100
@@ -21,7 +21,7 @@
Index: debian/patches/series
===================================================================
--- debian/patches/series (.../0.1.1-9) (révision 189)
+++ debian/patches/series (.../0.1.1-10) (révision 189)
@@ -7,3 +7,4 @@
mysql-update-fix.patch
messageid-headers-ordering.patch
dont-use-preg-e-option.patch
+cve-2008-5620.patch
Index: debian/patches/dbconfig-common_support.patch
===================================================================
--- debian/patches/dbconfig-common_support.patch (.../0.1.1-9) (révision 189)
+++ debian/patches/dbconfig-common_support.patch (.../0.1.1-10) (révision 189)
@@ -1,3 +1,5 @@
+The default db.inc.php is modified to adapt it to the use of dbconfig-common package.
+
--- roundcube_0.1~beta2.2/config/db.inc.php.dist 2006-03-20 23:08:51.000000000 +0100
+++ roundcube_0.1~beta2.2/config/db.inc.php.dist 2007-03-13 14:33:38.000000000 +0100
@@ -14,13 +14,20 @@
Index: debian/patches/cve-2008-5620.patch
===================================================================
--- debian/patches/cve-2008-5620.patch (.../0.1.1-9) (révision 0)
+++ debian/patches/cve-2008-5620.patch (.../0.1.1-10) (révision 189)
@@ -0,0 +1,45 @@
+Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
+
+diff --git a/bin/quotaimg.php b/bin/quotaimg.php
+index 354f4eb..4e73c21 100644
+--- a/bin/quotaimg.php
++++ b/bin/quotaimg.php
+@@ -18,10 +18,10 @@
+
+ */
+
+-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
+-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
+-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
+-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
++$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
+
+ /**
+ * Quota display
+@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
+ }
+
+ $quota_width = $quota / 100 * $width;
+- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
++ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
+
+ $string = $quota . '%';
+ $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
+@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
+ imagedestroy($im);
+ }
+
+-genQuota($used, $quota, $width, $height);
++if ($width > 1 && $height > 1) {
++ genQuota($used, $quota, $width, $height);
++}
++else {
++ header("HTTP/1.0 404 Not Found");
++}
++
+ exit;
+ ?>
+\ No newline at end of file
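Review bot: In the first quotaimg.php hunk only `w` and `h` are bounded (capped by min(300, ...) and min(50, ...), and rejected further down by `$width > 1 && $height > 1`), while `u` and `q` pass through intval() with no range check, so negative values and q=0 still reach genQuota(); the visible lines do not show how genQuota() handles them. Consider clamping `$used` and `$quota` to non-negative values at the same place, and applying the lower bound for `$width`/`$height` there too (for example with max()) so all validation sits next to the parsing instead of being split between the top of the file and the final call. Note also the behaviour change from dropping the !empty() test: an empty `u=` or `q=` now yields 0 where it previously yielded '??'. If that is intended, say so in the patch description. The caps 300 and 50 are unexplained magic numbers and deserve a one-line comment, and for out-of-range dimensions a 400 status would describe the failure more accurately than "HTTP/1.0 404 Not Found".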
Index: debian/changelog
===================================================================
--- debian/changelog (.../0.1.1-9) (révision 189)
+++ debian/changelog (.../0.1.1-10) (révision 189)
@@ -1,3 +1,13 @@
+roundcube (0.1.1-10) unstable; urgency=high
+
+ * Fix a vulnerability in quota image generation. This fixes
+ CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
+ * Add description to all patches.
+ * Add missing ${misc:Depends} to debian/control.
+ * Add missing dependency on php5-gd, used for quota bar.
+
+ -- Vincent Bernat <bernat@debian.org> Tue, 23 Dec 2008 20:52:39 +0100
+
roundcube (0.1.1-9) unstable; urgency=high
* Fix a vulnerability in preg_replace() use. Thanks to Andreas
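Review bot: The 0.1.1-10 entry is uploaded with urgency=high for the CVE-2008-5620 fix but also bundles changes that are not part of that fix ("Add description to all patches", "Add missing ${misc:Depends}"), which makes the diff to review touch ten extra patch files and every binary package stanza. The php5-gd dependency is justified in the entry by the quota bar; the other two would be easier to review in a separate upload, or the entry should state that they change no shipped code.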
Thanks.
--
panic("aha1740.c"); /* Goodbye */
2.2.16 /usr/src/linux/drivers/scsi/aha1740.c