Hi!

Due to CVE-2008-5620, a new upload of roundcube is currently sitting in unstable. Here is the changelog:

roundcube (0.1.1-10) unstable; urgency=high

  * Fix a vulnerability in quota image generation. This fixes
    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add description to all patches.
  * Add missing ${misc:Depends} to debian/control.
  * Add missing dependency on php5-gd, used for quota bar.

 -- Vincent Bernat <bernat@debian.org>  Tue, 23 Dec 2008 20:52:39 +0100

The diffstat:

 changelog                                  | 10 ++++++
 control                                    | 10 +++---
 control.in                                 | 10 +++---
 patches/correct-magic-path.patch           | 2 +
 patches/correct_install_path.patch         | 2 +
 patches/cve-2008-5620.patch                | 45 +++++++++++++++++++++++++++++
 patches/dbconfig-common_support.patch      | 2 +
 patches/disable-tinymce-spellchecker.patch | 2 +
 patches/dont-use-preg-e-option.patch       | 2 +
 patches/messageid-headers-ordering.patch   | 2 +
 patches/mysql-update-fix.patch             | 2 +
 patches/series                             | 1
 patches/use-db-backend.patch               | 2 +
 patches/use_packaged_tinymce.patch         | 2 +

And I attach the real diff.
Index: debian/control =================================================================== --- debian/control (.../0.1.1-9) (révision 189) +++ debian/control (.../0.1.1-10) (révision 189) @@ -11,7 +11,7 @@ Package: roundcube-core Architecture: all -Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1 +Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1 Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers @@ -27,7 +27,7 @@ Package: roundcube Architecture: all -Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}) +Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends} Description: skinnable AJAX based webmail solution for IMAP servers RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality @@ -40,7 +40,7 @@ Package: roundcube-mysql Architecture: all -Depends: php5-mysql, mysql-client | virtual-mysql-client +Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends} Suggests: mysql-server Provides: roundcube-db Description: metapackage providing MySQL dependencies for RoundCube @@ -50,7 +50,7 @@ Package: roundcube-pgsql Architecture: all -Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client +Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends} Suggests: postgresql-server Provides: roundcube-db Description: metapackage providing PostgreSQL dependencies for RoundCube 
@@ -60,7 +60,7 @@ Package: roundcube-sqlite Architecture: all -Depends: php5-sqlite, sqlite +Depends: php5-sqlite, sqlite, ${misc:Depends} Provides: roundcube-db Description: metapackage providing sqlite dependencies for RoundCube This package provides sqlite dependencies for RoundCube Webmail, a Index: debian/control.in =================================================================== --- debian/control.in (.../0.1.1-9) (révision 189) +++ debian/control.in (.../0.1.1-10) (révision 189) @@ -11,7 +11,7 @@ Package: roundcube-core Architecture: all -Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1 +Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce2 | tinymce (<< 3), ${misc:Depends}, libmagic1 Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers @@ -27,7 +27,7 @@ Package: roundcube Architecture: all -Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}) +Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends} Description: skinnable AJAX based webmail solution for IMAP servers RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality @@ -40,7 +40,7 @@ Package: roundcube-mysql Architecture: all -Depends: php5-mysql, mysql-client | virtual-mysql-client +Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends} Suggests: mysql-server Provides: roundcube-db Description: metapackage providing MySQL dependencies for RoundCube 
@@ -50,7 +50,7 @@ Package: roundcube-pgsql Architecture: all -Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client +Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends} Suggests: postgresql-server Provides: roundcube-db Description: metapackage providing PostgreSQL dependencies for RoundCube @@ -60,7 +60,7 @@ Package: roundcube-sqlite Architecture: all -Depends: php5-sqlite, sqlite +Depends: php5-sqlite, sqlite, ${misc:Depends} Provides: roundcube-db Description: metapackage providing sqlite dependencies for RoundCube This package provides sqlite dependencies for RoundCube Webmail, a Index: debian/patches/dont-use-preg-e-option.patch =================================================================== --- debian/patches/dont-use-preg-e-option.patch (.../0.1.1-9) (révision 189) +++ debian/patches/dont-use-preg-e-option.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Fix a vulnerability due to the use of "e" option of preg_replace. + --- roundcube/program/lib/html2text.inc 2008-04-12 15:54:45.000000000 +0200 +++ roundcube/program/lib/html2text.inc 2008-12-13 14:21:44.000000000 +0100 @@ -99,6 +99,22 @@ Index: debian/patches/messageid-headers-ordering.patch =================================================================== --- debian/patches/messageid-headers-ordering.patch (.../0.1.1-9) (révision 189) +++ debian/patches/messageid-headers-ordering.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Fix ordering of Message-ID headers to avoid to be reported as spam. + --- roundcubemail/program/steps/mail/sendmail.inc (revision 1232) +++ roundcubemail/program/steps/mail/sendmail.inc (revision 1261) @@ -211,7 +211,4 @@ Index: debian/patches/correct_install_path.patch =================================================================== --- debian/patches/correct_install_path.patch (.../0.1.1-9) (révision 189) +++ debian/patches/correct_install_path.patch (.../0.1.1-10) (révision 189) 
@@ -1,3 +1,5 @@ +Install path is /var/lib/roundcube for Debian. Don't try to guess it. + --- roundcubemail-0.1~rc1~dfsg.orig/index.php~ 2007-05-18 15:11:22.000000000 +0200 +++ roundcubemail-0.1~rc1~dfsg.orig/index.php 2007-05-20 14:12:35.000000000 +0200 @@ -47,7 +47,7 @@ Index: debian/patches/use_packaged_tinymce.patch =================================================================== --- debian/patches/use_packaged_tinymce.patch (.../0.1.1-9) (révision 189) +++ debian/patches/use_packaged_tinymce.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Use tinymce from tinycme package instead of the shipped one. + Index: roundcube-0.1~rc2/program/steps/mail/sendmail.inc =================================================================== --- roundcube-0.1~rc2.orig/program/steps/mail/sendmail.inc 2007-11-26 11:42:36.000000000 +0100 Index: debian/patches/use-db-backend.patch =================================================================== --- debian/patches/use-db-backend.patch (.../0.1.1-9) (révision 189) +++ debian/patches/use-db-backend.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Use db backend since mdb2 is not yet available in Debian. + --- roundcubemail-0.1-dep/config/db.inc.php.dist~ 2008-03-03 22:32:15.000000000 +0100 +++ roundcubemail-0.1-dep/config/db.inc.php.dist 2008-03-05 21:07:28.000000000 +0100 @@ -27,7 +27,7 @@ Index: debian/patches/correct-magic-path.patch =================================================================== --- debian/patches/correct-magic-path.patch (.../0.1.1-9) (révision 189) +++ debian/patches/correct-magic-path.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +On Debian, the magic file is in /usr/share/file/magic. + --- roundcube-0.1/config/main.inc.php.dist~ 2008-02-21 11:27:19.000000000 +0100 +++ roundcube-0.1/config/main.inc.php.dist 2008-03-06 14:04:53.000000000 +0100 
@@ -277,7 +277,7 @@ Index: debian/patches/mysql-update-fix.patch =================================================================== --- debian/patches/mysql-update-fix.patch (.../0.1.1-9) (révision 189) +++ debian/patches/mysql-update-fix.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Fix a typo in MySQL update file. + --- roundcubemail-0.1.1-dep/SQL/mysql.update.sql~ 2008-04-05 14:49:21.000000000 +0200 +++ roundcubemail-0.1.1-dep/SQL/mysql.update.sql 2008-04-05 18:09:10.000000000 +0200 @@ -5,7 +5,7 @@ Index: debian/patches/disable-tinymce-spellchecker.patch =================================================================== --- debian/patches/disable-tinymce-spellchecker.patch (.../0.1.1-9) (révision 189) +++ debian/patches/disable-tinymce-spellchecker.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +Don't use tinymce spellchecker, this plugin is not available in Debian package. + --- roundcube-0.1/program/js/editor.js~ 2008-02-13 04:31:05.000000000 +0100 +++ roundcube-0.1/program/js/editor.js 2008-03-07 09:53:39.000000000 +0100 @@ -21,7 +21,7 @@ Index: debian/patches/series =================================================================== --- debian/patches/series (.../0.1.1-9) (révision 189) +++ debian/patches/series (.../0.1.1-10) (révision 189) @@ -7,3 +7,4 @@ mysql-update-fix.patch messageid-headers-ordering.patch dont-use-preg-e-option.patch +cve-2008-5620.patch Index: debian/patches/dbconfig-common_support.patch =================================================================== --- debian/patches/dbconfig-common_support.patch (.../0.1.1-9) (révision 189) +++ debian/patches/dbconfig-common_support.patch (.../0.1.1-10) (révision 189) @@ -1,3 +1,5 @@ +The default db.inc.php is modified to adapt it to the use of dbconfig-common package. + --- roundcube_0.1~beta2.2/config/db.inc.php.dist 2006-03-20 23:08:51.000000000 +0100 +++ roundcube_0.1~beta2.2/config/db.inc.php.dist 2007-03-13 14:33:38.000000000 +0100 
@@ -14,13 +14,20 @@ Index: debian/patches/cve-2008-5620.patch =================================================================== --- debian/patches/cve-2008-5620.patch (.../0.1.1-9) (révision 0) +++ debian/patches/cve-2008-5620.patch (.../0.1.1-10) (révision 189) @@ -0,0 +1,45 @@ +Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar. + +diff --git a/bin/quotaimg.php b/bin/quotaimg.php +index 354f4eb..4e73c21 100644 +--- a/bin/quotaimg.php ++++ b/bin/quotaimg.php +@@ -18,10 +18,10 @@ + + */ + +-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??'; +-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??'; +-$width = empty($_GET['w']) ? 100 : (int)$_GET['w']; +-$height = empty($_GET['h']) ? 14 : (int)$_GET['h']; ++$used = isset($_GET['u']) ? intval($_GET['u']) : '??'; ++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??'; ++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w'])); ++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h'])); + + /** + * Quota display +@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height) + } + + $quota_width = $quota / 100 * $width; +- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill); ++ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill); + + $string = $quota . '%'; + $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1; +@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height) + imagedestroy($im); + } + +-genQuota($used, $quota, $width, $height); ++if ($width > 1 && $height > 1) { ++ genQuota($used, $quota, $width, $height); ++} ++else { ++ header("HTTP/1.0 404 Not Found"); ++} ++ + exit; + ?> +\ No newline at end of file Index: debian/changelog =================================================================== --- debian/changelog (.../0.1.1-9) (révision 189) +++ debian/changelog (.../0.1.1-10) (révision 189) 
@@ -1,3 +1,13 @@ +roundcube (0.1.1-10) unstable; urgency=high + + * Fix a vulnerability in quota image generation. This fixes + CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596. + * Add description to all patches. + * Add missing ${misc:Depends} to debian/control. + * Add missing dependency on php5-gd, used for quota bar. + + -- Vincent Bernat <bernat@debian.org> Tue, 23 Dec 2008 20:52:39 +0100 + roundcube (0.1.1-9) unstable; urgency=high * Fix a vulnerability in preg_replace() use. Thanks to Andreas
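Review bot: Typo in the description line added to debian/patches/use_packaged_tinymce.patch: "tinycme package" should read "tinymce package". In debian/patches/messageid-headers-ordering.patch, "to avoid to be reported as spam" reads better as "to avoid being reported as spam". These descriptions are the only documentation the patches carry, so they are worth getting right before the upload migrates.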
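Review bot: In the first hunk of bin/quotaimg.php (inside debian/patches/cve-2008-5620.patch), the limits 300 and 50 on $width and $height are bare literals with no comment saying why those values were chosen, and $used and $quota get intval() but no bound at all, so negative or very large values still reach genQuota(). Consider commenting or naming the limits and clamping $used and $quota to a non-negative range. There is also a behaviour change: an empty u= or q= used to fall through to '??' because of the !empty() test, and now becomes 0 because only isset() is checked; if that is intended, say so in the patch description.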
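Review bot: In the genQuota() hunk at line 159 of bin/quotaimg.php, $quota_width is computed as $quota / 100 * $width and handed straight to imagefilledrectangle(); nothing in the visible context keeps $quota at or below 100, so when usage exceeds the quota the filled bar can run past $width. Clamp the value to the drawable width before the call and cast it to an integer, since the division can produce a float.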
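Review bot: The guard added at the end of bin/quotaimg.php answers out-of-range dimensions with header("HTTP/1.0 404 Not Found"), but the script exists and it is the request parameters that are wrong, so 400 Bad Request describes the failure more accurately and is easier to tell apart from a missing file in access logs. The test $width > 1 && $height > 1 is also the only lower bound on these values (the first hunk applies min() only), which deserves a one-line comment so a later edit does not remove it as redundant.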
Thanks.

--
panic("aha1740.c"); /* Goodbye */
        2.2.16 /usr/src/linux/drivers/scsi/aha1740.c