
Bug#704106: marked as done (unblock: roundcube/0.7.2-9)



Your message dated Thu, 28 Mar 2013 16:08:20 +0000
with message-id <4921ad54ee654f77e022247493a9dfe9@mail.adsl.funky-badger.org>
and subject line Re: Bug#704106: unblock: roundcube/0.7.2-9
has caused the Debian Bug report #704106,
regarding unblock: roundcube/0.7.2-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
704106: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704106
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Please unblock package roundcube

It includes an important security fix. Without it, a logged-in user can
override any variable, which can then be used to steal credentials or
read arbitrary files. I include the debdiff against the version
currently scheduled for Wheezy (0.7.2-8) but not yet in testing.

unblock roundcube/0.7.2-9

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog	2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/changelog	2013-03-27 22:46:28.000000000 +0100
@@ -1,3 +1,11 @@
+roundcube (0.7.2-9) unstable; urgency=high
+
+  * Fix a vulnerability allowing logged users to override any variable
+    which may be used to steal credentials of other users or read
+    arbitrary files.
+
+ -- Vincent Bernat <bernat@debian.org>  Wed, 27 Mar 2013 22:01:25 +0100
+
 roundcube (0.7.2-8) unstable; urgency=low
 
   * In roundcube-core postinst, set appropriate rights on directory
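Review bot: the new changelog entry describes the fix only by its effect ("allowing logged users to override any variable") and gives no upstream reference or advisory id for the save_pref issue, which makes it hard for the security tracker and for users to correlate this upload with the upstream fix. If such a reference exists, add it to the entry as a second bullet line; if none exists yet, say so in the unblock request so the release team knows the fix is Debian-sourced.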
diff -Nru roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch
--- roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch	2013-03-27 22:46:28.000000000 +0100
@@ -0,0 +1,72 @@
+diff --git a/debian/patches/fix-save-pref-vulnerability.patch b/debian/patches/fix-save-pref-vulnerability.patch
+index 2cb5621..a31d378 100644
+diff --git a/program/include/rcube_plugin.php b/program/include/rcube_plugin.php
+index 748d958..bf1e0bc 100644
+--- a/program/include/rcube_plugin.php
++++ b/program/include/rcube_plugin.php
+@@ -61,6 +61,14 @@ abstract class rcube_plugin
+    */
+   public $noframe = false;
+ 
++  /**
++   * A list of config option names that can be modified
++   * by the user via user interface (with save-prefs command)
++   *
++   * @var array
++   */
++  public $allowed_prefs;
++
+   protected $home;
+   protected $urlbase;
+   private $mytask;
+diff --git a/program/include/rcube_plugin_api.php b/program/include/rcube_plugin_api.php
+index e762fff..fd339bc 100644
+--- a/program/include/rcube_plugin_api.php
++++ b/program/include/rcube_plugin_api.php
+@@ -34,6 +34,7 @@ class rcube_plugin_api
+   public $config;
+   
+   public $handlers = array();
++  public $allowed_prefs = array();
+   private $plugins = array();
+   private $tasks = array();
+   private $actions = array();
+@@ -182,6 +183,11 @@ class rcube_plugin_api
+             $plugin->init();
+             $this->plugins[$plugin_name] = $plugin;
+           }
++
++          if (!empty($plugin->allowed_prefs)) {
++              $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs);
++          }
++
+           return true;
+         }
+       }
+diff --git a/program/steps/utils/save_pref.inc b/program/steps/utils/save_pref.inc
+index 49e99e0..f9e8e20 100644
+--- a/program/steps/utils/save_pref.inc
++++ b/program/steps/utils/save_pref.inc
+@@ -21,6 +21,22 @@
+ 
+ $name = get_input_value('_name', RCUBE_INPUT_POST);
+ $value = get_input_value('_value', RCUBE_INPUT_POST);
++$whitelist = array(
++    'preview_pane',
++    'list_cols',
++    'collapsed_folders',
++    'collapsed_abooks',
++);
++
++if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
++    raise_error(array('code' => 500, 'type' => 'php',
++        'file' => __FILE__, 'line' => __LINE__,
++        'message' => sprintf("Hack attempt detected (user: %s)", $RCMAIL->get_user_name())),
++        true, false);
++
++    $OUTPUT->reset();
++    $OUTPUT->send();
++}
+ 
+ // save preference value
+ $RCMAIL->user->save_prefs(array($name => $value));
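Review bot: in the save_pref.inc part of the new patch file the rejection path depends on `$OUTPUT->send();` terminating the request before the unchanged `$RCMAIL->user->save_prefs(array($name => $value));` line below it executes; if send() does not exit in this roundcube version, add an explicit `exit;` after it so a rejected name is never persisted. Two smaller points: the first two lines of the new file (`diff --git a/debian/patches/fix-save-pref-vulnerability.patch ...` and its `index 2cb5621..a31d378` line) are a stray header with no hunk, harmless to quilt but worth dropping; and because the allowlist is the four core names plus whatever plugins put in `$allowed_prefs`, any shipped plugin that saves a preference through save-pref without declaring it will now fail and log "Hack attempt detected", so the plugins enabled in the Debian package should be checked against that list before upload.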
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series	2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/patches/series	2013-03-27 22:46:28.000000000 +0100
@@ -8,3 +8,4 @@
 use-debian-jquery-ui.patch
 cve-2012-3508.patch
 uuencoded-attachments.patch
+fix-save-pref-vulnerability.patch

--- End Message ---
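The patch above logs "Hack attempt detected (user: ...)" whenever a save-pref request names a preference outside the allowlist. As an added example that is not part of the bug report or the roundcube package, the following Python scans error-log lines for that message and reports users who trigger it repeatedly; the log line layout around the message and all sample lines are assumptions constructed for the example.

```python
"""Scan Roundcube error-log lines for the save_pref allowlist check firing.

Added example, not part of the Debian bug report or the roundcube package.
The log layout below is an assumption modelled on roundcube's errors log;
the sample lines are constructed.
"""
import re
from collections import Counter

# The message text is the one used in fix-save-pref-vulnerability.patch;
# the surrounding log layout (timestamp prefix, file/line suffix) is assumed.
HACK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: PHP Error: Hack attempt detected "
    r"\(user: (?P<user>[^)]*)\)"
)

SAMPLE_LOG = """\
[27-Mar-2013 22:46:28 +0100]: PHP Error: Hack attempt detected (user: mallory@example.org) in /usr/share/roundcube/program/steps/utils/save_pref.inc on line 35 (POST /?_task=utils&_action=save-pref)
[27-Mar-2013 22:46:29 +0100]: PHP Error: Hack attempt detected (user: mallory@example.org) in /usr/share/roundcube/program/steps/utils/save_pref.inc on line 35 (POST /?_task=utils&_action=save-pref)
[27-Mar-2013 22:47:02 +0100]: PHP Error: Hack attempt detected (user: mallory@example.org) in /usr/share/roundcube/program/steps/utils/save_pref.inc on line 35 (POST /?_task=utils&_action=save-pref)
[27-Mar-2013 22:50:11 +0100]: PHP Error: Hack attempt detected (user: alice@example.org) in /usr/share/roundcube/program/steps/utils/save_pref.inc on line 35 (POST /?_task=utils&_action=save-pref)
[27-Mar-2013 22:51:40 +0100]: PHP Error: Could not connect to IMAP server in /usr/share/roundcube/program/include/rcube_imap.php on line 200
"""

def parse_hack_attempts(log_text):
    """Return a list of (timestamp, user) for each allowlist rejection."""
    hits = []
    for line in log_text.splitlines():
        m = HACK_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user")))
    return hits

def users_over_threshold(log_text, threshold=2):
    """Count rejections per user and return those at or above threshold.

    A user repeatedly hitting the check is either a plugin that saves a
    preference it did not declare in $allowed_prefs, or someone probing
    the save-pref endpoint; both deserve a look.
    """
    counts = Counter(user for _, user in parse_hack_attempts(log_text))
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for user, n in sorted(users_over_threshold(SAMPLE_LOG).items()):
        print(f"{user}: {n} rejected save-pref requests")
```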
--- Begin Message ---
On 27.03.2013 22:57, Vincent Bernat wrote:
> Please unblock package roundcube
> 
> It includes an important security fix. Without it, a logged-in user can
> override any variable, which can then be used to steal credentials or
> read arbitrary files. I include the debdiff against the version
> currently scheduled for Wheezy (0.7.2-8) but not yet in testing.

Unblocked by Julien.

Regards,

Adam

--- End Message ---