[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-1264{0,1}/roundcube as unimportant

Salvatore Bonaccorso carnil at debian.org
Wed May 6 15:35:00 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3fc5c0f4 by Salvatore Bonaccorso at 2020-05-06T16:30:30+02:00
Mark CVE-2020-1264{0,1}/roundcube as unimportant

no-dsa might be another option. To exploit the issues one would need to
set $config['im_identify_path'] or $config['im_convert_path'] to a
string containing shell metacharacters.  The config files themselves are
created by the Debian package, with ownership root:www-data and mode 0640
by default.

So in order to be exploited, this would already require elevated
privileges to write crafted values to those files.

This is the background for the non-issue decision. If a reviewer
disagrees with this reasoning, please mark those no-dsa instead.

- - - - -
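The commit message above rests on two local preconditions: the two ImageMagick path settings hold plain paths without shell metacharacters, and the config file is root:www-data 0640 so the web server account cannot rewrite them. The following script is an added example (not part of the Debian tracker or of Roundcube) that audits a config.inc.php for exactly those two conditions; the regex for the `$config[...]` assignment lines, the metacharacter set, and the sample config contents are assumptions constructed for the example.

```python
"""Audit a Roundcube config.inc.php for the preconditions named in the
commit message: no shell metacharacters in im_identify_path /
im_convert_path, and a file mode that keeps www-data from writing it.

Added example; regex, metacharacter set and sample configs are assumed.
"""
import os
import re
import stat
import tempfile

# Config keys that CVE-2020-12640/12641 are reached through.
WATCHED_KEYS = ("im_identify_path", "im_convert_path")

# Characters a POSIX shell treats specially (assumed, deliberately broad).
SHELL_META = set(";|&$`<>()\\\"'*?[]{}~!#\n")

# Matches lines such as:  $config['im_convert_path'] = '/usr/bin/convert';
ASSIGN_RE = re.compile(
    r"""\$config\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*['"](?P<value>[^'"]*)['"]\s*;"""
)

# Constructed sample configs (not real Debian defaults).
SAMPLE_SAFE = """<?php
$config['im_identify_path'] = '/usr/bin/identify';
$config['im_convert_path'] = '/usr/bin/convert';
"""
SAMPLE_BAD = """<?php
$config['im_identify_path'] = '/usr/bin/identify';
$config['im_convert_path'] = '/usr/bin/convert; touch /tmp/pwned';
"""


def parse_config(text):
    """Return {key: value} for the watched $config assignments found in text."""
    found = {}
    for m in ASSIGN_RE.finditer(text):
        if m.group("key") in WATCHED_KEYS:
            found[m.group("key")] = m.group("value")
    return found


def unsafe_values(config):
    """Return the watched keys whose value contains metacharacters or whitespace."""
    bad = []
    for key, value in config.items():
        if any(c in SHELL_META or c.isspace() for c in value):
            bad.append(key)
    return sorted(bad)


def check_mode(path):
    """List mode-bit problems relative to the expected 0640 (no group write, no other access)."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def owned_by_root(path):
    """True when the file owner is uid 0, as in the Debian package's root:www-data default."""
    return os.stat(path).st_uid == 0


def audit_file(path):
    """Combine the value and permission checks for one config file."""
    with open(path, encoding="utf-8") as fh:
        config = parse_config(fh.read())
    return {
        "unsafe_keys": unsafe_values(config),
        "mode_problems": check_mode(path),
        "owned_by_root": owned_by_root(path),
    }


def demo():
    """Write the constructed bad config to a 0640 temp file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.inc.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BAD)
        os.chmod(path, 0o640)
        result = audit_file(path)
    result["safe_sample_unsafe_keys"] = unsafe_values(parse_config(SAMPLE_SAFE))
    return result


if __name__ == "__main__":
    print(demo())
```

On a real host, run `audit_file("/etc/roundcube/config.inc.php")` as a user that can read the file; an empty `unsafe_keys` list, an empty `mode_problems` list and `owned_by_root == True` together mean the unimportant rationale in the commit message applies to that installation.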


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -79,12 +79,12 @@ CVE-2020-12643
 CVE-2020-12642 (An issue was discovered in service-api before 4.3.12 and 5.x before 5. ...)
 	NOT-FOR-US: Report Portal
 CVE-2020-12641 (rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to  ...)
-	- roundcube 1.4.4+dfsg.1-1
+	- roundcube 1.4.4+dfsg.1-1 (unimportant)
 	[buster] - roundcube 1.3.11+dfsg.1-1~deb10u1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
 	NOTE: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
 CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows attackers to include local files ...)
-	- roundcube 1.4.4+dfsg.1-1
+	- roundcube 1.4.4+dfsg.1-1 (unimportant)
 	[buster] - roundcube 1.3.11+dfsg.1-1~deb10u1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
 	NOTE: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
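Review bot: the justification for the "(unimportant)" tag on both the CVE-2020-12641 and CVE-2020-12640 entries exists only in the commit message, so a reviewer reading data/CVE/list, whom the message invites to re-mark these no-dsa, cannot see why they were rated that way. Add a NOTE line under each entry alongside the existing upstream links, for example `NOTE: exploitation requires writing shell metacharacters into im_identify_path/im_convert_path; config.inc.php is root:www-data 0640 in the Debian package`, so the rationale travels with the entry.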



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc5c0f476f86ce3ad08e5015d2222ebb4eb9c4a


