[Pkg-roundcube-maintainers] Bug#509596: roundcube: CVE-2008-5620 massive memory consumption via crafted image
Vincent Bernat
bernat at debian.org
Tue Dec 23 18:54:48 UTC 2008
On Tue, 23 Dec 2008 18:23:02 +0100, Nico Golde <nion at debian.org> wrote:
> Package: roundcube
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
>
> CVE-2008-5620[0]:
> | RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
> | attackers to cause a denial of service (memory consumption) via
> | crafted size parameters that are used to create a large quota image.
>
> Attached is a patch I extracted from the bundled upstream
> patch on http://sourceforge.net/forum/forum.php?forum_id=898542
Thanks for the patch!
Here is a more minimal one for 0.1.1.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: roundcube-cve-2008-5620.patch
Url: http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/attachments/20081223/6d66f90b/attachment.txt