[Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Juan Rossi
juanrossi at gmail.com
Tue Dec 6 23:05:59 UTC 2016
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,
I am reporting this as it is quite important: the testing and unstable versions of roundcube are affected (and even all the backports offered, which hopefully will be updated via a bug report to the backports mailing list once the packages are upgraded or the bug patch is backported):
"malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0)"
"Requirements
The vulnerability has the following requirements for exploitation:
- Roundcube must be configured to use PHP's mail() function (by default, if no SMTP was specified)
- PHP's mail() function is configured to use sendmail (by default, see sendmail_path)
- PHP is configured to have safe_mode turned off (by default, see safe_mode)
- An attacker must know or guess the absolute path of the webroot
These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild."
The use of the PHP mail() function is the default in the package.
More details about this at:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/#fn:1
So it is probably important to update to upstream version 1.2.3.
Regards
Juan.-
-- System Information:
Debian Release: 8.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.4.32-rh33-20161115070633.xenU.i386 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages roundcube depends on:
ii roundcube-core 1.1.4+dfsg.1-1~bpo8+1
roundcube recommends no packages.
roundcube suggests no packages.
Versions of packages roundcube-core depends on:
ii dbconfig-common 1.8.47+nmu3+deb8u1
ii debconf [debconf-2.0] 1.5.56
ii libapache2-mod-php5 5.6.19+dfsg-0+deb8u1
ii libmagic1 1:5.22+15-2+deb8u1
ii php-auth 1.6.4-1
ii php-mail-mime 1.8.9-1+deb8u1
ii php-mail-mimedecode 1.5.5-2+deb8u1
ii php-net-smtp 1.6.2-2
ii php-net-socket 1.0.14-1
ii php5 5.6.19+dfsg-0+deb8u1
ii php5-cli 5.6.19+dfsg-0+deb8u1
ii php5-common 5.6.19+dfsg-0+deb8u1
ii php5-intl 5.6.19+dfsg-0+deb8u1
ii php5-json 1.3.6-1
ii php5-mcrypt 5.6.19+dfsg-0+deb8u1
ii roundcube-mysql 1.1.4+dfsg.1-1~bpo8+1
ii ucf 3.0030
Versions of packages roundcube-core recommends:
ii apache2 [httpd-cgi] 2.4.10-10+deb8u4
ii apache2-mpm-prefork [httpd-cgi] 2.4.10-10+deb8u4
ii php-net-ldap3 1.0.3-1~bpo8+1
ii php-net-sieve 1.3.2-4
ii php5-gd 5.6.19+dfsg-0+deb8u1
ii php5-pspell 5.6.19+dfsg-0+deb8u1
Versions of packages roundcube-core suggests:
ii php-auth-sasl 1.0.6-1+deb8u1
pn php-crypt-gpg <none>
ii roundcube-plugins 1.1.4+dfsg.1-1~bpo8+1
-- debconf information excluded
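Added example (not part of the bug report or of Roundcube): an audit helper that evaluates the four preconditions quoted above against a host's Roundcube config.inc.php and php.ini text, so an administrator can tell whether a given installation matches the exposed configuration. The sample config fragments are constructed; the affected version range (1.0 up to, but not including, 1.2.3) is taken from the report's wording, and the php.ini defaults assumed when a key is absent are PHP's own documented defaults.

```python
import re

# Constructed sample inputs (not from the report): a weak and a hardened
# Roundcube config fragment, plus php.ini lines as shipped on a Debian host.
ROUNDCUBE_CONFIG_WEAK = """
$config['smtp_server'] = '';
$config['smtp_port'] = 25;
"""
ROUNDCUBE_CONFIG_HARDENED = """
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;
"""
PHP_INI = """
safe_mode = Off
sendmail_path = /usr/sbin/sendmail -t -i
"""


def roundcube_uses_php_mail(config_text):
    """True when smtp_server is unset or empty: Roundcube then falls back to PHP mail()."""
    m = re.search(r"\$config\['smtp_server'\]\s*=\s*'([^']*)'", config_text)
    return m is None or m.group(1).strip() == ""


def php_ini_setting(ini_text, key):
    """Return the value of a php.ini key, or None if the key is not set."""
    m = re.search(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(key), ini_text, re.M)
    return m.group(1) if m else None


def version_tuple(version):
    """Parse the leading numeric part of a version such as '1.1.4+dfsg.1-1~bpo8+1'."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))


def assess(config_text, ini_text, roundcube_version):
    """Evaluate each precondition from the report; 'exposed' is True only when all hold."""
    sendmail = php_ini_setting(ini_text, "sendmail_path") or "sendmail"  # PHP default
    safe_mode = (php_ini_setting(ini_text, "safe_mode") or "Off").lower()  # PHP default
    conditions = {
        "affected_version": (1, 0) <= version_tuple(roundcube_version) < (1, 2, 3),
        "uses_php_mail": roundcube_uses_php_mail(config_text),
        "sendmail_path_is_sendmail": "sendmail" in sendmail,
        "safe_mode_off": safe_mode in ("off", "0", ""),
    }
    conditions["exposed"] = all(conditions.values())
    return conditions
```

Pointing Roundcube at a real SMTP server (the hardened fragment) removes the mail() precondition, but upgrading to 1.2.3 remains the actual fix.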