[Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin
Guilhem Moulin
guilhem at debian.org
Wed Apr 18 20:27:36 BST 2018
Hi Salvatore,
On Sun, 08 Apr 2018 at 10:27:10 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for roundcube.
>
> CVE-2018-9846[0]:
> | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
> | enabled and configured, it's possible to exploit the unsanitized,
> | user-controlled "_uid" parameter (in an archive.php
> | _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
> | an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
> | sequence. NOTE: this is less easily exploitable in 1.3.4 and later
> | because of a Same Origin Policy protection mechanism.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
1.2.8 was released yesterday. Attached is a debdiff with the following
upstream commits cherry-picked (ignoring changes to CHANGELOG):
https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640
https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc
https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343
https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70
Should we go via stretch-security, or aim for the next stable point
release?
--
Guilhem.
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-18 21:00:09.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+ * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+ configured, it's possible to exploit the unsanitized, user-controlled
+ "_uid" parameter to perform an MX (IMAP) injection attack.
+ https://github.com/roundcube/roundcubemail/issues/6238
+ (Closes: #895184).
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 18 Apr 2018 21:00:09 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
* Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 2018-04-18 21:00:09.000000000 +0200
@@ -0,0 +1,84 @@
+---
+ plugins/archive/archive.php | 6 ++++--
+ plugins/managesieve/managesieve.php | 4 ++--
+ plugins/markasjunk/markasjunk.php | 9 ++++++---
+ program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_imap_generic.php
++++ b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3836,13 +3836,13 @@ class rcube_imap_generic
+
+ if (!is_array($messages)) {
+ // if less than 255 bytes long, let's not bother
+- if (!$force && strlen($messages)<255) {
+- return $messages;
++ if (!$force && strlen($messages) < 255) {
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // see if it's already been compressed
+ if (strpos($messages, ':') !== false) {
+- return $messages;
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // separate, then sort
+@@ -3877,7 +3877,9 @@ class rcube_imap_generic
+ }
+
+ // return as comma separated string
+- return implode(',', $result);
++ $result = implode(',', $result);
++
++ return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
+ }
+
+ /**
+--- a/plugins/archive/archive.php
++++ b/plugins/archive/archive.php
+@@ -122,8 +122,10 @@ class archive extends rcube_plugin
+ $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
+ $messageset = array($current_mbox => $index->get());
+ }
+- else {
+- $messageset = rcmail::get_uids();
++ else if (!empty($uids)) {
++ $messageset = rcmail::get_uids($uids, $current_mbox);
++ } else {
++ $messageset = array();
+ }
+
+ foreach ($messageset as $mbox => $uids) {
+--- a/plugins/managesieve/managesieve.php
++++ b/plugins/managesieve/managesieve.php
+@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
+ function managesieve_actions()
+ {
+ // handle fetching email headers for the new filter form
+- if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+- $uids = rcmail::get_uids();
++ if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
++ $uids = rcmail::get_uids($_uid);
+ $mailbox = key($uids);
+ $message = new rcube_message($uids[$mailbox][0], $mailbox);
+ $headers = $this->parse_headers($message->headers);
+--- a/plugins/markasjunk/markasjunk.php
++++ b/plugins/markasjunk/markasjunk.php
+@@ -62,10 +62,13 @@ class markasjunk extends rcube_plugin
+
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
++ $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
+
+- foreach (rcmail::get_uids() as $mbox => $uids) {
+- $storage->unset_flag($uids, 'NONJUNK', $mbox);
+- $storage->set_flag($uids, 'JUNK', $mbox);
++ if (!empty($uids)) {
++ foreach (rcmail::get_uids($uids) as $mbox => $uids) {
++ $storage->unset_flag($uids, 'NONJUNK', $mbox);
++ $storage->set_flag($uids, 'JUNK', $mbox);
++ }
+ }
+
+ if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {
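Review bot: In the rcube_imap_generic hunk the three new checks in compressMessageSet() return the literal string 'INVALID' instead of false or an empty set, so a caller that does not compare against that sentinel will still embed `INVALID` as the sequence-set argument of the command it builds; the injected `%0d%0a` payload is dropped, but the outcome then depends on the server rejecting the malformed set rather than on the client refusing to send it. I would state that contract on the method, e.g. `// Returns 'INVALID' when $messages contains anything outside a sequence set ([0-9:,*]); callers must test for it before building a command`, and check for it in the callers this patch touches. The final return uses `[^0-9:,]` while the two early returns allow `*`; that looks intentional, since the compressed form is assembled from parsed numbers, but a one-line comment would spare the next reader the question. The `$uids` tested in the new archive.php branch is assigned earlier in move_messages(), outside this hunk, and the markasjunk foreach reuses `$uids` as its loop variable, shadowing the posted value it was just built from; both enclosing functions start and end outside the hunk.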
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2018-04-18 21:00:09.000000000 +0200
@@ -13,3 +13,4 @@
CVE-2017-6820.patch
CVE-2017-8114.patch
CVE-2017-16651.patch
+CVE-2018-9846.patch