[Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

Salvatore Bonaccorso carnil at debian.org
Fri Apr 20 04:18:36 BST 2018

Hi Guilhem,

Thanks for following up for stretch. First a quick comment. Please
always CC team at security.debian.org on such questions for if an update
is wanted for DSA. This alows team members to better share the load
for review, release, etc ... (and it's recorded futhermore on the team

On Wed, Apr 18, 2018 at 09:27:36PM +0200, Guilhem Moulin wrote:
> Hi Salvatore,
> On Sun, 08 Apr 2018 at 10:27:10 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for roundcube.
> > 
> > CVE-2018-9846[0]:
> > | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
> > | enabled and configured, it's possible to exploit the unsanitized,
> > | user-controlled "_uid" parameter (in an archive.php
> > | _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
> > | an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
> > | sequence. NOTE: this is less easily exploitable in 1.3.4 and later
> > | because of a Same Origin Policy protection mechanism.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 1.2.8 was released yesterday.  Attached is a debdiff with the following
> upstream commits cherry-picked (ignoring changes to CHANGELOG):
>     https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640
>     https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc
>     https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343
>     https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70
> Should we go via stretch-security, or aim for the next stable point
> release?

I think we should release this through stretch-security. The debdiff
per se looks already good. Were you able to test the update in
production under stretch?

There is though one no-dsa issue,
https://security-tracker.debian.org/tracker/CVE-2018-1000071 which
would be good to be included. Could you backport that fix as well and
send a new debdiff for quick review+ack for upload?


More information about the Pkg-roundcube-maintainers mailing list