[Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin
Guilhem Moulin
guilhem at debian.org
Sat Apr 21 01:13:54 BST 2018
On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
> Thanks for following up for stretch. First a quick comment. Please
> always CC team at security.debian.org on such questions for if an update
> is wanted for DSA. This allows team members to better share the load
> for review, release, etc ... (and it's recorded furthermore on the team
> alias).
Oops, I assumed that the Security Team received all bugs tagged
‘security’ so I omitted the CC on purpose… my bad.
> I think we should release this through stretch-security. The debdiff
> per se looks already good. Were you able to test the update in
> production under stretch?
Yes, I did test the update.
> There is though one no-dsa issue,
> https://security-tracker.debian.org/tracker/CVE-2018-1000071 which
> would be good to be included. Could you backport that fix as well and
> send a new debdiff for quick review+ack for upload?
Sure, new debdiff attached.
--
Guilhem.
-------------- next part --------------
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-21 01:51:56.000000000 +0200
@@ -1,3 +1,16 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+ * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+ configured, it's possible to exploit the unsanitized, user-controlled
+ "_uid" parameter to perform an MX (IMAP) injection attack.
+ https://github.com/roundcube/roundcubemail/issues/6238
+ (Closes: #895184).
+ * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
+ enigma plugin that can result in exfiltration of gpg private key.
+ https://github.com/roundcube/roundcubemail/issues/6173
+
+ -- Guilhem Moulin <guilhem at debian.org> Sat, 21 Apr 2018 01:51:56 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
* Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-1000071.patch 2018-04-21 01:51:56.000000000 +0200
@@ -0,0 +1,74 @@
+commit 48417c5fc9f6eb4b90500c09596606d489c700b5
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Sun Mar 4 09:14:43 2018 +0100
+
+ Remove default for enigma_pgp_homedir (#6173)
+
+ To make the default installation more secure force users to set the folder.
+ Added notes that it should be secured or not accessible from the web browser.
+
+---
+ plugins/enigma/README | 15 +++++++++++++--
+ plugins/enigma/config.inc.php.dist | 4 ++--
+ plugins/enigma/home/.htaccess | 7 -------
+ plugins/enigma/lib/enigma_driver_gnupg.php | 2 +-
+ 4 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/plugins/enigma/config.inc.php.dist
++++ b/plugins/enigma/config.inc.php.dist
+@@ -12,8 +12,8 @@ $config['enigma_smime_driver'] = 'phpssl
+ // Enables logging of enigma operations (including Crypt_GPG debug info)
+ $config['enigma_debug'] = false;
+
+-// Keys directory for all users. Default 'enigma/home'.
+-// Must be writeable by PHP process
++// REQUIRED! Keys directory for all users.
++// Must be writeable by PHP process, and not in the web server document root
+ $config['enigma_pgp_homedir'] = null;
+
+ // Location of gpg binary. By default it will be auto-detected.
+--- a/plugins/enigma/home/.htaccess
++++ /dev/null
+@@ -1,7 +0,0 @@
+-# deny webserver access to this directory
+-<ifModule mod_authz_core.c>
+- Require all denied
+-</ifModule>
+-<ifModule !mod_authz_core.c>
+- Deny from all
+-</ifModule>
+--- a/plugins/enigma/lib/enigma_driver_gnupg.php
++++ b/plugins/enigma/lib/enigma_driver_gnupg.php
+@@ -39,7 +39,7 @@ class enigma_driver_gnupg extends enigma
+ */
+ function init()
+ {
+- $homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH . 'plugins/enigma/home');
++ $homedir = $this->rc->config->get('enigma_pgp_homedir');
+ $debug = $this->rc->config->get('enigma_debug');
+ $binary = $this->rc->config->get('enigma_pgp_binary');
+ $agent = $this->rc->config->get('enigma_pgp_agent');
+--- a/plugins/enigma/README
++++ b/plugins/enigma/README
+@@ -21,8 +21,19 @@ Implemented features:
+ + Attaching public keys to email
+
+
+-TODO:
+------
++INSTALLATION
++------------
++
++1. Rename config.inc.php.dist to config.inc.php.
++2. Create a directory for keys storage that is writeable for the PHP process.
++ This directory should be out of the document root, so it is not accessible
++ from the web browser. Set it's location in $config['enigma_pgp_homedir'].
++3. Make sure GnuPG is installed.
++
++
++TODO
++----
++
+ - Handling of big messages with temp files
+ - Key info in contact details page (optional)
+ - Extended key management:
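Review bot: The new `$homedir = $this->rc->config->get('enigma_pgp_homedir');` in enigma_driver_gnupg.php yields null for any stretch installation that never set the option, and init() continues outside the hunk, so the backport should confirm that the existing body rejects an empty `$homedir` before it is handed to the GPG backend rather than letting a null path fall through. Deleting plugins/enigma/home/.htaccess also removes the web-server deny rule for deployments whose keys still live in that directory, which is presumably intended to force migration but is worth stating explicitly. Since the stretch package will now disable enigma for admins who relied on the old default, a debian/NEWS entry telling them to set `$config['enigma_pgp_homedir']` to a writeable directory outside the document root would be warranted; the README text in this hunk says the same (and its "Set it's location" should read "Set its location").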
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 2018-04-21 01:51:56.000000000 +0200
@@ -0,0 +1,84 @@
+---
+ plugins/archive/archive.php | 6 ++++--
+ plugins/managesieve/managesieve.php | 4 ++--
+ plugins/markasjunk/markasjunk.php | 9 ++++++---
+ program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_imap_generic.php
++++ b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3836,13 +3836,13 @@ class rcube_imap_generic
+
+ if (!is_array($messages)) {
+ // if less than 255 bytes long, let's not bother
+- if (!$force && strlen($messages)<255) {
+- return $messages;
++ if (!$force && strlen($messages) < 255) {
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // see if it's already been compressed
+ if (strpos($messages, ':') !== false) {
+- return $messages;
++ return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
+ }
+
+ // separate, then sort
+@@ -3877,7 +3877,9 @@ class rcube_imap_generic
+ }
+
+ // return as comma separated string
+- return implode(',', $result);
++ $result = implode(',', $result);
++
++ return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
+ }
+
+ /**
+--- a/plugins/archive/archive.php
++++ b/plugins/archive/archive.php
+@@ -122,8 +122,10 @@ class archive extends rcube_plugin
+ $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
+ $messageset = array($current_mbox => $index->get());
+ }
+- else {
+- $messageset = rcmail::get_uids();
++ else if (!empty($uids)) {
++ $messageset = rcmail::get_uids($uids, $current_mbox);
++ } else {
++ $messageset = array();
+ }
+
+ foreach ($messageset as $mbox => $uids) {
+--- a/plugins/managesieve/managesieve.php
++++ b/plugins/managesieve/managesieve.php
+@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
+ function managesieve_actions()
+ {
+ // handle fetching email headers for the new filter form
+- if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+- $uids = rcmail::get_uids();
++ if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
++ $uids = rcmail::get_uids($_uid);
+ $mailbox = key($uids);
+ $message = new rcube_message($uids[$mailbox][0], $mailbox);
+ $headers = $this->parse_headers($message->headers);
+--- a/plugins/markasjunk/markasjunk.php
++++ b/plugins/markasjunk/markasjunk.php
+@@ -62,10 +62,13 @@ class markasjunk extends rcube_plugin
+
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
++ $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
+
+- foreach (rcmail::get_uids() as $mbox => $uids) {
+- $storage->unset_flag($uids, 'NONJUNK', $mbox);
+- $storage->set_flag($uids, 'JUNK', $mbox);
++ if (!empty($uids)) {
++ foreach (rcmail::get_uids($uids) as $mbox => $uids) {
++ $storage->unset_flag($uids, 'NONJUNK', $mbox);
++ $storage->set_flag($uids, 'JUNK', $mbox);
++ }
+ }
+
+ if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {
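Review bot: In markasjunk.php the new `foreach (rcmail::get_uids($uids) as $mbox => $uids)` reuses `$uids` as both the argument and the loop variable; the argument is evaluated once before the loop so the result is correct, but it reads as if the loop consumes its own output, and managesieve.php in the same patch names the raw POST value `$_uid`. Renaming it in markasjunk.php, `$_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);` / `if (!empty($_uid)) {` / `foreach (rcmail::get_uids($_uid) as $mbox => $uids) {`, keeps the three call sites consistent. In archive.php the new `else if (!empty($uids))` branch relies on `$uids` having been read from `_uid` earlier in the enclosing function, which starts outside the hunk; that should be verified in the 1.2.3 tree, since otherwise the branch silently archives nothing. The `'INVALID'` checks added in compressMessageSet() are what actually stops non-sequence-set characters from reaching the IMAP command, so the plugin changes only narrow which input gets there.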
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2017-11-09 06:45:05.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2018-04-21 01:51:56.000000000 +0200
@@ -13,3 +13,5 @@
CVE-2017-6820.patch
CVE-2017-8114.patch
CVE-2017-16651.patch
+CVE-2018-9846.patch
+CVE-2018-1000071.patch