Bug#536498: Please backport roundcube CVE-2008-5619
On Mon, 13 Jul 2009 14:28:30 +0200 Nico Golde n...@debian.org wrote:

* Gerfried Fuchs rho...@deb.at [2009-07-13 14:17]:

* Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 17:14:45 CEST]:

Thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue.

Erm, are you sure? According to Nico it was fixed in 0.1.1-9 which is older than 0.1.1-10. I'm now pretty puzzled about the whole fuzz and the issue at hand?

I checked the package of backports and the issue you are reporting seems indeed to be fixed. Do you have any evidence that this or a similar issue is being exploited on your system?

Sorry for not answering earlier, I was struggling with this bugzilla interface and my message didn't go through. I see the exact same issue: somebody accessing roundcube's html2text with POSTs, and files are being uploaded (to /dev/shm in this particular case). And I also have no idea how they start their programs (a process httpd run by www-data that we caught quickly with tiger, since on Debian we call it apache2).

Benjamin
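As an added illustration that is not part of the bug thread, the two symptoms Benjamin describes (repeated POSTs to html2text.php, and a process named httpd running as www-data on a Debian box whose Apache binary is apache2) can be pulled out of ordinary Apache access logs and `ps` output; the log lines and process listing below are constructed samples, and the Roundcube URL prefix is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the report).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jul/2009:15:02:11 +0200] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jul/2009:15:02:13 +0200] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.10 - alice [10/Jul/2009:15:03:00 +0200] "GET /roundcube/?_task=mail HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2009:15:04:41 +0200] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 5 "-" "curl/7.18"
"""

# Constructed `ps -eo user,pid,comm` output (not from the report).
SAMPLE_PS = """\
USER       PID COMMAND
root      1234 apache2
www-data  1240 apache2
www-data  1241 apache2
www-data  4321 httpd
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def html2text_posts_per_client(log_text):
    """Count POST requests to html2text.php per client IP.

    Roundcube's compose screen also uses this script, so treat the result
    as triage data: look first at clients with no other webmail activity."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        path = m['path'].split('?', 1)[0]
        if path.endswith('/html2text.php'):
            counts[m['ip']] += 1
    return dict(counts)


def unexpected_www_data_processes(ps_text, expected=('apache2',)):
    """Return (pid, command) for www-data processes whose command is not
    the packaged web server. On Debian the Apache binary is apache2, so a
    process called httpd under www-data, as in the report, stands out."""
    found = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        user, pid, comm = line.split(None, 2)
        if user == 'www-data' and comm not in expected:
            found.append((pid, comm))
    return found
```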
Bug#536498: Please backport roundcube CVE-2008-5619
On Mon, 13 Jul 2009 14:27:31 +0200 Gerfried Fuchs rho...@deb.at wrote:

... which, in the case of this bugreport, is done. 0.1.1-9 did fix CVE-2008-5619 for etch-backports, so it rather seems to me that Benjamin got some things mixed up, unless the claimed patch in that upload wasn't complete.

Maybe this isn't really about CVE-2008-5616, but that's hard to say from my logs. All I saw was POSTs to roundcube-0.1.1-10~bpo40+2's admittedly horrible html2text.php and the same symptoms as reported for http://trac.roundcube.net/ticket/1485618 (i.e. file uploads and shell access as www-data).

Would be great to get things straightened out. Benjamin, do you claim the package in etch-bpo affected by this bug and the fix to be incomplete, or what's the deal? I'm especially puzzled by your original version you reported it again to be 0.2.2-1 which is by far close to anything that's in backports - or way over the version that it was fixed in already. Do you claim by that that the patch got removed again, or were you just puzzled?

Debian bugreport is way too fancy for me: I reported a bug in roundcube-0.1.1-10~bpo40+2, while I already had 0.2.2-1 installed on that machine. Apparently this bug didn't get retagged in your bugzilla (?) incarnation.

Thanks, Benjamin
Bug#536498: Please backport roundcube CVE-2008-5619
Package: roundcube
Version: 0.2.2-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I have roundcube 0.1.1.10 installed from backports, and I see people exploiting roundcube CVE-2008-5619 (http://trac.roundcube.net/ticket/1485618). Any chances the fix mentioned there could be backported to etch? For now I pulled the version from unstable on my system.

Best, Benjamin

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages roundcube depends on:
ii  roundcube-core         0.2.2-1               skinnable AJAX based webmail solut

roundcube recommends no packages.

Versions of packages roundcube-core depends on:
ii  apache2                2.2.3-4+etch8         Next generation, scalable, extenda
ii  apache2-mpm-prefork    2.2.3-4+etch8         Traditional model for Apache HTTPD
ii  dbconfig-common        1.8.29+etch1          common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.11etch2           Debian configuration management sy
ii  libmagic1              4.17-5etch3           File type determination library us
ii  php-auth               1.2.4-0.1             PHP PEAR modules for creating an a
ii  php-mail-mime          1.5.2-0.1             PHP PEAR module for creating MIME
ii  php-mdb2               2.5.0b2-1             PHP PEAR module to provide a commo
ii  php-net-smtp           1.2.6-2               PHP PEAR module implementing SMTP
ii  php-net-socket         1.0.6-2               PHP PEAR Network Socket Interface
ii  php5                   5.2.0+dfsg-8+etch15   server-side, HTML-embedded scripti
ii  php5-gd                5.2.0+dfsg-8+etch15   GD module for php5
ii  php5-mcrypt            5.2.0+dfsg-8+etch15   MCrypt module for php5
ii  php5-pspell            5.2.0+dfsg-8+etch15   pspell module for php5
ii  roundcube-sqlite       0.2.2-1               metapackage providing sqlite depen
ii  tinymce                3.2.1.1-0.1           platform independent web based Jav
ii  ucf                    2.0020                Update Configuration File: preserv
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
Hi,

thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue. I urge you to please make a version bump to backports since this is a security issue.

Thanks, Benjamin
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
On Fri, 10 Jul 2009 19:45:41 +0200 Nico Golde n...@debian.org wrote:

I see roundcube-0.1.1-10~bpo40+2 still in backports. [..]

That's why I marked this bug as done with the unstable version.

Sorry, maybe I got confused. I reported this bug here because the backports version was listed in the list of Debian packages. If backports doesn't even have a bugtracker (couldn't find one on their homepage) this is maybe the right time to dump it from my sources.list.

I urge you to please make a version bump to backports since this is a security issue.

The best would probably be to ping the one who did the initial backport. I CCed Alexander Wirt and Gerfried Fuchs (from backports.org), maybe they can help you.

Thanks. This should really be fixed.

Benjamin