Bug#536498: Please backport roundcube CVE-2008-5619
On Mon, 13 Jul 2009 14:28:30 +0200 Nico Golde n...@debian.org wrote:
> * Gerfried Fuchs rho...@deb.at [2009-07-13 14:17]:
> > * Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 17:14:45 CEST]:
> > > thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue.
> >
> > Erm, are you sure? According to Nico it was fixed in 0.1.1-9 which is older than 0.1.1-10. I'm now pretty puzzled about the whole fuzz and the issue at hand?
>
> I checked the package of backports and the issue you are reporting seems indeed to be fixed. Do you have any evidence that this or a similar issue is being exploited on your system?

Sorry for not answering earlier, I was struggling with this bugzilla interface and my message didn't go through. I see the exact same issue: somebody accessing roundcube's html2text with POSTs, and files are being uploaded (to /dev/shm in this particular case). And I also have no idea how they start their programs (a process httpd run by www-data that we caught quickly with tiger, since on Debian we call it apache2).

Benjamin
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
* Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 20:08:57 CEST]:
> On Fri, 10 Jul 2009 19:45:41 +0200 Nico Golde n...@debian.org wrote:
> > > I see roundcube-0.1.1-10~bpo40+2 still in backports. [..]
> >
> > That's why I marked this bug as done with the unstable version.
>
> Sorry, maybe I got confused. I reported this bug here because the backports version was listed in the list of Debian packages.

Yes, that's a service along the path to get backports more integrated and official. We unfortunately aren't there yet.

> If backports doesn't even have a bugtracker (couldn't find one on their homepage) this is maybe the right time to dump it from my sources.list.

The backports-us...@lists.backports.org mailing list [1] is as good as you can get currently. A request tracker is in the works. Please also see the information available on e.g. [2] about who did the actual backport - in this case it was Holger Levsen. Though, I just asked him and he said that he doesn't care about etch-backports.

[1] http://lists.backports.org/mailman/listinfo/backports-users
[2] http://www.backports.org/~formorer/changes/etch-backports.html

> > > I urge you to please make a version bump to backports since this is a security issue.
> >
> > The best would be probably to ping the one who did the initial backport. I CCed Alexander Wirt and Gerfried Fuchs (from backports.org), maybe they can help you.
>
> Thanks. This should really be fixed.

I usually track things in backports and prod the people who uploaded the packages there or jump in myself. I'm though just one person and can only do as much as I can do and offer best effort. Thanks for bringing the issue directly to my attention, Nico. :)

Given that Holger gives a damn I'm willing to invest the necessary effort in case Alexander doesn't remove the package earlier than I am able to produce the working backport.

So long, and sorry for the inconvenience.
Rhonda
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
On Monday, 13 July 2009, Gerfried Fuchs wrote:
> - in this case it was Holger Levsen. Though, I just asked him and he said that he doesn't care about etch-backports.
> Given that Holger gives a damn

thanks for your understanding and your well done summary of my position.

love,
Holger, really motivated now
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
Hi,

On Monday, 13 July 2009, Gerfried Fuchs wrote:
> - in this case it was Holger Levsen. Though, I just asked him and he said that he doesn't care about etch-backports.

given that it's not possible/desirable to have backports from squeeze in etch-bpo (see http://lists.backports.org/lurker-bpo/message/20090220.215045.8a623425.en.html) Alexander Wirt and I have decided last week that it's best to remove the roundcube backport from etch-bpo.

Of course, if Gerfried wants to cherry-pick and backport the needed fixes to roundcube 0.1 and upload that to etch-bpo, he can do that.

I'd still recommend to upgrade to lenny, but that's the beauty of free software: there is more than one way to do it and everybody can get involved :-)

regards,
Holger
Bug#536498: Please backport roundcube CVE-2008-5619
* Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 17:14:45 CEST]:
> thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue.

Erm, are you sure? According to Nico it was fixed in 0.1.1-9 which is older than 0.1.1-10. I'm now pretty puzzled about the whole fuzz and the issue at hand?

Thanks for any clarification,
Rhonda
Bug#536498: Please backport roundcube CVE-2008-5619
Hi again!

* Holger Levsen hol...@layer-acht.org [2009-07-13 12:10:41 CEST]:
> On Monday, 13 July 2009, Gerfried Fuchs wrote:
> > - in this case it was Holger Levsen. Though, I just asked him and he said that he doesn't care about etch-backports.
>
> given that it's not possible/desirable to have backports from squeeze in etch-bpo (see http://lists.backports.org/lurker-bpo/message/20090220.215045.8a623425.en.html) Alexander Wirt and I have decided last week that it's best to remove the roundcube backport from etch-bpo.

Erm, you probably did misread that mail:

,----[ quote ]
| But remember that contributors are now allowed to add packages to
| etch-bpo which have a higher version than in lenny (because they are
| allowed to add versions from squeeze).
`----

That's extremely far from "not possible/desirable" - and especially when it comes to security issues it is more than desirable to have them fixed.

... which, in the case of this bug report, is done. 0.1.1-9 did fix CVE-2008-5619 for etch-backports, so it rather seems to me that Benjamin got some things mixed up, unless the claimed patch in that upload wasn't complete.

> Of course, if Gerfried wants to cherry-pick and backport the needed fixes to roundcube 0.1 and upload that to etch-bpo, he can do that.
>
> I'd still recommend to upgrade to lenny, but that's the beauty of free software: there is more than one way to do it and everybody can get involved :-)

Unfortunately, lenny doesn't ship roundcube so that doesn't buy one anything.

Would be great to get things straightened out. Benjamin, do you claim the package in etch-bpo affected by this bug and the fix to be incomplete, or what's the deal? I'm especially puzzled by your original version you reported it against to be 0.2.2-1 which is by far close to anything that's in backports - or way over the version that it was fixed in already. Do you claim by that that the patch got removed again, or were you just puzzled?

Thanks!
Rhonda
Bug#536498: Please backport roundcube CVE-2008-5619
Hi,

* Gerfried Fuchs rho...@deb.at [2009-07-13 14:17]:
> * Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 17:14:45 CEST]:
> > thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue.
>
> Erm, are you sure? According to Nico it was fixed in 0.1.1-9 which is older than 0.1.1-10. I'm now pretty puzzled about the whole fuzz and the issue at hand?

I checked the package of backports and the issue you are reporting seems indeed to be fixed. Do you have any evidence that this or a similar issue is being exploited on your system?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#536498: Please backport roundcube CVE-2008-5619
On Mon, 13 Jul 2009 14:27:31 +0200 Gerfried Fuchs rho...@deb.at wrote:
> ... which, in the case of this bug report, is done. 0.1.1-9 did fix CVE-2008-5619 for etch-backports, so it rather seems to me that Benjamin got some things mixed up, unless the claimed patch in that upload wasn't complete.

Maybe this isn't really about CVE-2008-5616, but that's hard to say from my logs. All I saw was POSTs to roundcube-0.1.1-10~bpo40+2's admittedly horrible html2text.php and the same symptoms as reported for http://trac.roundcube.net/ticket/1485618 (i.e. file uploads and shell access as www-data).

> Would be great to get things straightened out. Benjamin, do you claim the package in etch-bpo affected by this bug and the fix to be incomplete, or what's the deal? I'm especially puzzled by your original version you reported it against to be 0.2.2-1 which is by far close to anything that's in backports - or way over the version that it was fixed in already. Do you claim by that that the patch got removed again, or were you just puzzled?

Debian bug reporting is way too fancy for me: I reported a bug in roundcube-0.1.1-10~bpo40+2, while I already had 0.2.2-1 installed on that machine. Apparently this bug didn't get retagged in your bugzilla (?) incarnation.

Thanks,
Benjamin
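For an administrator who sees the symptoms Benjamin describes, the following triage script is added here as an example (it is not part of the bug thread or of the roundcube package). It checks an Apache access log for POST requests to html2text.php, lists executables dropped under /dev/shm, and flags a process named httpd running as www-data on a Debian host, where the real Apache process is apache2; the log lines and process listing are constructed, and the www-data user and /dev/shm path are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): triage checks for the indicators
# reported in Bug#536498 - POSTs to roundcube's html2text.php, executables
# dropped in /dev/shm, and an "httpd" process owned by www-data on a Debian
# host, where the genuine Apache worker is named apache2.

# Constructed Apache combined-log lines (documentation address ranges).
SAMPLE_LOG='203.0.113.7 - - [13/Jul/2009:10:15:02 +0200] "GET /roundcube/ HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2009:10:15:09 +0200] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Jul/2009:10:16:41 +0200] "POST /roundcube/bin/html2text.php HTTP/1.0" 200 52 "-" "-"
198.51.100.23 - - [13/Jul/2009:10:16:44 +0200] "POST /roundcube/bin/html2text.php HTTP/1.0" 200 52 "-" "-"
192.0.2.44 - - [13/Jul/2009:10:17:00 +0200] "GET /roundcube/bin/html2text.php HTTP/1.1" 200 12 "-" "curl/7.19"'

# Read an access log on stdin and print "count ip" for every client that
# POSTed to html2text.php, busiest first.  In combined format the method is
# field 6 (carrying its opening quote) and the request path is field 7.
# GET requests to the script are the normal compose-form traffic and are skipped.
html2text_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/html2text\.php(\?|$)/ { hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# List regular files with the owner-execute bit set under a tmpfs such as
# /dev/shm, optionally restricted to one owner (e.g. www-data).
shm_executables() {
    dir=${1:-/dev/shm}
    if [ -n "${2:-}" ]; then
        find "$dir" -xdev -type f -perm -u+x -user "$2"
    else
        find "$dir" -xdev -type f -perm -u+x
    fi
}

# Read "user comm" lines (the shape of `ps -eo user=,comm=`) on stdin and
# print any process called httpd owned by the web server user.
foreign_httpd_procs() {
    awk -v u="${1:-www-data}" '$1 == u && $2 == "httpd"'
}

# Demonstration on the constructed data.  On a real host use:
#   html2text_posts < /var/log/apache2/access.log
#   ps -eo user=,comm= | foreign_httpd_procs
#   shm_executables /dev/shm www-data
echo "clients POSTing to html2text.php:"
printf '%s\n' "$SAMPLE_LOG" | html2text_posts
echo "httpd processes owned by www-data (constructed ps output):"
printf 'www-data apache2\nwww-data httpd\nroot sshd\n' | foreign_httpd_procs
```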
Bug#536498: Please backport roundcube CVE-2008-5619
On Monday, 13 July 2009, Gerfried Fuchs wrote:
> > I'd still recommend to upgrade to lenny, but that's the beauty of free software: there is more than one way to do it and everybody can get involved :-)
>
> Unfortunately, lenny doesn't ship roundcube so that doesn't buy one anything.

I meant: upgrade the system to lenny, use roundcube from lenny-bpo, which I (as announced) planned to upload in 6 days once it's in squeeze. If by then I'm not sick of this package due to some stupid hectic and bad faith...
Bug#536498: Please backport roundcube CVE-2008-5619
Towards the end of the afternoon of Friday 10 July 2009, around 16:21, Benjamin Bannier be...@netronaut.de said:
> I have roundcube 0.1.1.10 installed from backports, and I see people exploiting roundcube CVE-2008-5619 (http://trac.roundcube.net/ticket/1485618). Any chances the fix mentioned there could be backported to etch?

Ubuntu has a patch for this version, so we should be able to provide a backport for Etch:
https://bugs.launchpad.net/ubuntu/+source/roundcube/+bug/316550

However, the backport is really old and a lot of bugs have been fixed since then. Unfortunately, a more recent roundcube version would require backporting a lot of dependencies for PHP.

Romain, would you like to apply the mentioned patch to the backport?
-- 
The advantage of cheese over Americans is that there is a culture in it.
 -+- MZ in: Guide du Cabaliste Usenet - chapitre 9 - le gros 8 -+-
Bug#536498: Please backport roundcube CVE-2008-5619
Package: roundcube
Version: 0.2.2-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

I have roundcube 0.1.1.10 installed from backports, and I see people exploiting roundcube CVE-2008-5619 (http://trac.roundcube.net/ticket/1485618). Any chances the fix mentioned there could be backported to etch? For now I pulled the version from unstable on my system.

Best,
Benjamin

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
Hi,

thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue. I urge you to please make a version bump to backports since this is a security issue.

Thanks,
Benjamin
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
Hi,

* Benjamin Bannier benjamin.bann...@netronaut.de [2009-07-10 17:35]:
> thanks for your quick response. I see roundcube-0.1.1-10~bpo40+2 still in backports. I presume this doesn't include the patch to fix this specific issue.

That's why I marked this bug as done with the unstable version.

> I urge you to please make a version bump to backports since this is a security issue.

The best would be probably to ping the one who did the initial backport. I CCed Alexander Wirt and Gerfried Fuchs (from backports.org), maybe they can help you.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
Benjamin Bannier wrote on Friday, 10 July 2009:
> On Fri, 10 Jul 2009 19:45:41 +0200 Nico Golde n...@debian.org wrote:
> > > I see roundcube-0.1.1-10~bpo40+2 still in backports. [..]
> >
> > That's why I marked this bug as done with the unstable version.
>
> Sorry, maybe I got confused. I reported this bug here because the backports version was listed in the list of Debian packages. If backports doesn't even have a bugtracker (couldn't find one on their homepage) this is maybe the right time to dump it from my sources.list.
>
> > > I urge you to please make a version bump to backports since this is a security issue.
> >
> > The best would be probably to ping the one who did the initial backport. I CCed Alexander Wirt and Gerfried Fuchs (from backports.org), maybe they can help you.
>
> Thanks. This should really be fixed.

Jupp, I'll remove roundcube from bpo. The code quality is awful and there are still several code fragments whose quality and security is questionable.

Alex
Bug#536498: closed by Nico Golde n...@debian.org (Re: Bug#536498: Please backport roundcube CVE-2008-5619)
On Fri, 10 Jul 2009 19:45:41 +0200 Nico Golde n...@debian.org wrote:
> > I see roundcube-0.1.1-10~bpo40+2 still in backports. [..]
>
> That's why I marked this bug as done with the unstable version.

Sorry, maybe I got confused. I reported this bug here because the backports version was listed in the list of Debian packages. If backports doesn't even have a bugtracker (couldn't find one on their homepage) this is maybe the right time to dump it from my sources.list.

> > I urge you to please make a version bump to backports since this is a security issue.
>
> The best would be probably to ping the one who did the initial backport. I CCed Alexander Wirt and Gerfried Fuchs (from backports.org), maybe they can help you.

Thanks. This should really be fixed.

Benjamin