Bug#895184: [Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-25 Thread Salvatore Bonaccorso
Hi Guilhem,

On Wed, Apr 25, 2018 at 11:07:25PM +0200, Guilhem Moulin wrote:
> On Sat, 21 Apr 2018 at 13:03:04 +0200, Guilhem Moulin wrote:
> > On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
> >> Looks good to me, please do upload to security-master.
> > 
> > Done.
> 
> Shy ping, in case you missed the upload (embargoed on Sat 21 Apr at
> 10:50:21 UTC) :-)

Not missed, but just lacking time to finish up the DSA release for it.
Will try to take care of it ASAP.

Regards,
Salvatore




Bug#895184: [Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-25 Thread Guilhem Moulin
On Sat, 21 Apr 2018 at 13:03:04 +0200, Guilhem Moulin wrote:
> On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
>> Looks good to me, please do upload to security-master.
> 
> Done.

Shy ping, in case you missed the upload (embargoed on Sat 21 Apr at
10:50:21 UTC) :-)

-- 
Guilhem.




Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-21 Thread Guilhem Moulin
Hi,

On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 21, 2018 at 02:13:54AM +0200, Guilhem Moulin wrote:
>> On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
>>> Thanks for following up for stretch. First a quick comment. Please
>>> always CC t...@security.debian.org on such questions in case an update
>>> is wanted for DSA. This allows team members to better share the load
>>> for review, release, etc ... (and it's recorded furthermore on the team
>>> alias).
>> 
>> Oops, I assumed that the Security Team received all bugs tagged
>> ‘security’ so I omitted the CC on purpose… my bad.
> 
> Unfortunately, or fortunately not (yet), getting all communication with
> Tag security set will overwhelm our mailboxes. But as an improvement
> step we are planning to get initial submissions with security tag set.
> Until now that happens only if someone uses reportbug to file the
> issue, adding an X-Debbugs-CC, but not if one files a bug without
> reportbug. Cf. #895661. Sorry, this got longer than I wanted. My only
> intention was to quickly state that for future cases, so we might
> distribute the workload within the team better.

I see, thanks for the info; I'll try to remember that next time :-)

>>> There is though one no-dsa issue,
>>> https://security-tracker.debian.org/tracker/CVE-2018-171 which
>>> would be good to be included. Could you backport that fix as well and
>>> send a new debdiff for quick review+ack for upload?
>> 
>> Sure, new debdiff attached.
> 
> Looks good to me, please do upload to security-master.

Done.

-- 
Guilhem.




Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-20 Thread Salvatore Bonaccorso
Hi Guilhem,

On Sat, Apr 21, 2018 at 02:13:54AM +0200, Guilhem Moulin wrote:
> On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
> > Thanks for following up for stretch. First a quick comment. Please
> > always CC t...@security.debian.org on such questions in case an update
> > is wanted for DSA. This allows team members to better share the load
> > for review, release, etc ... (and it's recorded furthermore on the team
> > alias).
> 
> Oops, I assumed that the Security Team received all bugs tagged
> ‘security’ so I omitted the CC on purpose… my bad.

Unfortunately, or fortunately not (yet), getting all communication with
Tag security set will overwhelm our mailboxes. But as an improvement
step we are planning to get initial submissions with security tag set.
Until now that happens only if someone uses reportbug to file the
issue, adding an X-Debbugs-CC, but not if one files a bug without
reportbug. Cf. #895661. Sorry, this got longer than I wanted. My only
intention was to quickly state that for future cases, so we might
distribute the workload within the team better.
>  
> > I think we should release this through stretch-security. The debdiff
> > per se looks already good. Were you able to test the update in
> > production under stretch?
> 
> Yes, I did test the update.

Perfect.

> > There is though one no-dsa issue,
> > https://security-tracker.debian.org/tracker/CVE-2018-171 which
> > would be good to be included. Could you backport that fix as well and
> > send a new debdiff for quick review+ack for upload?
> 
> Sure, new debdiff attached.

Looks good to me, please do upload to security-master.

Regards,
Salvatore



Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-20 Thread Guilhem Moulin
On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
> Thanks for following up for stretch. First a quick comment. Please
> always CC t...@security.debian.org on such questions in case an update
> is wanted for DSA. This allows team members to better share the load
> for review, release, etc ... (and it's recorded furthermore on the team
> alias).

Oops, I assumed that the Security Team received all bugs tagged
‘security’ so I omitted the CC on purpose… my bad.
 
> I think we should release this through stretch-security. The debdiff
> per se looks already good. Were you able to test the update in
> production under stretch?

Yes, I did test the update.

> There is though one no-dsa issue,
> https://security-tracker.debian.org/tracker/CVE-2018-171 which
> would be good to be included. Could you backport that fix as well and
> send a new debdiff for quick review+ack for upload?

Sure, new debdiff attached.

-- 
Guilhem.
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog 
roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.0 
+0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-21 01:51:56.0 
+0200
@@ -1,3 +1,16 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+  * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+configured, it's possible to exploit the unsanitized, user-controlled
+"_uid" parameter to perform an MX (IMAP) injection attack.
+https://github.com/roundcube/roundcubemail/issues/6238
+(Closes: #895184).
+  * Backport fix for CVE-2018-171: Insecure Permissions vulnerability in
+enigma plugin that can result in exfiltration of gpg private key.
+https://github.com/roundcube/roundcubemail/issues/6173
+
+ -- Guilhem Moulin   Sat, 21 Apr 2018 01:51:56 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
 
   * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
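Review bot: the identifier in the second entry, CVE-2018-171, has a three-digit sequence number, which is shorter than the CVE format permits, so check it against the security-tracker entry it was taken from before uploading. The wording "When the archive plugin enabled and configured" in the first entry is carried over unchanged from the 2018-04-18 debdiff and still wants an "is".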
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-171.patch 
roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-171.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-171.patch
1970-01-01 01:00:00.0 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-171.patch
2018-04-21 01:51:56.0 +0200
@@ -0,0 +1,74 @@
+commit 48417c5fc9f6eb4b90500c09596606d489c700b5
+Author: Aleksander Machniak 
+Date:   Sun Mar 4 09:14:43 2018 +0100
+
+Remove default for enigma_pgp_homedir (#6173)
+
+To make the default installation more secure force users to set the folder.
+Added notes that it should be secured or not accessible from the web 
browser.
+
+---
+ plugins/enigma/README  |   15 +--
+ plugins/enigma/config.inc.php.dist |4 ++--
+ plugins/enigma/home/.htaccess  |7 ---
+ plugins/enigma/lib/enigma_driver_gnupg.php |2 +-
+ 4 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/plugins/enigma/config.inc.php.dist
 b/plugins/enigma/config.inc.php.dist
+@@ -12,8 +12,8 @@ $config['enigma_smime_driver'] = 'phpssl
+ // Enables logging of enigma operations (including Crypt_GPG debug info)
+ $config['enigma_debug'] = false;
+ 
+-// Keys directory for all users. Default 'enigma/home'.
+-// Must be writeable by PHP process
++// REQUIRED! Keys directory for all users.
++// Must be writeable by PHP process, and not in the web server document root
+ $config['enigma_pgp_homedir'] = null;
+ 
+ // Location of gpg binary. By default it will be auto-detected.
+--- a/plugins/enigma/home/.htaccess
 /dev/null
+@@ -1,7 +0,0 @@
+-# deny webserver access to this directory
+-
+-Require all denied
+-
+-
+-Deny from all
+-
+--- a/plugins/enigma/lib/enigma_driver_gnupg.php
 b/plugins/enigma/lib/enigma_driver_gnupg.php
+@@ -39,7 +39,7 @@ class enigma_driver_gnupg extends enigma
+  */
+ function init()
+ {
+-$homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH 
. 'plugins/enigma/home');
++$homedir = $this->rc->config->get('enigma_pgp_homedir');
+ $debug   = $this->rc->config->get('enigma_debug');
+ $binary  = $this->rc->config->get('enigma_pgp_binary');
+ $agent   = $this->rc->config->get('enigma_pgp_agent');
+--- a/plugins/enigma/README
 b/plugins/enigma/README
+@@ -21,8 +21,19 @@ Implemented features:
+ + Attaching public keys to email
+ 
+ 
+-TODO:
+--
++INSTALLATION
++
++
++1. Rename config.inc.php.dist to config.inc.php.
++2. Create a directory for keys storage that is writeable for the PHP process.
++   This directory should be out of the document root, so it is not accessible
++   from the web browser. Set it's location in $config['enigma_pgp_homedir'].
++3. Make sure GnuPG is installed.
++
++
++TODO
++
++
+ - Handling of big messages with temp files
+ - Key info in contact details page (optional)
+ - Extended key management:
diff
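Review bot: the enigma_driver_gnupg.php hunk drops the INSTALL_PATH . 'plugins/enigma/home' fallback but adds no check that enigma_pgp_homedir is set, so an existing stretch installation that relied on the default will call init() with a null homedir; whether the driver then fails closed with a clear error is not visible in this patch and should be covered by the stretch test. Because the same patch deletes the .htaccess that denied web access to plugins/enigma/home, the Debian package should either point enigma_pgp_homedir at a directory outside the document root in its shipped config or announce the new mandatory setting in debian/NEWS, so that admins do not keep an unprotected key directory. Minor: the README hunk says "Set it's location" where "its" is meant.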

Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-19 Thread Salvatore Bonaccorso
Hi Guilhem,

Thanks for following up for stretch. First a quick comment. Please
always CC t...@security.debian.org on such questions in case an update
is wanted for DSA. This allows team members to better share the load
for review, release, etc ... (and it's recorded furthermore on the team
alias).

On Wed, Apr 18, 2018 at 09:27:36PM +0200, Guilhem Moulin wrote:
> Hi Salvatore,
> 
> On Sun, 08 Apr 2018 at 10:27:10 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for roundcube.
> > 
> > CVE-2018-9846[0]:
> > | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
> > | enabled and configured, it's possible to exploit the unsanitized,
> > | user-controlled "_uid" parameter (in an archive.php
> > | _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
> > | an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
> > | sequence. NOTE: this is less easily exploitable in 1.3.4 and later
> > | because of a Same Origin Policy protection mechanism.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> 1.2.8 was released yesterday.  Attached is a debdiff with the following
> upstream commits cherry-picked (ignoring changes to CHANGELOG):
> 
> https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640
> https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc
> https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343
> https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70
> 
> Should we go via stretch-security, or aim for the next stable point
> release?

I think we should release this through stretch-security. The debdiff
per se looks already good. Were you able to test the update in
production under stretch?

There is though one no-dsa issue,
https://security-tracker.debian.org/tracker/CVE-2018-171 which
would be good to be included. Could you backport that fix as well and
send a new debdiff for quick review+ack for upload?

Regards,
Salvatore



Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-18 Thread Guilhem Moulin
Hi Salvatore,

On Sun, 08 Apr 2018 at 10:27:10 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for roundcube.
> 
> CVE-2018-9846[0]:
> | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
> | enabled and configured, it's possible to exploit the unsanitized,
> | user-controlled "_uid" parameter (in an archive.php
> | _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
> | an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
> | sequence. NOTE: this is less easily exploitable in 1.3.4 and later
> | because of a Same Origin Policy protection mechanism.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

1.2.8 was released yesterday.  Attached is a debdiff with the following
upstream commits cherry-picked (ignoring changes to CHANGELOG):

https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640
https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc
https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343
https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70

Should we go via stretch-security, or aim for the next stable point
release?

-- 
Guilhem.
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog 
roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2017-11-09 06:45:05.0 
+0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2018-04-18 21:00:09.0 
+0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high
+
+  * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+configured, it's possible to exploit the unsanitized, user-controlled
+"_uid" parameter to perform an MX (IMAP) injection attack.
+https://github.com/roundcube/roundcubemail/issues/6238
+(Closes: #895184).
+
+ -- Guilhem Moulin   Wed, 18 Apr 2018 21:00:09 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
 
   * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
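Review bot: "When the archive plugin enabled and configured" is missing "is". Beyond that, the entry points only to the upstream issue; recording the four cherry-picked commit ids here, or in a DEP-3 Origin: header of the patch, would let a reader of the stretch source package trace each hunk back to upstream.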
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch 
roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch   1970-01-01 
01:00:00.0 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2018-9846.patch   2018-04-18 
21:00:09.0 +0200
@@ -0,0 +1,84 @@
+---
+ plugins/archive/archive.php  |6 --
+ plugins/managesieve/managesieve.php  |4 ++--
+ plugins/markasjunk/markasjunk.php|9 ++---
+ program/lib/Roundcube/rcube_imap_generic.php |   10 ++
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_imap_generic.php
 b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3836,13 +3836,13 @@ class rcube_imap_generic
+ 
+ if (!is_array($messages)) {
+ // if less than 255 bytes long, let's not bother
+-if (!$force && strlen($messages)<255) {
+-return $messages;
++if (!$force && strlen($messages) < 255) {
++return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : 
$messages;
+ }
+ 
+ // see if it's already been compressed
+ if (strpos($messages, ':') !== false) {
+-return $messages;
++return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : 
$messages;
+ }
+ 
+ // separate, then sort
+@@ -3877,7 +3877,9 @@ class rcube_imap_generic
+ }
+ 
+ // return as comma separated string
+-return implode(',', $result);
++$result = implode(',', $result);
++
++return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
+ }
+ 
+ /**
+--- a/plugins/archive/archive.php
 b/plugins/archive/archive.php
+@@ -122,8 +122,10 @@ class archive extends rcube_plugin
+   $index = $storage->index(null, rcmail_sort_column(), 
rcmail_sort_order());
+   $messageset = array($current_mbox => $index->get());
+ }
+-else {
+-  $messageset = rcmail::get_uids();
++else if (!empty($uids)) {
++  $messageset = rcmail::get_uids($uids, $current_mbox);
++} else {
++  $messageset = array();
+ }
+ 
+ foreach ($messageset as $mbox => $uids) {
+--- a/plugins/managesieve/managesieve.php
 b/plugins/managesieve/managesieve.php
+@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
+ function managesieve_actions()
+ {
+ // handle fetching email headers for the new filter form
+-if ($uid = rcube_utils::get_input_value('_uid', 
rcube_utils::INPUT_POST)) {
+-$uids= rcmail::get_uids();
++if ($_uid = rcube_utils::get_input_value('_uid', 
rcube_utils::INPUT_POST)) 
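Review bot: the archive.php hunk passes `$uids` and `$current_mbox` to `rcmail::get_uids()`, yet the diffstat lists no change to rcmail.php; confirm that 1.2's get_uids() actually takes those parameters, because PHP silently ignores surplus arguments and a signature mismatch would not raise an error, it would just leave the old behaviour in place. In the same hunk nothing in the visible context assigns `$uids` before `else if (!empty($uids))`, and the following `foreach ($messageset as $mbox => $uids)` reuses the name, so check that the 1.2 file reads `_uid` into `$uids` ahead of this block. In rcube_imap_generic the early returns accept `*` via `/[^0-9:,*]/` while the post-compression return uses `/[^0-9:,]/`; that is consistent since the compressed set is rebuilt from integers, but a one-line comment would spare the next reader the question, and callers must be prepared for the literal 'INVALID' sentinel. The patch carries only a diffstat; a DEP-3 Origin: header naming the four cherry-picked commits would document its provenance. The managesieve hunk is truncated in this mail and could not be reviewed.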

Bug#895184: [Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-09 Thread Guilhem Moulin
On Mon, 09 Apr 2018 at 12:25:20 +0200, Guilhem Moulin wrote:
> Thanks for the poke!  Upstream fixed this earlier today:
> 
> https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0

My bad, it's only fixed in master and 1.3.  Since 1.2 is still supported
and e3dd5b6 doesn't trivially apply there, IMHO it's best to wait for an
official upstream fix.

-- 
Guilhem.




Bug#895184: [Pkg-roundcube-maintainers] Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-09 Thread Guilhem Moulin
Hi Salvatore,

Thanks for the poke!  Upstream fixed this earlier today:

https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0

> If you fix the vulnerability please also make sure to include the CVE
> (Common Vulnerabilities & Exposures) id in your changelog entry.

Can upload in one hour or two.

Cheers,
-- 
Guilhem.




Bug#895184: roundcube: CVE-2018-9846: check_request() bypass in archive plugin

2018-04-08 Thread Salvatore Bonaccorso
Source: roundcube
Version: 1.2.3+dfsg.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/roundcube/roundcubemail/issues/6238

Hi,

The following vulnerability was published for roundcube.

CVE-2018-9846[0]:
| In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin
| enabled and configured, it's possible to exploit the unsanitized,
| user-controlled "_uid" parameter (in an archive.php
| _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
| an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
| sequence. NOTE: this is less easily exploitable in 1.3.4 and later
| because of a Same Origin Policy protection mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9846
[1] https://github.com/roundcube/roundcubemail/issues/6238

Regards,
Salvatore
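The `_uid` value described in the CVE text above can also be checked from the defender's side. As an added example, not Roundcube's code and not part of this bug report, the Python below re-implements the `/[^0-9:,*]/` character-class check that the CVE-2018-9846 backport (debdiff earlier in the thread) adds to `rcube_imap_generic`, and runs it over constructed access-log lines to flag `plugin.move2archive` requests whose `_uid` is not a well-formed IMAP sequence set; the log layout, paths and client addresses are assumptions.

```python
# Added example, not Roundcube's code: mirrors the [^0-9:,*] check from the
# CVE-2018-9846 backport and applies it to `_uid` in constructed log lines.
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Same character class the upstream fix applies to short or pre-compressed sets.
SEQ_SET_CHARS = re.compile(r'[^0-9:,*]')
# One sequence-set item per RFC 3501: a number or '*', optionally as a range.
SEQ_ITEM = re.compile(r'^(?:\d+|\*)(?::(?:\d+|\*))?$')
# Request field of the Apache/nginx "combined" format: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def is_valid_sequence_set(value: str) -> bool:
    """Reject any character outside [0-9:,*] as the patch does, then check shape."""
    if not value or SEQ_SET_CHARS.search(value):
        return False
    return all(SEQ_ITEM.match(item) for item in value.split(','))


def suspicious_uid(log_line: str) -> Optional[str]:
    """Decoded `_uid` of a move2archive request whose value is not a well-formed
    sequence set; None for other requests or clean values."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # parse_qs percent-decodes, so %0d%0a arrives here as a literal CRLF.
    params = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    if params.get('_action') != ['plugin.move2archive']:
        return None
    for uid in params.get('_uid', []):
        if not is_valid_sequence_set(uid):
            return uid
    return None


def scan(lines):
    """(line index, offending _uid) for every suspicious line in `lines`."""
    hits = []
    for idx, line in enumerate(lines):
        uid = suspicious_uid(line)
        if uid is not None:
            hits.append((idx, uid))
    return hits


# Constructed sample lines (client addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Apr/2018:21:00:09 +0200] "GET /roundcube/?_task=mail'
    '&_mbox=INBOX&_action=plugin.move2archive&_uid=12,15:18 HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Apr/2018:21:01:30 +0200] "GET /roundcube/?_task=mail'
    '&_mbox=INBOX&_action=plugin.move2archive&_uid=1%0d%0aX HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Apr/2018:21:02:00 +0200] "GET /roundcube/?_task=mail'
    '&_action=show&_uid=1%0d%0aX HTTP/1.1" 200 512',
]
```

Parameters sent in a POST body never reach the access log, so this only catches GET-style requests like the one quoted in the advisory, and it is a retrospective check rather than a substitute for the fix.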