Bug#847287: [Pkg-roundcube-maintainers] Bug#847287:

2016-12-08 Thread Guilhem Moulin
On Thu, 08 Dec 2016 at 19:46:32 +0100, Reiner Buehl wrote:
> Sorry if I ask a stupid question, but do I understand correctly that if I
> have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

That's correct, cf.


https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/commit/?h=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=1a45de6cabae3124a8bcb3f72c0265de5ad10efc

-- 
Guilhem.
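To answer the question above mechanically rather than by eye, here is an added example (not code from this thread, Debian or Roundcube): a Python re-implementation of dpkg's version ordering, with the fixed versions taken from the thread (1.1.5+dfsg.1-1~bpo8+2 for jessie-backports; upstream releases 1.1.7 and 1.2.3) and the tilde rule that makes "~bpo8+2" sort below the plain "-1" revision.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg's character weight: digits and end-of-string 0, letters by code,
    # '~' below everything else, remaining punctuation above the letters
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c and not c.isdigit() else 0

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternate non-digit runs (char by char) and numeric runs
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def split_version(v):
    # '[epoch:]upstream[-revision]'; a missing revision compares as empty
    epoch, _, rest = v.rpartition(":")
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch or 0), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

FIXED_BPO = "1.1.5+dfsg.1-1~bpo8+2"  # jessie-backports upload named in the thread

def fix_applied(installed):
    # jessie-backports: FIXED_BPO and any later ~bpo8+N rebuild carry the fix;
    # the plain revision 1.1.5+dfsg.1-1 sorts above them all and does not
    if compare_versions(installed, FIXED_BPO) >= 0 and compare_versions(installed, "1.1.5+dfsg.1-1") < 0:
        return True
    # otherwise go by the upstream releases the thread names as fixed: 1.1.7 and 1.2.3
    up = split_version(installed)[1]
    if compare_versions(up, "1.1.7") >= 0 and compare_versions(up, "1.2") < 0:
        return True
    return compare_versions(up, "1.2.3") >= 0
```

On a Debian host, `dpkg --compare-versions` gives the same ordering for the version printed by `dpkg-query -W -f='${Version}' roundcube-core`.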




Bug#847287:

2016-12-08 Thread Reiner Buehl
Sorry if I ask a stupid question, but do I understand correctly that if I
have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

Best regards,

Reiner


Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-08 Thread Chris Lamb
Hi,

> What about wheezy / wheezy-backports? Are these packages affected too?

Yes. Am updating wheezy now with my "LTS" hat on and issuing the
corresponding DLA. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-08 Thread Darshaka Pathirana
On Wed, 07 Dec 2016 12:16:14 +0100 Vincent Bernat wrote:
> ❦ 7 December 2016 12:08 +0100, Guilhem Moulin:
>
> >> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> >> big.
> >
> > 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> > April 29).  The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
> > is merely the upstream fix
> >
> > 
> > https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1
> 
> I deleted the tag on my side, fetched it again and the diff is now
> OK. I'll upload in the next hour.

Wow. That was quick! Thanks to you all.

What about wheezy / wheezy-backports? Are these packages affected too?

Regards,
 - Darsha





Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Vincent Bernat
 ❦ 7 December 2016 12:08 +0100, Guilhem Moulin:

>> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
>> big.
>
> 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> April 29).  The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
> is merely the upstream fix
>
> 
> https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

I deleted the tag on my side, fetched it again and the diff is now
OK. I'll upload in the next hour.
-- 
How apt the poor are to be proud.
-- William Shakespeare, "Twelfth-Night"




Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Guilhem Moulin
On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 11:27 +0100, Guilhem Moulin:
> 
>>>> Unfortunately 1.2.x has many dependencies that aren't in
>>>> jessie-backports yet.  I personally don't have the time nor energy to
>>>> maintain said dependencies, so we asked backports folks for an exception
>>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>>> I'm afraid the remaining alternative is to remove the package from
>>>> jessie-backports :-(
>>> 
>>> Since the problem is quite serious, could you push the fix in bpo8+2
>>> nonetheless? Then wait a bit before asking for removal from backports to
>>> let actual users get an updated version. It seems far better than just
>>> leaving some people with vulnerable versions on their systems.
>>
>> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’.  Note that I
>> moved jessie-backports's HEAD to its parent first as it was on
>> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo.  Running
>>
>> git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>>
>> before pull should fix this.  Sorry for the inconvenience.
> 
> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> big.

1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
April 29).  The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
is merely the upstream fix


https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

-- 
Guilhem.




Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Vincent Bernat
 ❦ 7 December 2016 11:27 +0100, Guilhem Moulin:

>>> Unfortunately 1.2.x has many dependencies that aren't in
>>> jessie-backports yet.  I personally don't have the time nor energy to
>>> maintain said dependencies, so we asked backports folks for an exception
>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>> I'm afraid the remaining alternative is to remove the package from
>>> jessie-backports :-(
>> 
>> Since the problem is quite serious, could you push the fix in bpo8+2
>> nonetheless? Then wait a bit before asking for removal from backports to
>> let actual users get an updated version. It seems far better than just
>> leaving some people with vulnerable versions on their systems.
>
> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’.  Note that I
> moved jessie-backports's HEAD to its parent first as it was on
> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo.  Running
>
> git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>
> before pull should fix this.  Sorry for the inconvenience.

Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
big.
-- 
Follow each decision as closely as possible with its associated action.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-07 Thread Guilhem Moulin
On Wed, 07 Dec 2016 at 07:46:06 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 00:30 +0100, Guilhem Moulin:
> 
>>> Version: 1.1.4+dfsg.1-1~bpo8+1
>>> […]
>>> So probably it is important to update to upstream version 1.2.3
>>
>> Unfortunately 1.2.x has many dependencies that aren't in
>> jessie-backports yet.  I personally don't have the time nor energy to
>> maintain said dependencies, so we asked backports folks for an exception
>> to stick to 1.1.x for the bpo version, exception which was rejected.
>> I'm afraid the remaining alternative is to remove the package from
>> jessie-backports :-(
> 
> Since the problem is quite serious, could you push the fix in bpo8+2
> nonetheless? Then wait a bit before asking for removal from backports to
> let actual users get an updated version. It seems far better than just
> leaving some people with vulnerable versions on their systems.

Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’.  Note that I
moved jessie-backports's HEAD to its parent first as it was on
debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo.  Running

git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1

before pull should fix this.  Sorry for the inconvenience.

-- 
Guilhem.




Bug#847287: Security Update for roundcube -- planning

2016-12-07 Thread Sandro Knauß
Hey,

we are discussing how we should handle the security issue for roundcube. It 
currently has no CVE; it is tracked as:
TEMP-0847287-64604E on security.debian.org
or #847287 on BTS

Because we should not upload a new 1.1.X version to bpo, we thought to push 
only an update that fixes this issue and afterwards request a removal from 
backports. Because the version in backports is outdated and updates to this 
package are not allowed, as discussed in 
debian-backpo...@lists.debian.org, and 
splitting the upstream package into sec updates/not sec updates is work we are 
not able to provide.

Is this a way to go?

Best Regards,

sandro

PS: maybe we should move the discussion to debian-backpo...@lists.debian.org. 
This initial mail should go to the team, because the issue is a security issue and 
how to handle this; the other stuff can be handled later...





Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Vincent Bernat
 ❦ 7 December 2016 00:30 +0100, Guilhem Moulin:

>> Version: 1.1.4+dfsg.1-1~bpo8+1
>> […]
>> So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet.  I personally don't have the time nor energy to
> maintain said dependencies, so we asked backports folks for an exception
> to stick to 1.1.x for the bpo version, exception which was rejected.
> I'm afraid the remaining alternative is to remove the package from
> jessie-backports :-(

Since the problem is quite serious, could you push the fix in bpo8+2
nonetheless? Then wait a bit before asking for removal from backports to
let actual users get an updated version. It seems far better than just
leaving some people with vulnerable versions on their systems.
-- 
"Not Hercules could have knock'd out his brains, for he had none."
-- Shakespeare




Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Salvatore Bonaccorso
Hi,

On Wed, Dec 07, 2016 at 12:30:42AM +0100, Guilhem Moulin wrote:
> Hi,
> 
> On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> > Version: 1.1.4+dfsg.1-1~bpo8+1
> > […]
> > So probably it is important to update to upstream version 1.2.3
> 
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet.  I personally don't have the time nor energy to
> maintain said dependencies, so we asked backports folks for an exception
> to stick to 1.1.x for the bpo version, exception which was rejected.
> I'm afraid the remaining alternative is to remove the package from
> jessie-backports :-(

Upstream fix:

https://github.com/roundcube/roundcubemail/commit/f84233785ddeed01445fc855f3ae1e8a62f167e1

Regards,
Salvatore



Bug#847287:

2016-12-06 Thread Juan Augusto Rossi
Hi

I guess if package 1.2.3 cannot be backported to jessie due to dependency
issues, and there is no exception, that would leave jessie users to backport
manually to 1.1.7, which includes the fix

https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released

The issue is quite severe; I wonder if they would reconsider the exception
to stay on 1.1.X.

Regards

Juan.-


Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Guilhem Moulin
Hi,

On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> Version: 1.1.4+dfsg.1-1~bpo8+1
> […]
> So probably it is important to update to upstream version 1.2.3

Unfortunately 1.2.x has many dependencies that aren't in
jessie-backports yet.  I personally don't have the time nor energy to
maintain said dependencies, so we asked backports folks for an exception
to stick to 1.1.x for the bpo version, exception which was rejected.
I'm afraid the remaining alternative is to remove the package from
jessie-backports :-(

-- 
Guilhem.




Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing

2016-12-06 Thread Juan Rossi
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

I am reporting this as it is quite important: testing and unstable versions 
of roundcube are affected (and even all the backports offered, which hopefully 
will be updated via a bug report to the backports mailing list once the packages 
are upgraded or the bug patch backported):

"malicious user can execute arbitrary commands on the underlying operating 
system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0)"

"Requirements
The vulnerability has the following requirements for exploitation:

Roundcube must be configured to use PHP’s mail() function (by default, if no 
SMTP was specified [2])
PHP’s mail() function is configured to use sendmail (by default, see 
sendmail_path [3])
PHP is configured to have safe_mode turned off (by default, see safe_mode [4])
An attacker must know or guess the absolute path of the webroot
These requirements are not particularly demanding, which in turn means that there 
were a lot of vulnerable systems in the wild.
"

The usage of the PHP mail() function is the default in the package.

More details about this at:

https://blog.ripstech.com/2016/roundcube-command-execution-via-email/#fn:1

So probably it is important to update to upstream version 1.2.3

Regards

Juan.-


-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.32-rh33-20161115070633.xenU.i386 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages roundcube depends on:
ii  roundcube-core  1.1.4+dfsg.1-1~bpo8+1

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  dbconfig-common        1.8.47+nmu3+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  libapache2-mod-php5    5.6.19+dfsg-0+deb8u1
ii  libmagic1              1:5.22+15-2+deb8u1
ii  php-auth               1.6.4-1
ii  php-mail-mime          1.8.9-1+deb8u1
ii  php-mail-mimedecode    1.5.5-2+deb8u1
ii  php-net-smtp           1.6.2-2
ii  php-net-socket         1.0.14-1
ii  php5                   5.6.19+dfsg-0+deb8u1
ii  php5-cli               5.6.19+dfsg-0+deb8u1
ii  php5-common            5.6.19+dfsg-0+deb8u1
ii  php5-intl              5.6.19+dfsg-0+deb8u1
ii  php5-json              1.3.6-1
ii  php5-mcrypt            5.6.19+dfsg-0+deb8u1
ii  roundcube-mysql        1.1.4+dfsg.1-1~bpo8+1
ii  ucf                    3.0030

Versions of packages roundcube-core recommends:
ii  apache2 [httpd-cgi]              2.4.10-10+deb8u4
ii  apache2-mpm-prefork [httpd-cgi]  2.4.10-10+deb8u4
ii  php-net-ldap3                    1.0.3-1~bpo8+1
ii  php-net-sieve                    1.3.2-4
ii  php5-gd                          5.6.19+dfsg-0+deb8u1
ii  php5-pspell                      5.6.19+dfsg-0+deb8u1

Versions of packages roundcube-core suggests:
ii  php-auth-sasl      1.0.6-1+deb8u1
pn  php-crypt-gpg      
ii  roundcube-plugins  1.1.4+dfsg.1-1~bpo8+1

-- debconf information excluded
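As an added example (not from the bug report, Roundcube or Debian), the "Requirements" list quoted in the report turned into a check an administrator can run over the text of their own config.inc.php and php.ini to see which of the advisory's preconditions still hold and whether pointing Roundcube at an SMTP server closes the mail() path. The key $config['smtp_server'] and its empty-means-PHP-mail() meaning are assumptions about the Roundcube 1.x config layout; the sample files are constructed.

```python
import re

# Added example, not Roundcube or Debian code.  Assumes the 1.x config layout,
# where an empty $config['smtp_server'] makes Roundcube fall back to PHP mail().

def _php_string(config_text, key):
    # value of $config['key'] = '...'; (single or double quotes), None if unset
    pat = r"^\s*\$config\['%s'\]\s*=\s*(['\"])(.*?)\1\s*;" % re.escape(key)
    m = re.search(pat, config_text, re.M)
    return m.group(2) if m else None

def _ini_value(ini_text, key):
    # first uncommented `key = value` line of a php.ini, None if absent
    m = re.search(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(key), ini_text, re.M)
    return m.group(1).strip('"') if m else None

def preconditions_met(config_text, ini_text):
    # return the advisory's checkable preconditions that hold for this setup;
    # the webroot-path guess is on the attacker's side and cannot be configured away
    met = []
    if not _php_string(config_text, "smtp_server"):
        met.append("Roundcube delivers via PHP mail() (smtp_server empty or unset)")
    path = _ini_value(ini_text, "sendmail_path")
    if path is None or "sendmail" in path:
        met.append("mail() hands messages to sendmail (sendmail_path=%s)" % (path or "default"))
    # safe_mode was removed in PHP 5.4, so an absent key means it is off
    if (_ini_value(ini_text, "safe_mode") or "Off").lower() in ("off", "0"):
        met.append("safe_mode is off")
    return met

# constructed samples: the package default (no SMTP server set) and the same
# file pointed at a local SMTP server so that mail() is no longer used
DEFAULT_CONFIG = "<?php\n$config['smtp_server'] = '';\n$config['smtp_port'] = 25;\n"
SMTP_CONFIG = DEFAULT_CONFIG.replace("= ''", "= 'localhost'")
SAMPLE_INI = "; php.ini excerpt\nsendmail_path = /usr/sbin/sendmail -t -i\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("smtp", SMTP_CONFIG)):
        print(name, preconditions_met(cfg, SAMPLE_INI))
```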