Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please unblock package roundcube It includes an important security fix. Without it, a logged-in user can override any variable, which can then be used to steal credentials or read arbitrary files. I include the debdiff against the version currently scheduled for Wheezy (0.7.2-8) but not yet in testing. unblock roundcube/0.7.2-9 - -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJRU3lfAAoJEJWkL+g1NSX5qEgQAKLYKYF5tGmdRX2eyB8Is1Dw gQuQ0lIzFndNF2ogU+G7uUqKK7ejF+rdjdb+paBwTw9OkjsklG0KJpnM+vE3ahMc hnDWHqLb/rtIUYRPulcNJw7vDs6HwPf4OCB+blmd9ZdFzCQ16ymIj5gj54ZINbhZ fwi4+qQrCQfQejobwsNohmdUIUOP7OA2BlHDOwzRhNvTtb2txnrTyCNyCsokUw2a UVJFRObEZ00uIo8v7CLQzC/cV5WA2t7QO3xBUrjflAN4lKHm5wqGgiIQYRHL+Zes LuFOT3R6KeomwRe22gsVaR13Fyl/EMGvf7lIc2cq68KSEag0n9bK3LzlOfOUCPzR nHwTT6IktEVLG4Z9HEgqAWvD9YyKWlMJLiPxvQkl3sgts5wiRDPUgVMdtdMp7xJy q8GjR297kRYRea2d5WFbHC0iHY0svdeA5hyPfViIe4Ufw+//+yWhChdd3aUe1vnJ kwrbXwXEfyJsMoPqPF5WjDbCFtRazmL6x0By9WrIG+ebMN0YVQnxMmhUeYN2Di+s nhPrhjEIF1Lqd8vD6b2usEik49IiGLUiZq5cI20x0kL1EUMMQD2p7ni/0nVzAOaY qQUH8aQN4iOO/03UESaLR1bHNm7et+6t7IOhIjgZdzLKGiBsTpmS/9cRWuP7ynwZ X3UF+isU1XdgnaABbMaA =Jn7c -----END PGP SIGNATURE-----
diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog 2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/changelog 2013-03-27 22:46:28.000000000 +0100
@@ -1,3 +1,11 @@
+roundcube (0.7.2-9) unstable; urgency=high
+
+ * Fix a vulnerability allowing logged users to override any variable
+ which may be used to steal credentials of other users or read
+ arbitrary files.
+
+ -- Vincent Bernat <ber...@debian.org> Wed, 27 Mar 2013 22:01:25 +0100
+
 roundcube (0.7.2-8) unstable; urgency=low
 
 * In roundcube-core postinst, set appropriate rights on directory
diff -Nru roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch
--- roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch 2013-03-27 22:46:28.000000000 +0100
@@ -0,0 +1,72 @@
+diff --git a/debian/patches/fix-save-pref-vulnerability.patch b/debian/patches/fix-save-pref-vulnerability.patch
+index 2cb5621..a31d378 100644
+diff --git a/program/include/rcube_plugin.php b/program/include/rcube_plugin.php
+index 748d958..bf1e0bc 100644
+--- a/program/include/rcube_plugin.php
++++ b/program/include/rcube_plugin.php
+@@ -61,6 +61,14 @@ abstract class rcube_plugin
+ */
+ public $noframe = false;
+ 
++ /**
++ * A list of config option names that can be modified
++ * by the user via user interface (with save-prefs command)
++ *
++ * @var array
++ */
++ public $allowed_prefs;
++
+ protected $home;
+ protected $urlbase;
+ private $mytask;
+diff --git a/program/include/rcube_plugin_api.php b/program/include/rcube_plugin_api.php
+index e762fff..fd339bc 100644
+--- a/program/include/rcube_plugin_api.php
++++ b/program/include/rcube_plugin_api.php
+@@ -34,6 +34,7 @@ class rcube_plugin_api
+ public $config;
+ 
+ public $handlers = array();
++ public $allowed_prefs = array();
+ private $plugins = array();
+ private $tasks = array();
+ private $actions = array();
+@@ -182,6 +183,11 @@ class rcube_plugin_api
+ $plugin->init();
+ $this->plugins[$plugin_name] = $plugin;
+ }
++
++ if (!empty($plugin->allowed_prefs)) {
++ $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs);
++ }
++
+ return true;
+ }
+ }
+diff --git a/program/steps/utils/save_pref.inc b/program/steps/utils/save_pref.inc
+index 49e99e0..f9e8e20 100644
+--- a/program/steps/utils/save_pref.inc
++++ b/program/steps/utils/save_pref.inc
+@@ -21,6 +21,22 @@
+ 
+ $name = get_input_value('_name', RCUBE_INPUT_POST);
+ $value = get_input_value('_value', RCUBE_INPUT_POST);
++$whitelist = array(
++ 'preview_pane',
++ 'list_cols',
++ 'collapsed_folders',
++ 'collapsed_abooks',
++);
++
++if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
++ raise_error(array('code' => 500, 'type' => 'php',
++ 'file' => __FILE__, 'line' => __LINE__,
++ 'message' => sprintf("Hack attempt detected (user: %s)", $RCMAIL->get_user_name())),
++ true, false);
++
++ $OUTPUT->reset();
++ $OUTPUT->send();
++}
+ 
+ // save preference value
+ $RCMAIL->user->save_prefs(array($name => $value));
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series 2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/patches/series 2013-03-27 22:46:28.000000000 +0100
@@ -8,3 +8,4 @@
 use-debian-jquery-ui.patch
 cve-2012-3508.patch
 uuencoded-attachments.patch
+fix-save-pref-vulnerability.patch
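Review bot: The whitelist check in the save_pref.inc hunk of the new patch file uses `in_array` with loose comparison and then relies on `$OUTPUT->send()` ending the request; if send() returned instead of exiting, execution would fall through to `$RCMAIL->user->save_prefs(array($name => $value));` with the rejected name. Passing the strict flag and terminating explicitly makes the rejection independent of that behaviour: `if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs), true)) {` and an `exit;` directly after `$OUTPUT->send();`. Whether send() exits is not visible in this hunk, so the fall-through is inferred rather than confirmed. Separately, the first two lines of the new patch file are a `diff --git`/`index` header naming the patch file itself with no hunk after it; patch(1) should skip it as leading garbage, but it is noise worth dropping before upload.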