Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package roundcube

It includes an important security fix. Without it, a logged-in user can
override any configuration variable, which can then be used to steal
credentials or read arbitrary files. I include the debdiff against the
version currently scheduled for Wheezy (0.7.2-8) but not yet in testing.

unblock roundcube/0.7.2-9

- -- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
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=Jn7c
-----END PGP SIGNATURE-----
diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog	2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/changelog	2013-03-27 22:46:28.000000000 +0100
@@ -1,3 +1,11 @@
+roundcube (0.7.2-9) unstable; urgency=high
+
+  * Fix a vulnerability allowing logged users to override any variable
+    which may be used to steal credentials of other users or read
+    arbitrary files.
+
+ -- Vincent Bernat <ber...@debian.org>  Wed, 27 Mar 2013 22:01:25 +0100
+
 roundcube (0.7.2-8) unstable; urgency=low
 
   * In roundcube-core postinst, set appropriate rights on directory
diff -Nru roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch
--- roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/fix-save-pref-vulnerability.patch	2013-03-27 22:46:28.000000000 +0100
@@ -0,0 +1,72 @@
+diff --git a/debian/patches/fix-save-pref-vulnerability.patch b/debian/patches/fix-save-pref-vulnerability.patch
+index 2cb5621..a31d378 100644
+diff --git a/program/include/rcube_plugin.php b/program/include/rcube_plugin.php
+index 748d958..bf1e0bc 100644
+--- a/program/include/rcube_plugin.php
++++ b/program/include/rcube_plugin.php
+@@ -61,6 +61,14 @@ abstract class rcube_plugin
+    */
+   public $noframe = false;
+ 
++  /**
++   * A list of config option names that can be modified
++   * by the user via user interface (with save-prefs command)
++   *
++   * @var array
++   */
++  public $allowed_prefs;
++
+   protected $home;
+   protected $urlbase;
+   private $mytask;
+diff --git a/program/include/rcube_plugin_api.php b/program/include/rcube_plugin_api.php
+index e762fff..fd339bc 100644
+--- a/program/include/rcube_plugin_api.php
++++ b/program/include/rcube_plugin_api.php
+@@ -34,6 +34,7 @@ class rcube_plugin_api
+   public $config;
+   
+   public $handlers = array();
++  public $allowed_prefs = array();
+   private $plugins = array();
+   private $tasks = array();
+   private $actions = array();
+@@ -182,6 +183,11 @@ class rcube_plugin_api
+             $plugin->init();
+             $this->plugins[$plugin_name] = $plugin;
+           }
++
++          if (!empty($plugin->allowed_prefs)) {
++              $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs);
++          }
++
+           return true;
+         }
+       }
+diff --git a/program/steps/utils/save_pref.inc b/program/steps/utils/save_pref.inc
+index 49e99e0..f9e8e20 100644
+--- a/program/steps/utils/save_pref.inc
++++ b/program/steps/utils/save_pref.inc
+@@ -21,6 +21,22 @@
+ 
+ $name = get_input_value('_name', RCUBE_INPUT_POST);
+ $value = get_input_value('_value', RCUBE_INPUT_POST);
++$whitelist = array(
++    'preview_pane',
++    'list_cols',
++    'collapsed_folders',
++    'collapsed_abooks',
++);
++
++if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
++    raise_error(array('code' => 500, 'type' => 'php',
++        'file' => __FILE__, 'line' => __LINE__,
++        'message' => sprintf("Hack attempt detected (user: %s)", $RCMAIL->get_user_name())),
++        true, false);
++
++    $OUTPUT->reset();
++    $OUTPUT->send();
++}
+ 
+ // save preference value
+ $RCMAIL->user->save_prefs(array($name => $value));
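Review bot: The rejection path added to save_pref.inc depends on `$OUTPUT->send()` never returning; if it does return, execution falls through to `$RCMAIL->user->save_prefs(array($name => $value))` on the last line of the hunk and the unlisted preference is saved anyway, so the guard would fail open. Roundcube's output classes exit inside send() as far as I recall, but an explicit `exit;` after `$OUTPUT->send();` makes the whitelist fail closed regardless of which output class handled the request. While there, `in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs), true)` keeps the comparison strict, since the whitelist entries are fixed strings and `$name` is raw POST input. The hunk-less, self-referential `diff --git a/debian/patches/fix-save-pref-vulnerability.patch` header at the top of the patch file looks like a leftover from how it was generated; quilt will ignore it, but dropping it keeps the patch clean.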
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series	2013-03-23 08:38:29.000000000 +0100
+++ roundcube-0.7.2/debian/patches/series	2013-03-27 22:46:28.000000000 +0100
@@ -8,3 +8,4 @@
 use-debian-jquery-ui.patch
 cve-2012-3508.patch
 uuencoded-attachments.patch
+fix-save-pref-vulnerability.patch
