Your message dated Sat, 13 Dec 2008 13:47:17 +0000
with message-id <e1lbupx-0000r8...@ries.debian.org>
and subject line Bug#508628: fixed in roundcube 0.2~alpha-3
has caused the Debian Bug report #508628,
regarding roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
508628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Version: 0.1.1-8
Severity: serious
Tags: security, fixed-upstream
Justification: user security hole

I was recently targeted by a spammer exploiting a hole in my roundcube
installation. I got help from Atomo64 to try to analyze this but
we were unable to find how html2text.php could be exploited. Today
Atomo64 notified me that someone else had reported this upstream and now
they have found the problem and fixed it.

See http://trac.roundcube.net/ticket/1485618

(No CVE identifier has yet been assigned as far as I'm aware.)

Now some google juice:
This is what my access.log looked like, and the upstream bug report had
a similar-looking access log.

my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages roundcube depends on:
ii  roundcube-core                0.1.1-8    skinnable AJAX based webmail solut
ii  roundcube-mysql [roundcube-db 0.1.1-8    metapackage providing MySQL depend

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  apache2-mpm-prefork  2.2.9-11            Apache HTTP Server - traditional n
ii  dbconfig-common      1.8.40              common framework for packaging dat
ii  debconf [debconf-2.0 1.5.24              Debian configuration management sy
ii  libmagic1            4.26-2              File type determination library us
ii  php-auth             1.6.1-1             PHP PEAR modules for creating an a
ii  php-db               1.7.13-2            PHP PEAR Database Abstraction Laye
ii  php-mail-mime        1.5.2-0.1           PHP PEAR module for creating MIME 
ii  php-net-smtp         1.3.1-1             PHP PEAR module implementing SMTP 
ii  php-net-socket       1.0.9-1             PHP PEAR Network Socket Interface 
ii  php5                 5.2.6.dfsg.1-0.1    server-side, HTML-embedded scripti
ii  php5-mcrypt          5.2.6.dfsg.1-0.1+b1 MCrypt module for php5
ii  roundcube-mysql [rou 0.1.1-8             metapackage providing MySQL depend
ii  tinymce2             2.1.3-1             platform independent web based Jav
ii  ucf                  3.0011              Update Configuration File: preserv

-- debconf information excluded



--- End Message ---
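The three access.log entries quoted in the report above are what an administrator would look for on other hosts. The following is an added example, not part of the bug report or of the roundcube project: a small Python scanner that parses that virtual-host-prefixed combined log format and flags POST requests to bin/html2text.php, as well as POSTs that claim a crawler user agent (crawlers fetch pages, they do not submit forms). The sample lines are constructed from the ones quoted above plus one benign request.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines quoted in the bug report (joined back
# onto single lines) plus one ordinary GET so the scanner has a negative case.
SAMPLE_LOG = """\
my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 (http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 (http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 (http://www.google.com/bot.html)"
my.host.name 192.0.2.10 - - [08/Dec/2008:18:40:00 +0100] "GET /roundcube/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# vhost ip ident user [timestamp] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    reasons: tuple

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_entry(e):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    # Collapse repeated slashes so '//roundcube/bin/...' still matches.
    path = re.sub(r'/+', '/', e['path']).lower()
    if e['method'] == 'POST' and path.endswith('/bin/html2text.php'):
        reasons.append('POST to html2text.php')
    if e['method'] == 'POST' and e['ua'].startswith('Googlebot'):
        reasons.append('crawler user agent sending POST')
    return reasons

def scan(log_text):
    """Parse every line of an access log and collect the suspicious entries."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and (reasons := check_entry(e)):
            hits.append(Hit(e['ip'], e['ts'], e['path'], tuple(reasons)))
    return hits

if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        print(h)
```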
--- Begin Message ---
Source: roundcube
Source-Version: 0.2~alpha-3

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-core_0.2~alpha-3_all.deb
roundcube-mysql_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.2~alpha-3_all.deb
roundcube-pgsql_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.2~alpha-3_all.deb
roundcube-sqlite_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.2~alpha-3_all.deb
roundcube_0.2~alpha-3.diff.gz
  to pool/main/r/roundcube/roundcube_0.2~alpha-3.diff.gz
roundcube_0.2~alpha-3.dsc
  to pool/main/r/roundcube/roundcube_0.2~alpha-3.dsc
roundcube_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube_0.2~alpha-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <ber...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 13 Dec 2008 14:36:02 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~alpha-3
Distribution: experimental
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Vincent Bernat <ber...@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 495434 499108 500202 508628
Changes: 
 roundcube (0.2~alpha-3) experimental; urgency=high
 .
   [ Vincent Bernat ]
   * Fix a vulnerability in the use of preg_replace (Closes: #508628).
   * Adapt descriptions of roundcube-database packages to refer to them as
     metapackages instead of virtual packages (Closes: #495434).
   * Add robots.txt from upstream, even if in some configuration, it will
     not be considered (Closes: #499108).
   * Do not ship .htaccess files. Restrictions are set in Apache or
     Lighttpd configuration files (Closes: #500202).
 .
   [ Romain Beauxis ]
   * Changed versioned dependency of roundcube from binary:Version to
     source:Version since these are all architecture independent packages.




--- End Message ---