Your message dated Thu, 25 Dec 2008 10:47:10 +0000
with message-id <[email protected]>
and subject line Bug#509596: fixed in roundcube 0.2~alpha-4
has caused the Debian Bug report #509596,
regarding roundcube: CVE-2008-5620 massive memory consumption via crafted image
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
509596: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509596
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: roundcube
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.
CVE-2008-5620[0]:
| RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
| attackers to cause a denial of service (memory consumption) via
| crafted size parameters that are used to create a large quota image.
Attached is a patch I extracted from the bundled upstream
patch on http://sourceforge.net/forum/forum.php?forum_id=898542
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5620
http://security-tracker.debian.net/tracker/CVE-2008-5620
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- quotaimg.php.old 2008-12-23 18:06:58.000000000 +0100
+++ quotaimg.php 2008-12-16 18:21:30.000000000 +0100
@@ -14,14 +14,14 @@
| Author: Brett Patterson <[email protected]> |
+-----------------------------------------------------------------------+
- $Id: $
+ $Id$
*/
-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
+$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
+$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
+$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
+$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
/**
* Quota display
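Review bot: the new `min(300, intval($_GET['w']))` and `min(50, intval($_GET['h']))` on the `$width`/`$height` lines cap only the upper bound; `w=0`, `w=-5` or `w=abc` (intval() yields 0) all pass this point and depend on a separate guard further down the file before `imagecreate()` is reached. Clamping both sides where the parameter is read, e.g. `max(2, min(300, intval($_GET['w'])))`, keeps the input contract in one place and makes the dimension check reviewable in isolation. Note also that `empty($_GET['w'])` treats the string `"0"` as empty and silently substitutes the default 100 instead of rejecting the request.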
@@ -96,12 +96,11 @@
// @todo: Set to "??" instead?
if (ereg("^[^0-9?]*$", $used) || ereg("^[^0-9?]*$", $total)) {
return false;
- }
+ }
- if (strpos($used, '?') !== false || strpos($total, '?') !== false
- && $used != 0) {
+ if (strpos($used, '?') !== false || strpos($total, '?') !== false && $used != 0) {
$unknown = true;
- }
+ }
$im = imagecreate($width, $height);
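Review bot: the reflowed condition `strpos($used, '?') !== false || strpos($total, '?') !== false && $used != 0` mixes `||` and `&&` without parentheses; PHP binds `&&` tighter, so it evaluates as `A || (B && C)`, and joining the two original lines into one hides that precedence rather than clarifying it. Write the grouping explicitly. The other changes in this hunk (`}` re-indentation) are whitespace-only and unrelated to CVE-2008-5620; `$im = imagecreate($width, $height)` at the end is the allocation the advisory is about, and this hunk adds no bound on it, so the whitespace churn only enlarges the security backport without touching the risk.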
@@ -153,31 +152,37 @@
list($r, $g, $b) = explode(',', $color['fill']['mid']);
$fill = imagecolorallocate($im, $r, $g, $b);
} else {
- // if($quota >= $limit['low'])
+ // if($quota >= $limit['low'])
list($r, $g, $b) = explode(',', $color['fill']['low']);
$fill = imagecolorallocate($im, $r, $g, $b);
}
$quota_width = $quota / 100 * $width;
- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
+ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
$string = $quota . '%';
$mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
- // Print percent in black
+ // Print percent in black
imagestring($im, $font, $mid, $padding, $string, $text);
}
header('Content-Type: image/gif');
-
- // @todo is harcoding GMT necessary?
- header('Expires: ' . gmdate('D, d M Y H:i:s', mktime()+86400) . ' GMT');
- header('Cache-Control: ');
- header('Pragma: ');
+
+ // cache for 1 hour
+ $maxage = 3600;
+ header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$maxage). ' GMT');
+ header('Cache-Control: max-age=' . $maxage);
imagegif($im);
imagedestroy($im);
}
-genQuota($used, $quota, $width, $height);
+if ($width > 1 && $height > 1) {
+ genQuota($used, $quota, $width, $height);
+}
+else {
+ header("HTTP/1.0 404 Not Found");
+}
+
exit;
-?>
\ No newline at end of file
+?>
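Review bot: the `if ($width > 1 && $height > 1)` guard around `genQuota()` is the only lower-bound check in the patch and sits at the bottom of the file, far from where `w`/`h` are parsed; together with the `min()` caps it does bound the `imagecreate()` allocation, but a request that fails it is answered with `HTTP/1.0 404 Not Found`, where a `400 Bad Request` describes a rejected parameter more honestly and does not hard-code the protocol version. The new `Cache-Control: max-age=' . $maxage` is emitted without `private`, so a shared proxy is allowed to store a per-user quota image; the values are in the query string and therefore in the cache key, but `private, max-age=3600` removes the question entirely. The `imagefilledrectangle(..., $quota_width, ...)` change (the old code passed `$quota`, a percentage, as a pixel x-coordinate) is a genuine rendering fix, yet neither it nor the Expires/Pragma rework belongs to the CVE fix, and bundling them makes a security-only backport harder to verify.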
pgp7L8mOzQmJY.pgp
Description: PGP signature
--- End Message ---
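The CVE text in the report above describes the flaw only as "crafted size parameters"; the following is an added example (my code, not RoundCube's or Debian's) of reading those four query parameters with both a lower and an upper bound enforced before any image is allocated, and with non-numeric or array-valued input refused instead of coerced to 0. It reuses the defaults (100x14) and caps (300x50) visible in the upstream patch; the function names, the constants, the `parse_uint` regex and the sample requests are constructed for illustration.

```php
<?php
// Added example, not RoundCube code: hardened parsing of the quotaimg.php
// query parameters u, q, w, h. Names and limits below are assumptions.

const QUOTA_IMG_MAX_W   = 300;  // same caps as the upstream patch
const QUOTA_IMG_MAX_H   = 50;
const QUOTA_IMG_MIN_DIM = 2;    // anything smaller cannot hold the bar

/**
 * Strict non-negative decimal integer. Returns null for "", "abc", "-1",
 * "1e9", " 5" or "12\n", all of which intval() would silently turn into a number.
 */
function parse_uint(string $raw): ?int {
    return preg_match('/^[0-9]{1,9}\z/', $raw) ? (int)$raw : null;
}

/**
 * Dimension parameter: absent -> default, present -> must be a string holding
 * an integer within [QUOTA_IMG_MIN_DIM, $max]. null means "refuse the request".
 */
function dim_param(array $get, string $key, int $default, int $max): ?int {
    if (!array_key_exists($key, $get)) {
        return $default;
    }
    if (!is_string($get[$key])) {
        return null;                    // e.g. w[]=1 arrives as an array
    }
    $v = parse_uint($get[$key]);
    if ($v === null || $v < QUOTA_IMG_MIN_DIM || $v > $max) {
        return null;                    // non-numeric, too small or too large
    }
    return $v;
}

/**
 * Percentage parameter: absent -> '??' (unknown, as in the original script),
 * otherwise an integer clamped to 100. Returns null on invalid input.
 */
function pct_param(array $get, string $key) {
    if (!array_key_exists($key, $get)) {
        return '??';
    }
    if (!is_string($get[$key])) {
        return null;
    }
    $v = parse_uint($get[$key]);
    return $v === null ? null : min(100, $v);
}

/** Returns [used, quota, width, height] or null when the caller should send 400. */
function parse_quota_params(array $get): ?array {
    $width  = dim_param($get, 'w', 100, QUOTA_IMG_MAX_W);
    $height = dim_param($get, 'h', 14,  QUOTA_IMG_MAX_H);
    $used   = pct_param($get, 'u');
    $quota  = pct_param($get, 'q');
    if ($width === null || $height === null || $used === null || $quota === null) {
        return null;
    }
    return [$used, $quota, $width, $height];
}

// Constructed sample requests, including the oversized one the CVE describes.
$samples = [
    'normal'        => ['u' => '35', 'q' => '35', 'w' => '100', 'h' => '14'],
    'crafted (DoS)' => ['u' => '0',  'q' => '0',  'w' => '100000', 'h' => '100000'],
    'negative'      => ['w' => '-5', 'h' => '14'],
    'zero'          => ['w' => '0'],
    'non-numeric'   => ['w' => 'abc'],
    'array input'   => ['w' => ['1']],
    'unknown quota' => ['w' => '100', 'h' => '14'],
];
foreach ($samples as $label => $get) {
    $r = parse_quota_params($get);
    printf("%-14s => %s\n", $label, $r === null ? 'rejected (400)' : json_encode($r));
}
```

The point of doing the clamp at the parse site is that `imagecreate()` is never called with an unchecked size, and the caller can answer the rejected cases with a 400 before any GD allocation happens, so the guard does not have to live at the bottom of the script next to the drawing code.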
--- Begin Message ---
Source: roundcube
Source-Version: 0.2~alpha-4
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:
roundcube-core_0.2~alpha-4_all.deb
to pool/main/r/roundcube/roundcube-core_0.2~alpha-4_all.deb
roundcube-mysql_0.2~alpha-4_all.deb
to pool/main/r/roundcube/roundcube-mysql_0.2~alpha-4_all.deb
roundcube-pgsql_0.2~alpha-4_all.deb
to pool/main/r/roundcube/roundcube-pgsql_0.2~alpha-4_all.deb
roundcube-sqlite_0.2~alpha-4_all.deb
to pool/main/r/roundcube/roundcube-sqlite_0.2~alpha-4_all.deb
roundcube_0.2~alpha-4.diff.gz
to pool/main/r/roundcube/roundcube_0.2~alpha-4.diff.gz
roundcube_0.2~alpha-4.dsc
to pool/main/r/roundcube/roundcube_0.2~alpha-4.dsc
roundcube_0.2~alpha-4_all.deb
to pool/main/r/roundcube/roundcube_0.2~alpha-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 25 Dec 2008 11:38:13 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~alpha-4
Distribution: experimental
Urgency: low
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Vincent Bernat <[email protected]>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 508633 509596
Changes:
roundcube (0.2~alpha-4) experimental; urgency=low
.
* Add missing ${misc:Depends} to make Lintian happy.
* Add description to each patch.
* Execute cron job only if the directory to clean exists.
* Reload web server configuration instead of restart, thanks to a patch
from Tiago Bortoletto Vaz. Closes: #508633.
* Fix a vulnerability in quota image generation. This fixes
CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
* Add missing dependency on php5-gd, used for quota bar.
* For roundcube-pgsql, depends on postgresql-client only. This package
is provided by the currently supported real package.
Checksums-Sha1:
69e71dea89873e34708ce5d09a2db71f1383e779 1407 roundcube_0.2~alpha-4.dsc
3ab7efe8e578c48376ebeaa4fd3ea4f1c37471d6 27345 roundcube_0.2~alpha-4.diff.gz
82c68c3456b4fb4ee343712a3e8788fa4baf0abe 597126 roundcube-core_0.2~alpha-4_all.deb
66f2b9f5c1b7601784838b2a233fef8ff05704fc 15054 roundcube_0.2~alpha-4_all.deb
47cd3d13291c1c7454b2d2648b49b388b12ae0ff 14380 roundcube-mysql_0.2~alpha-4_all.deb
cdc921ee15ba481932e08d730a9ecaef50994cec 14372 roundcube-pgsql_0.2~alpha-4_all.deb
f429bab6bf24d299629b4f728d6d3f5f5c898183 14348 roundcube-sqlite_0.2~alpha-4_all.deb
Checksums-Sha256:
5df5ad1e94f27485dc43d1627cc84103c0ca89f5c0c62d95781d45a4e3ef383a 1407 roundcube_0.2~alpha-4.dsc
048fc61edc06cc9d54d2069fe9b6f7ec29a348ad513358b7de4245958e165d0c 27345 roundcube_0.2~alpha-4.diff.gz
85d233b124d4b9c6146dfab839f56371dd24bb07bf211bf7908dadbc5eb604df 597126 roundcube-core_0.2~alpha-4_all.deb
485d6d2cf341ec502779e641170e3954fbce9d61b73271264f43a0b18b9e8fa7 15054 roundcube_0.2~alpha-4_all.deb
5d2d2d4ce3b2606d87878b15e1f3dd56285feff691cfa6f6ca5194626a607672 14380 roundcube-mysql_0.2~alpha-4_all.deb
2209bcaf6cae4fb9ed8902aacdaa63f7b37b070ddee26172c9efc813517c5d80 14372 roundcube-pgsql_0.2~alpha-4_all.deb
f076e06b01a54a9b25741608dc8b21225ad7f34701f8496ff60f8bb88acb9db5 14348 roundcube-sqlite_0.2~alpha-4_all.deb
Files:
e6dc8acbf361e143aa855b9421ca1177 1407 web extra roundcube_0.2~alpha-4.dsc
a82323d8bfdbdc6013d2cf17537c07c4 27345 web extra roundcube_0.2~alpha-4.diff.gz
6d595e02268a5ef3004597eccc1ee6b0 597126 web extra roundcube-core_0.2~alpha-4_all.deb
209bc10c163ab35680941247a81c8ba1 15054 web extra roundcube_0.2~alpha-4_all.deb
78bcaaaed23789bc0fabfabf10b255e1 14380 web extra roundcube-mysql_0.2~alpha-4_all.deb
d8133fbf877d562ceee599fd2814e01f 14372 web extra roundcube-pgsql_0.2~alpha-4_all.deb
c45dd82f5a534f455bc2b95b4b24be32 14348 web extra roundcube-sqlite_0.2~alpha-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklTYwoACgkQKFvXofIqeU4UiwCfQJt23jkcoretrrcvdrUqPXwu
hZoAoKXNPfS+RYkXyjeA64x47+rVp/hL
=aqjt
-----END PGP SIGNATURE-----
--- End Message ---