Your message dated Mon, 23 Jan 2012 11:31:30 +0100
with message-id
<CALjhHG_47CDpVge2zzHxK9Mec2GBLdq9RZT1mZFEv==9rwo...@mail.gmail.com>
and subject line Fixed in 5.3.9-1
has caused the Debian Bug report #646675,
regarding CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
646675: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646675
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: roundcube
Version: 0.6+dfsg-1
Severity: serious
Tags: security
X-Debbugs-CC: [email protected]
--- Please enter the report below this line. ---
Hi!
Well, yesterday out of nothing my webmailer roundcube started to refuse
to work. At least as I remember it. For some reasons reloading the Inbox
just showed the "Loading..." message on the screen, but there was no
list of mails anymore. Funny enough other folders do actually work as
before. But anyway, doing an update did not help and improve anything.
(I really don't know whether I updated before or after because of the
first occurrence of this issue.)
There's an entry in syslog when loading the Inbox folder:
Oct 26 07:24:59 muaddib suhosin[32432]: ALERT - Include filename
('http://www.gnu.org/s/hello/manual/automake/ ?.php') is an URL that is
not allowed (attacker '127.0.0.1', file
'/usr/share/roundcube/program/include/iniset.php', line 110
This led to bug #1488086 in the Roundcube issue tracker which states:
This message made me wonder why suhosin thinks there's an include
going on. Line 111 of iniset.php shows:
include_once("$filename.php");
It seems like roundcube wants to include what is displayed in the
subject, which happens to be a url - and suhosin legitimately blocks
this attempt.
In short, I can send an email to a user on a suhosin protected mail
server and make his inbox unavailable. Needless to say, the user cannot
delete this email himself via RoundCube. In my case, I had to delete the
email file on the server to make roundcube show the inbox again.
In Debian there's bug #619411 that is related to PATH setting in
iniset.php, but I'm not sure if this is really related to #1488086 in
the Roundcube issue tracker and my problem? However, disabling suhosin
doesn't seem the right way to "solve" this issue and the trac issue
tracker suggests a security related problem.
Regards,
Ingo
--- System information. ---
Architecture: amd64
Kernel: Linux 3.0.0-2-amd64
Debian Release: wheezy/sid
500 unstable www.debian-multimedia.org
500 unstable ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
====================================-+-================
roundcube-core (= 0.6+dfsg-1) | 0.6+dfsg-1
dbconfig-common | 1.8.47
debconf (>= 0.5) | 1.5.41
OR debconf-2.0 |
ucf | 3.0025+nmu2
apache2 | 2.2.21-2
OR lighttpd |
OR httpd |
php5 | 5.3.8-2
php5-mcrypt | 5.3.8-2
php5-gd | 5.3.8-2
php5-intl | 5.3.8-2
php-mdb2 (>= 2.5.0) | 2.5.0b2-1
php-auth | 1.6.2-1
php-net-smtp (>= 1.4.2) | 1.6.0-1
php-net-socket | 1.0.9-2
php-mail-mime (>= 1.8.0) | 1.8.0-2
php5-pspell | 5.3.8-2
tinymce (>= 3) | 3.4.3.2+dfsg0-1
libjs-jquery (>= 1.6.4) | 1.6.4-1
libmagic1 | 5.09-2
roundcube-sqlite (= 0.6+dfsg-1) | 0.6+dfsg-1
OR roundcube-mysql (= 0.6+dfsg-1) | 0.6+dfsg-1
OR roundcube-pgsql (= 0.6+dfsg-1) | 0.6+dfsg-1
Package's Recommends field is empty.
Suggests (Version) | Installed
================================-+-===========
php-auth-sasl (>= 1.0.3) |
php-crypt-gpg |
roundcube-plugins |
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
--- End Message ---
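The mechanism the report describes, written out as an added example that is not code from the report, from Roundcube or from PHP itself: on PHP 5.3.7 and 5.3.8, is_a() with a string first argument invoked the autoloader, so an autoloader that does include_once("$filename.php") on whatever name it receives turns untrusted text (here, a mail subject) into an include path. The class name Mail_Message, the lib/ directory and the sample subject are assumptions; the vulnerable autoloader is shown only beside its hardened form and is never registered.

```php
<?php
// Added example (not from the Debian report, Roundcube or PHP itself).
// Class name, library directory and the sample subject are assumptions.

// Autoloader in the style the report quotes (include_once("$filename.php")).
// It trusts the class name completely, so any string that reaches it, for
// instance via is_a() on PHP 5.3.7/5.3.8, is used directly as an include path.
// Kept here only to show the defect; it is deliberately not registered.
function unsafe_autoload($class)
{
    $filename = $class;
    include_once("$filename.php");
}

// Hardened autoloader: accept only identifier-like class names and resolve
// them inside a fixed directory. A URL, a "/" or ".." never matches the
// pattern, so the value can never become an include target.
function safe_autoload($class)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        return;                       // not a name this application defines
    }
    $path = __DIR__ . '/lib/' . $class . '.php';   // assumed library directory
    if (is_file($path)) {
        require_once $path;
    }
}
spl_autoload_register('safe_autoload');

// Vulnerable call pattern: the first argument may be a plain string taken
// from a message header. On PHP 5.3.7/5.3.8 is_a() then autoloads that
// string as if it were a class name.
function is_parsed_message_unsafe($value)
{
    return is_a($value, 'Mail_Message');           // hypothetical class
}

// Hardened call pattern: refuse non-objects before asking about the class.
// instanceof never triggers autoloading and is simply false for an unknown
// class, so no include can happen here on any PHP version.
function is_parsed_message_safe($value)
{
    return is_object($value) && $value instanceof Mail_Message;
}

// Constructed sample input in the shape the syslog line shows: a URL
// followed by a space and a question mark, standing in for a mail subject.
$subject = 'http://www.example.invalid/manual/ ?';

var_dump(is_parsed_message_safe($subject));     // bool(false), nothing included
var_dump(is_parsed_message_safe(new stdClass)); // bool(false)
```

From PHP 5.3.9 onward, the version this bug was closed with, is_a() takes a third parameter, allow_string, which defaults to false, so a string first argument is rejected without touching the autoloader unless the caller explicitly passes true. The two defensive patterns above (validating the class name inside the autoloader, and checking is_object()/instanceof instead of is_a() on possibly non-object values) do not depend on that change and also stop the same class of problem reaching any other include_once() that builds its path from a class name.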
--- Begin Message ---
Version: 5.3.9-1
php5 (5.3.9-1) unstable; urgency=low
.
* Remove obsolete sqlite(2) module from php5-sqlite
* Use correct signals in php5-fpm init script (Closes: #645934)
* Imported Upstream version 5.3.9
* Adapt debian/patches to 5.3.9 release
--
Ondřej Surý <[email protected]>
--- End Message ---