Your message dated Fri, 16 Dec 2016 11:48:53 +0000
with message-id <e1chr0p-00045z...@fasolo.debian.org>
and subject line Bug#847287: fixed in roundcube 1.2.3+dfsg.1-1
has caused the Debian Bug report #847287,
regarding roundcube: CVE-2016-9920: Remote command execution via malicious email composing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
847287: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

I am reporting this as it is quite important, as the testing and unstable versions 
of roundcube are affected (and even all the backports offered, which hopefully 
will be updated via a bug report to the backports mailing list once the packages 
are upgraded or the bug patch is backported):

"malicious user can execute arbitrary commands on the underlying operating 
system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0)"

"Requirements
The vulnerability has the following requirements for exploitation:

Roundcube must be configured to use PHP’s mail() function (by default, if no 
SMTP was specified)
PHP’s mail() function is configured to use sendmail (by default, see 
sendmail_path)
PHP is configured to have safe_mode turned off (by default, see safe_mode)
An attacker must know or guess the absolute path of the webroot
These requirements are not particularly demanding, which in turn means that there 
were a lot of vulnerable systems in the wild.
"

The use of the PHP mail() function is the default in the package.

More details about this at:

https://blog.ripstech.com/2016/roundcube-command-execution-via-email/#fn:1

So it is probably important to update to upstream version 1.2.3.

Regards

Juan.-


-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.32-rh33-20161115070633.xenU.i386 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages roundcube depends on:
ii  roundcube-core  1.1.4+dfsg.1-1~bpo8+1

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  dbconfig-common        1.8.47+nmu3+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  libapache2-mod-php5    5.6.19+dfsg-0+deb8u1
ii  libmagic1              1:5.22+15-2+deb8u1
ii  php-auth               1.6.4-1
ii  php-mail-mime          1.8.9-1+deb8u1
ii  php-mail-mimedecode    1.5.5-2+deb8u1
ii  php-net-smtp           1.6.2-2
ii  php-net-socket         1.0.14-1
ii  php5                   5.6.19+dfsg-0+deb8u1
ii  php5-cli               5.6.19+dfsg-0+deb8u1
ii  php5-common            5.6.19+dfsg-0+deb8u1
ii  php5-intl              5.6.19+dfsg-0+deb8u1
ii  php5-json              1.3.6-1
ii  php5-mcrypt            5.6.19+dfsg-0+deb8u1
ii  roundcube-mysql        1.1.4+dfsg.1-1~bpo8+1
ii  ucf                    3.0030

Versions of packages roundcube-core recommends:
ii  apache2 [httpd-cgi]              2.4.10-10+deb8u4
ii  apache2-mpm-prefork [httpd-cgi]  2.4.10-10+deb8u4
ii  php-net-ldap3                    1.0.3-1~bpo8+1
ii  php-net-sieve                    1.3.2-4
ii  php5-gd                          5.6.19+dfsg-0+deb8u1
ii  php5-pspell                      5.6.19+dfsg-0+deb8u1

Versions of packages roundcube-core suggests:
ii  php-auth-sasl      1.0.6-1+deb8u1
pn  php-crypt-gpg      <none>
ii  roundcube-plugins  1.1.4+dfsg.1-1~bpo8+1

-- debconf information excluded

--- End Message ---
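Editor's note, not part of either message in this bug log: the four exploitation requirements quoted in the report can be turned into a quick local check. The script below is example code, not Roundcube's or Debian's. It assumes the config is in Roundcube's PHP-array form (`$config['smtp_server']`), that an empty or absent smtp_server means PHP mail() is used (as the report states for the Debian package default), that an unset sendmail_path means PHP's built-in sendmail default, and that an unset safe_mode counts as off (the directive was removed in PHP 5.4, so it cannot be on with the php5 5.6 packages listed in the report). The sample config and php.ini are constructed; the fixed-version threshold is the 1.2.3 named in this report. The webroot requirement is about attacker knowledge, not configuration, so it is not part of the result.

```python
import re

# Upstream release that this bug report names as carrying the fix.
FIXED_UPSTREAM = (1, 2, 3)

# Constructed sample of a Debian-style /etc/roundcube/config.inc.php (not from a real host).
SAMPLE_ROUNDCUBE_CONFIG = """<?php
$config['db_dsnw'] = 'mysql://roundcube:secret@localhost/roundcubemail';
// If left blank, the PHP mail() function is used.
$config['smtp_server'] = '';
$config['smtp_port'] = 25;
"""

# Constructed sample of a php.ini [mail function] section.
SAMPLE_PHP_INI = """[mail function]
; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/sbin/sendmail -t -i
safe_mode = Off
"""


def config_value(php_source, key):
    """String literal assigned to $config['key'] (or the older $rcmail_config), or None."""
    pat = re.compile(
        r"^\s*\$(?:config|rcmail_config)\['" + re.escape(key) + r"'\]\s*=\s*(['\"])(.*?)\1\s*;",
        re.M,
    )
    m = pat.search(php_source)
    return m.group(2) if m else None


def ini_value(ini_text, key):
    """Value of an uncommented `key = value` line in php.ini, or None if not set."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$", re.M)
    m = pat.search(ini_text)
    return m.group(1) if m else None


def upstream_version(debian_version):
    """'1.1.4+dfsg.1-1~bpo8+1' -> (1, 1, 4): drop epoch, +dfsg suffix and Debian revision."""
    v = debian_version.split(":")[-1]
    v = v.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(x) for x in v.split("."))


def assess(debian_version, roundcube_config, php_ini):
    """Evaluate the requirements quoted in the report; each True means that requirement holds."""
    smtp = config_value(roundcube_config, "smtp_server")
    sendmail_path = ini_value(php_ini, "sendmail_path")
    safe_mode = ini_value(php_ini, "safe_mode")
    findings = {
        # Assumption: absent or empty smtp_server => PHP mail() (the package default per the report).
        "uses_php_mail": not smtp,
        # Assumption: unset sendmail_path => PHP's built-in default, which invokes sendmail.
        "mail_uses_sendmail": sendmail_path is None or "sendmail" in sendmail_path,
        # Assumption: unset safe_mode => off (the directive no longer exists in PHP >= 5.4).
        "safe_mode_off": safe_mode is None or safe_mode.strip().lower() in ("off", "0", ""),
        "unfixed_version": upstream_version(debian_version) < FIXED_UPSTREAM,
    }
    # The webroot-path requirement cannot be read from configuration and is not checked here.
    findings["exposed"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for ver in ("1.1.4+dfsg.1-1~bpo8+1", "1.2.3+dfsg.1-1"):
        print(ver, assess(ver, SAMPLE_ROUNDCUBE_CONFIG, SAMPLE_PHP_INI))
```

To run it against a real host, feed it `dpkg-query -W -f='${Version}' roundcube-core`, the contents of /etc/roundcube/config.inc.php and the php.ini that the web server's PHP actually loads. Note that even when the version check passes, an smtp_server pointing at a real SMTP host removes the first requirement on its own, which is the configuration change an administrator can make before the package update lands.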
--- Begin Message ---
Source: roundcube
Source-Version: 1.2.3+dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <he...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Dec 2016 12:17:54 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source
Version: 1.2.3+dfsg.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Sandro Knauß <he...@debian.org>
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 847287
Changes:
 roundcube (1.2.3+dfsg.1-1) unstable; urgency=high
 .
   [ Guilhem Moulin ]
   * New upstream release (closes: #847287).
Checksums-Sha1:
 2b1727b2f11fc71920c1571fd8c187216897ae4a 2470 roundcube_1.2.3+dfsg.1-1.dsc
 46e0444f23e53269e3db43797005400d3a447b06 3350260 roundcube_1.2.3+dfsg.1.orig.tar.gz
 45f3d00452395b17f9e30b1bc1c23ce0d0008ed4 4441524 roundcube_1.2.3+dfsg.1-1.debian.tar.xz
Checksums-Sha256:
 7da8cac1577685016c4a2bf2de88c368907970732fffa2870f314ccb55dbc8c9 2470 roundcube_1.2.3+dfsg.1-1.dsc
 f3c4b66ee33edc92025e3fad003ea9cf92f2577b5a0ca6acfd5168d67abd6a20 3350260 roundcube_1.2.3+dfsg.1.orig.tar.gz
 3867f83231933d28df7636131cd87f009117029cef786d40d6bc6e2de466a967 4441524 roundcube_1.2.3+dfsg.1-1.debian.tar.xz
Files:
 55c403db03ece825733b0f01e4d75c5c 2470 web extra roundcube_1.2.3+dfsg.1-1.dsc
 1fc2fd165ffa1a5baf73c992058cb1ea 3350260 web extra roundcube_1.2.3+dfsg.1.orig.tar.gz
 09100a747aa89e5ec56b1a789df3956d 4441524 web extra roundcube_1.2.3+dfsg.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEOewRoCAWtykmSRoG462wCFBgVjYFAlhTzXURHGhlZmVlQGRl
Ymlhbi5vcmcACgkQ462wCFBgVjbsvw/+KomBy6ZvSkQIVDQbf+8kJvbrz3lqADdi
8xgTP0Qnnzgf1/yL9LAQ++/4ZV37v+UllYQdWqJv8ruObBANVr4JuH7rKeAN9E2K
tS9mPnOaSq/xkDAPguJgvsZmKxHds+o7OtGUiCL4s9727kLnNPRI3b6B/gxh2w1o
NydaC7PGBR9fw1uaOuMRIJ/+Ruut01JtfrWQ7IsscaognGP73M92ugzAmCkgno3V
UKr8DFs1Ug+yVrJKzT/H0RbCUzRnllnXXdolzyeIvKm7BJZqP5X4B8G9oKKodj3L
MVHk8x5pMt4GGozl/SGSXnJFRVLqdf32vaUmF+xo0znAZ3pSepFHJp7sZp20Kp54
AO4M9ys+RwT2B/HwmJYX3JVxyyzzDsOgaIWlB8kzcc+GA4i4sIjnODkiPJWJfz0V
lErd4hi8osSEOgFZltcs23lFUbKraSsFd1H1p0IX7AaM1hia5/Hx9o56OjpzQOAz
uk8jx/FBH947g/P0ytRewVEHZ/mSklQc6v7jnV7vdWTenV2aNGBzOBqqCtfB1E6c
F0QhaeXaWL+qOAADcJlaRqbVFGVDnVPjPiLG6eK585rbzP0eulW+4ptltZzlioKq
Asnr6zmZfDvszoB4Y5z7T2SFySUEQZDt/L5jOdY7dGh1q0+XOpDkObcqr0m1F6ZH
S/ABtOthJYU=
=1u38
-----END PGP SIGNATURE-----

--- End Message ---