Debian Bug report logs - #508628
roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sat, 13 Dec 2008 12:38:16 +0100

Package: roundcube
Version: 0.1.1-8
Severity: serious
Tags: security, fixed-upstream
Justification: user security hole

I was recently targeted by a spammer exploiting a hole in my roundcube
installation. I got help from Atomo64 to try to analyze this but
we where unable to find how html2text.php could be exploited. Today
Atomo64 notified me that someone else had reported this upstream and now
they have found the problem and fixed it.

See http://trac.roundcube.net/ticket/1485618

(No CVE identifier has yet been assigned as far as I'm aware.)

Now some google juice:
This is how my access.log looked like, and the upstream bug reported had
a similar looking access log.

my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages roundcube depends on:
ii  roundcube-core                0.1.1-8    skinnable AJAX based webmail solut
ii  roundcube-mysql [roundcube-db 0.1.1-8    metapackage providing MySQL depend

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  apache2-mpm-prefork  2.2.9-11            Apache HTTP Server - traditional n
ii  dbconfig-common      1.8.40              common framework for packaging dat
ii  debconf [debconf-2.0 1.5.24              Debian configuration management sy
ii  libmagic1            4.26-2              File type determination library us
ii  php-auth             1.6.1-1             PHP PEAR modules for creating an a
ii  php-db               1.7.13-2            PHP PEAR Database Abstraction Laye
ii  php-mail-mime        1.5.2-0.1           PHP PEAR module for creating MIME 
ii  php-net-smtp         1.3.1-1             PHP PEAR module implementing SMTP 
ii  php-net-socket       1.0.9-1             PHP PEAR Network Socket Interface 
ii  php5                 5.2.6.dfsg.1-0.1    server-side, HTML-embedded scripti
ii  php5-mcrypt          5.2.6.dfsg.1-0.1+b1 MCrypt module for php5
ii  roundcube-mysql [rou 0.1.1-8             metapackage providing MySQL depend
ii  tinymce2             2.1.3-1             platform independent web based Jav
ii  ucf                  3.0011              Update Configuration File: preserv

-- debconf information excluded

Message #10 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: 508628@bugs.debian.org

Subject: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 13:47:57 +0100

[Message part 1 (text/plain, inline)]

I modified the upstream changeset 2148 to apply to the 0.1.1 version in debian.
The debdiff is attached...

-- 
Andreas Henriksson

[roundcube-html2text-nmu.diff (text/x-diff, attachment)]

Message #15 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 14:29:08 +0100

[Message part 1 (text/plain, inline)]

OoO Peu avant le début de  l'après-midi du samedi 13 décembre 2008, vers
13:47, Andreas Henriksson <andreas@fatal.se> disait :

> I modified the upstream changeset 2148 to apply to the 0.1.1 version in debian.
> The debdiff is attached...

Hi!

Please, don't upload. I am preparing an upload. You seem to have skipped
the  modification of  $replace  pattern as  well.  $search and  $replace
should be synced.
-- 
Moi, troller ? Jamais ;)
-+- QL in Guide du Fmblien Assassin : "Bah quoi???" -+-

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Vincent Bernat <bernat@debian.org>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 14:36:57 +0100

On lör, 2008-12-13 at 14:29 +0100, Vincent Bernat wrote:
> Please, don't upload. I am preparing an upload. You seem to have skipped
> the  modification of  $replace  pattern as  well.  $search and  $replace
> should be synced.

My intention was only to share what I have done. I'm not planning an
upload. Thanks for taking care of this so quickly! :)

-- 
Regards,
Andreas Henriksson

Message #25 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 14:51:18 +0100

[Message part 1 (text/plain, inline)]

OoO En  ce début d'après-midi nuageux  du samedi 13  décembre 2008, vers
14:36, Andreas Henriksson <andreas@fatal.se> disait :

>> Please, don't upload. I am preparing an upload. You seem to have skipped
>> the  modification of  $replace  pattern as  well.  $search and  $replace
>> should be synced.

> My intention was only to share what I have done. I'm not planning an
> upload. Thanks for taking care of this so quickly! :)

Hi Andreas!

Here is the debdiff  that I would upload in a few  hours. Tell me if you
are OK  with it. This  is mostly  the same as  yours but some  lines are
removed from $replace as well.

[patch-roundcube-preg.patch (text/x-diff, inline)]

Index: debian/patches/dont-use-preg-e-option.patch
===================================================================
--- debian/patches/dont-use-preg-e-option.patch	(révision 0)
+++ debian/patches/dont-use-preg-e-option.patch	(révision 175)
@@ -0,0 +1,121 @@
+--- roundcube/program/lib/html2text.inc	2008-04-12 15:54:45.000000000 +0200
++++ roundcube/program/lib/html2text.inc	2008-12-13 14:21:44.000000000 +0100
+@@ -99,6 +99,22 @@
+      */
+     var $width = 70;
+ 
++    /** 
++	 *  List of preg* regular expression patterns to search for 
++	 *  and replace using callback function. 
++	 * 
++	 *  @var array $callback_search 
++	 *  @access public 
++	 */ 
++     var $callback_search = array( 
++        '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3 
++        '/<(b)[^>]*>(.*?)<\/b>/i',                 // <b> 
++        '/<(strong)[^>]*>(.*?)<\/strong>/i',       // <strong> 
++        '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i', 
++                                                   // <a href=""> 
++        '/<(th)[^>]*>(.*?)<\/th>/i',               // <th> and </th> 
++    ); 
++
+     /**
+      *  List of preg* regular expression patterns to search for,
+      *  used in conjunction with $replace.
+@@ -112,12 +128,8 @@
+         "/[\n\t]+/",                             // Newlines and tabs
+         '/<script[^>]*>.*?<\/script>/i',         // <script>s -- which strip_tags supposedly has problems with
+         //'/<!-- .* -->/',                         // Comments -- which strip_tags might have problem a with
+-        '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
+-        '/<h[123][^>]*>(.+?)<\/h[123]>/ie',      // H1 - H3
+-        '/<h[456][^>]*>(.+?)<\/h[456]>/ie',      // H4 - H6
+         '/<p[^>]*>/i',                           // <P>
+         '/<br[^>]*>/i',                          // <br>
+-        '/<b[^>]*>(.+?)<\/b>/ie',                // <b>
+         '/<i[^>]*>(.+?)<\/i>/i',                 // <i>
+         '/(<ul[^>]*>|<\/ul>)/i',                 // <ul> and </ul>
+         '/(<ol[^>]*>|<\/ol>)/i',                 // <ol> and </ol>
+@@ -126,7 +138,6 @@
+         '/(<table[^>]*>|<\/table>)/i',           // <table> and </table>
+         '/(<tr[^>]*>|<\/tr>)/i',                 // <tr> and </tr>
+         '/<td[^>]*>(.+?)<\/td>/i',               // <td> and </td>
+-        '/<th[^>]*>(.+?)<\/th>/ie',              // <th> and </th>
+         '/&nbsp;/i',
+         '/&quot;/i',
+         '/&gt;/i',
+@@ -161,12 +172,8 @@
+         ' ',                                    // Newlines and tabs
+         '',                                     // <script>s -- which strip_tags supposedly has problems with
+         //'',                                  // Comments -- which strip_tags might have problem a with
+-        '$this->_build_link_list("\\2", "\\3")', // <a href="">
+-        "strtoupper(\"\n\n\\1\n\n\")",          // H1 - H3
+-        "ucwords(\"\n\n\\1\n\")",               // H4 - H6
+         "\n\n",                                 // <P>
+         "\n",                                   // <br>
+-        'strtoupper("\\1")',                    // <b>
+         '_\\1_',                                // <i>
+         "\n\n",                                 // <ul> and </ul>
+         "\n\n",                                 // <ol> and </ol>
+@@ -175,7 +182,6 @@
+         "\n\n",                                 // <table> and </table>
+         "\n",                                   // <tr> and </tr>
+         "\t\t\\1\n",                            // <td> and </td>
+-        "strtoupper(\"\t\t\\1\n\")",            // <th> and </th>
+         ' ',
+         '"',
+         '>',
+@@ -379,6 +385,7 @@
+ 
+         // Run our defined search-and-replace
+         $text = preg_replace($this->search, $this->replace, $text);
++        $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+ 
+         // Strip any other HTML tags
+         $text = strip_tags($text, $this->allowed_tags);
+@@ -446,6 +453,44 @@
+               
+       return $display . ' [' . ($index+1) . ']';
+       }
++
++    /**
++     *  Callback function for preg_replace_callback use.
++     *
++     *  @param  array PREG matches
++     *  @return string
++     *  @access private
++     */
++    function _preg_callback($matches)
++    {
++		switch($matches[1])
++		{
++	    case 'b':
++	    case 'strong':
++			return $this->_strtoupper($matches[2]);
++	    case 'hr':
++		return $this->_strtoupper("\t\t". $matches[2] ."\n");
++	    case 'h':
++			return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++	    case 'a':
++			return $this->_build_link_list($matches[3], $matches[4]);
++        }
++    }
++    
++    /**
++     *  Strtoupper multibyte wrapper function
++     *
++     *  @param  string
++     *  @return string
++     *  @access private
++     */
++    function _strtoupper($str)
++    {
++		if (function_exists('mb_strtoupper'))
++    	    return mb_strtoupper($str);
++    	else
++			return strtoupper($str);
++    }
+ }
+ 
+ ?>
+\ Pas de fin de ligne à la fin du fichier.
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 174)
+++ debian/patches/series	(révision 175)
@@ -6,3 +6,4 @@
 disable-tinymce-spellchecker.patch
 mysql-update-fix.patch
 messageid-headers-ordering.patch
+dont-use-preg-e-option.patch
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 174)
+++ debian/changelog	(révision 175)
@@ -1,3 +1,10 @@
+roundcube (0.1.1-9) unstable; urgency=high
+
+  * Fix a vulnerability in preg_replace() use. Thanks to Andreas
+    Henriksson for the report. Closes: #508628.
+
+ -- Vincent Bernat <bernat@debian.org>  Sat, 13 Dec 2008 14:04:57 +0100
+
 roundcube (0.1.1-8) unstable; urgency=low
 
   [ Vincent Bernat ]

[Message part 3 (text/plain, inline)]

Thanks.
-- 
BOFH excuse #47:
Complete Transient Lockout

[Message part 4 (application/pgp-signature, inline)]

Message #30 received at 508628-close@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: 508628-close@bugs.debian.org

Subject: Bug#508628: fixed in roundcube 0.2~alpha-3

Date: Sat, 13 Dec 2008 13:47:17 +0000

Source: roundcube
Source-Version: 0.2~alpha-3

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-core_0.2~alpha-3_all.deb
roundcube-mysql_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.2~alpha-3_all.deb
roundcube-pgsql_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.2~alpha-3_all.deb
roundcube-sqlite_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.2~alpha-3_all.deb
roundcube_0.2~alpha-3.diff.gz
  to pool/main/r/roundcube/roundcube_0.2~alpha-3.diff.gz
roundcube_0.2~alpha-3.dsc
  to pool/main/r/roundcube/roundcube_0.2~alpha-3.dsc
roundcube_0.2~alpha-3_all.deb
  to pool/main/r/roundcube/roundcube_0.2~alpha-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 13 Dec 2008 14:36:02 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~alpha-3
Distribution: experimental
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 495434 499108 500202 508628
Changes: 
 roundcube (0.2~alpha-3) experimental; urgency=high
 .
   [ Vincent Bernat ]
   * Fix a vulnerability in the use of preg_replace (Closes: #508628).
   * Adapt descriptions of roundcube-database packages to refer them as
     metapackages instead of virtual package (Closes: #495434).
   * Add robots.txt from upstream, even if in some configuration, it will
     not be considered (Closes: #499108).
   * Do not ship .htaccess files. Restrictions are set in Apache or
     Lighttpd configuration files (Closes: #500202).
 .
   [ Romain Beauxis ]
   * Changed versioned dependency of rouncube from binary:Version to
     source:Version since these are all architecture independent packages.
Checksums-Sha1: 
 c02d14f7e8772394a0767de9ccf30fafa31218c8 1407 roundcube_0.2~alpha-3.dsc
 1937a335c627c6802969a15cfadbbecb58d61edc 26173 roundcube_0.2~alpha-3.diff.gz
 f6187ed65a1639e7e6189dcbd2860483449f98a0 596736 roundcube-core_0.2~alpha-3_all.deb
 dd03b1b359d953561e1e110a488b3ce75b022b71 14796 roundcube_0.2~alpha-3_all.deb
 d90c2b3f17b084552522ac5ebbb3ff14a5560ae0 14120 roundcube-mysql_0.2~alpha-3_all.deb
 9e6a4968b21ae9f67d5009a764cf655ea7b92329 14126 roundcube-pgsql_0.2~alpha-3_all.deb
 e3e9387d17bdd238dca493282966f376fea5d870 14100 roundcube-sqlite_0.2~alpha-3_all.deb
Checksums-Sha256: 
 873056aac74806d0b8db6207e213e68590e5a06018d67b2a24825896ac1bfc81 1407 roundcube_0.2~alpha-3.dsc
 4a25c8a4d3d37e079ffdaf80cb6ecf7c24db8d70ea02e590ec8ac4754b3a468f 26173 roundcube_0.2~alpha-3.diff.gz
 932ead16c3bf83995fde707564c451421bc340fecbfc073f7d1765494c13e87a 596736 roundcube-core_0.2~alpha-3_all.deb
 89c05f0e81abcb78954981aad826bd63883b9c0ea4d7e637baf6be39f64d040b 14796 roundcube_0.2~alpha-3_all.deb
 a4f13648e12dfb2e21c2057f71270c46645d669ac351e18847fc308fc2939c00 14120 roundcube-mysql_0.2~alpha-3_all.deb
 28a371c2f732d81cac122ead7aab1fa3eb98bfcb91f965d93f81430c7977e94d 14126 roundcube-pgsql_0.2~alpha-3_all.deb
 f291223abc6b0c00acc915a1e25d67699b7055dd61e5ce5a4df76e137de94026 14100 roundcube-sqlite_0.2~alpha-3_all.deb
Files: 
 4e4d80af0d944c9aa34d83a225df5322 1407 web extra roundcube_0.2~alpha-3.dsc
 9ac28c3d598af906cd9c87c5e81ac059 26173 web extra roundcube_0.2~alpha-3.diff.gz
 e7392a06d3a9d6fd19ae1a860e7fddc9 596736 web extra roundcube-core_0.2~alpha-3_all.deb
 fcb6b60e0c1d573b2b864d4a8df80640 14796 web extra roundcube_0.2~alpha-3_all.deb
 5492353076cd0150fbf63feec950f92b 14120 web extra roundcube-mysql_0.2~alpha-3_all.deb
 f74a4b9decd8e8a2cdb9d8cc9c6b7222 14126 web extra roundcube-pgsql_0.2~alpha-3_all.deb
 6d28580b0a0ac86624a73542d4de5550 14100 web extra roundcube-sqlite_0.2~alpha-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklDu0UACgkQKFvXofIqeU4fkQCeOP3Ragto3aCAOi1tWMHcYUEN
2OsAoMPlgVXrmwOsPzKq3zX2S/2MTuQW
=1EKh
-----END PGP SIGNATURE-----

Message #35 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Vincent Bernat <bernat@debian.org>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 15:28:43 +0100

On lör, 2008-12-13 at 14:51 +0100, Vincent Bernat wrote:
> Here is the debdiff  that I would upload in a few  hours. Tell me if you
> are OK  with it. This  is mostly  the same as  yours but some  lines are
> removed from $replace as well.

I have no deeper understanding of the code in question. In my own
attempt I was mainly looking to make sure all the "e" modifiers for
preg_replace are gone to close the hole. I've verified that this is true
also in your patch.
... in other words, atleast I can't find anything wrong with it (except
for introducing some harmless whitespace damage). :)


-- 
Regards,
Andreas Henriksson

Message #40 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 15:39:20 +0100

[Message part 1 (text/plain, inline)]

OoO En ce début d'après-midi ensoleillé du samedi 13 décembre 2008, vers
15:28, Andreas Henriksson <andreas@fatal.se> disait :

> ... in other words, atleast I can't find anything wrong with it (except
> for introducing some harmless whitespace damage). :)

Yeah, I  did not succeed in  sorting this out. The  original patch taken
From trac  is mixing  tab and spaces,  I don't  know how to  handle this
properly.
-- 
#define BB_STAT2_TMP_INTR    0x10    /* My Penguins are burning. 
Are you able to smell it? */
        2.2.16 /usr/src/linux/include/asm-sparc/obio.h

[Message part 2 (application/pgp-signature, inline)]

Message #45 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Vincent Bernat <bernat@debian.org>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: nmudiff for roundcube.

Date: Sat, 13 Dec 2008 15:50:28 +0100

On lör, 2008-12-13 at 15:39 +0100, Vincent Bernat wrote:
> OoO En ce début d'après-midi ensoleillé du samedi 13 décembre 2008, vers
> 15:28, Andreas Henriksson <andreas@fatal.se> disait :
> 
> > ... in other words, atleast I can't find anything wrong with it (except
> > for introducing some harmless whitespace damage). :)
> 
> Yeah, I  did not succeed in  sorting this out. The  original patch taken
> From trac  is mixing  tab and spaces,  I don't  know how to  handle this
> properly.

I used the "download as unified diff" link (this one:
http://trac.roundcube.net/changeset/2148/trunk/roundcubemail/program/lib/html2text.php?format=diff&new=2148 ) and didn't get any tabs, all spaces....

-- 
Regards,
Andreas Henriksson

Message #50 received at 508628-close@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: 508628-close@bugs.debian.org

Subject: Bug#508628: fixed in roundcube 0.1.1-9

Date: Sat, 13 Dec 2008 17:47:04 +0000

Source: roundcube
Source-Version: 0.1.1-9

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-core_0.1.1-9_all.deb
roundcube-mysql_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.1.1-9_all.deb
roundcube-pgsql_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.1.1-9_all.deb
roundcube-sqlite_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.1.1-9_all.deb
roundcube_0.1.1-9.diff.gz
  to pool/main/r/roundcube/roundcube_0.1.1-9.diff.gz
roundcube_0.1.1-9.dsc
  to pool/main/r/roundcube/roundcube_0.1.1-9.dsc
roundcube_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube_0.1.1-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 13 Dec 2008 14:04:57 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.1.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 508628
Changes: 
 roundcube (0.1.1-9) unstable; urgency=high
 .
   * Fix a vulnerability in preg_replace() use. Thanks to Andreas
     Henriksson for the report. Closes: #508628.
Checksums-Sha1: 
 a7130beb20a797f758a321c9f67e200cd8418bf1 1379 roundcube_0.1.1-9.dsc
 ab5c4d09982db598f7644912026fac652e12f7dc 26562 roundcube_0.1.1-9.diff.gz
 430b737df4d6a2b07bb29d79df962087644e6e98 579768 roundcube-core_0.1.1-9_all.deb
 111c536175720f2feda75fa545a0011203babab0 13458 roundcube_0.1.1-9_all.deb
 7e9448a1e4150eadac1b513a4138db6ac607048e 12792 roundcube-mysql_0.1.1-9_all.deb
 0814da1165fae1002022b1bdb6b271c23058d64b 12796 roundcube-pgsql_0.1.1-9_all.deb
 cefe4d2ac4e666f3a9c644b67c7b46a84038c2b8 12766 roundcube-sqlite_0.1.1-9_all.deb
Checksums-Sha256: 
 c184fa99c1db48019fc59f52578d66893e67bb313358960811906add45e4d18a 1379 roundcube_0.1.1-9.dsc
 ad034ced6d3baa81a9063278ed58f7b1792f4ccd9cb6e97fd2de7e3e290d4c73 26562 roundcube_0.1.1-9.diff.gz
 a3996bda0121595fd7b4684ec87942cf38ddc6519a12b52ab00299b21c36371d 579768 roundcube-core_0.1.1-9_all.deb
 8d9b776263e5cbb7d9a09ea2048d16bc1d533229b264f470613aa2bc69fc6ca0 13458 roundcube_0.1.1-9_all.deb
 bc94579c77145eb7fa1193a0239fca258713b5d7a0d732337d5c5f6dd509c3e9 12792 roundcube-mysql_0.1.1-9_all.deb
 549932b6482472e8670727ed9ef60526ac18ad6e483c98b1acd46cd16df59457 12796 roundcube-pgsql_0.1.1-9_all.deb
 74f3a3b92e5b37dd7863cb20bc6ae906e81d867080f1667052104fbc28d72b6a 12766 roundcube-sqlite_0.1.1-9_all.deb
Files: 
 0c57eb4fee5c248533f50636160f77b4 1379 web extra roundcube_0.1.1-9.dsc
 79662e9dc5c5f2e11d75df0bb13c1c03 26562 web extra roundcube_0.1.1-9.diff.gz
 24763af97e4000cf7c4d7806019a4320 579768 web extra roundcube-core_0.1.1-9_all.deb
 4b08dd2ea92be9556b8d00168f8632d7 13458 web extra roundcube_0.1.1-9_all.deb
 392a02b8b5d2ba4a398b9a4f39103a1b 12792 web extra roundcube-mysql_0.1.1-9_all.deb
 a0d6669797fd7a3d868b2db8d6374a54 12796 web extra roundcube-pgsql_0.1.1-9_all.deb
 e955f1aac4915a443b98178fdc231eac 12766 web extra roundcube-sqlite_0.1.1-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklD87MACgkQKFvXofIqeU5FqQCgjLZptMCuQqZCd6dCGsDJjki4
V/UAmwQ4oDgyuBovINdCYJe75htKKaPy
=EozQ
-----END PGP SIGNATURE-----

Message #55 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sat, 13 Dec 2008 19:28:56 +0100

* Andreas Henriksson:

> my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

This might be unrelated.

Could we get more logs from a larger timespan, including error logs?

Message #60 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Florian Weimer <fw@deneb.enyo.de>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sun, 14 Dec 2008 18:34:44 +0100

On lör, 2008-12-13 at 19:28 +0100, Florian Weimer wrote:
> * Andreas Henriksson:
> 
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> > my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
> 
> This might be unrelated.
> 
> Could we get more logs from a larger timespan, including error logs?

I'm quite certain it's not unrelated. I have very little access to my
SSL-enabled vhost and the other hits definitely have nothing to do with
it. Upstream bug reporter also reports exactly 3 hits from the same ip
for his attack. Why do you think it would be anything else? The problem
has been found and fixed already.

-- 
Regards,
Andreas Henriksson

Message #65 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sun, 14 Dec 2008 19:13:24 +0100

* Andreas Henriksson:

>> Could we get more logs from a larger timespan, including error logs?
>
> I'm quite certain it's not unrelated. I have very little access to my
> SSL-enabled vhost and the other hits definitely have nothing to do with
> it. Upstream bug reporter also reports exactly 3 hits from the same ip
> for his attack. Why do you think it would be anything else?

The dates did not match.

> The problem has been found and fixed already.

A problem has been fixed, right, but not necessarily the correct
one. 8-/

In the meantime, I've received data from another attack (again without
POST data, unfortunately).  But in that case, the time stamps match
up, so I'm inclined to believe that the issue is indeed in
html2text.php, and precisely the one fixed by upstream (there doesn't
seem to be any other vector in that script).

Message #70 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Florian Weimer <fw@deneb.enyo.de>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sun, 14 Dec 2008 19:33:05 +0100

On sön, 2008-12-14 at 19:13 +0100, Florian Weimer wrote:
> A problem has been fixed, right, but not necessarily the correct
> one. 8-/
> 
> In the meantime, I've received data from another attack (again without
> POST data, unfortunately).  But in that case, the time stamps match

In my case, the first outgoing mail in the spambomb started exactly 2
minutes 10 seconds after the third POST.

> up, so I'm inclined to believe that the issue is indeed in
> html2text.php, and precisely the one fixed by upstream (there doesn't
> seem to be any other vector in that script).

If you want something to investigate, both moodle and horde3 have
"html2text.php" files, although different - they both use the e modifier
together with preg_replace.

-- 
Regards,
Andreas Henriksson

Message #75 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Andreas Henriksson <andreas@fatal.se>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".

Date: Sun, 14 Dec 2008 19:31:03 +0100

* Andreas Henriksson:

> If you want something to investigate, both moodle and horde3 have
> "html2text.php" files, although different - they both use the e modifier
> together with preg_replace.

I think we need to prevent exploitation at the PHP level, even if it
breaks backwards compatibility. 8-/

Message #80 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Marco Solieri <soujak@xt3.it>

To: 508628@bugs.debian.org

Subject: Bug#508628: etch-backports still vulnerable

Date: Mon, 29 Dec 2008 02:31:46 +0100

[Message part 1 (text/plain, inline)]

Roundcube version in etch-backports is still to version
0.1-4~bpo40+1: it is still unpatched and vulnerable.

Bug has been reopened.

-- 
Marco Solieri
 aka SoujaK

[signature.asc (application/pgp-signature, inline)]

Message #87 received at 508628@bugs.debian.org (full text, mbox, reply):

From: "Kingsley Masters" <Kingsley@rm-ca.co.uk>

To: <508628@bugs.debian.org>

Subject: RE:Bug#508628: etch-backports still vulnerable

Date: Tue, 13 Jan 2009 12:30:08 -0000

[Message part 1 (text/plain, inline)]

I'd like to comfirm this bug still exists on etch-backports and is being
actively exploited.  Our Debian server running roundcube was comprimised
yesterday though this bug.


____________________________________________________________________
RMCA Limited registered in England and Wales No. 5145853.  Accounts & Tax Solutions Limited registered in England and Wales No. 5293501.  This e-mail and any files transmitted with it are strictly confidential and intended solely for the person or organisation to whom it is addressed. It may contain privileged and confidential information and if you are not the intended recipient, you must not use, disclose, copy, distribute, print or take any action in reference to it. Any advice given by us is not intended to be relied upon without our subsequent written confirmation. Accordingly, we disclaim all responsibility and accept no liability for the consequences of any person acting without our subsequent written confirmation of advice contained herein. If you have received this e-mail in error, please notify us as soon as possible at sue@rm-ca.co.uk or telephone on +44(0)1442 891919 and delete this message from your system. Thank you. We take reasonable precautions to ensure our e-mail and attachments are virus free; however, we accept no responsibility for any virus transmitted by us.

[Message part 2 (text/html, inline)]

Message #92 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 508628@bugs.debian.org, "Kingsley Masters" <Kingsley@rm-ca.co.uk>

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Thu, 15 Jan 2009 14:04:02 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Dienstag, 13. Januar 2009, Kingsley Masters wrote:
> I'd like to comfirm this bug still exists on etch-backports and is being
> actively exploited.  Our Debian server running roundcube was comprimised
> yesterday though this bug.

Kingsley, out of curiosity, do you have suhosin installed?

to the roundcube maintainers: do you plan an upload to bpo? I have a backport 
ready (well, needs testing, but I'm about to do this) which I could upload...


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #97 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Kalev Kadak <myller@gmail.com>

To: Holger Levsen <holger@layer-acht.org>, 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Thu, 15 Jan 2009 15:27:25 +0200

Holger Levsen wrote:
> Hi,
>
> On Dienstag, 13. Januar 2009, Kingsley Masters wrote:
>   
>> I'd like to comfirm this bug still exists on etch-backports and is being
>> actively exploited.  Our Debian server running roundcube was comprimised
>> yesterday though this bug.
>>     
>
> Kingsley, out of curiosity, do you have suhosin installed?
>
> to the roundcube maintainers: do you plan an upload to bpo? I have a backport 
> ready (well, needs testing, but I'm about to do this) which I could upload...
>
>
> regards,
> 	Holger
>   

Hi,

not Kingsley, but in my case suhosin was not installed.

Regards,
Kalev Kadak

Message #102 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Thu, 15 Jan 2009 15:34:16 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Donnerstag, 15. Januar 2009, Kalev Kadak wrote:
> > to the roundcube maintainers: do you plan an upload to bpo? I have a
> > backport ready (well, needs testing, but I'm about to do this) which I
> > could upload...

I was too fast:

roundcube needs newer php-mail-mime, so I backported that. That needs newer
php-mail-mimedecode, which needs newer dh-make-php to build, so I backported
that too.

But even with that, php-mail-mimedecode fails to build with:

dh_installdirs -A 
mkdir -p "."
ln -f -s ../package.xml -
# install everything in default locations
/usr/bin/pear \
                -c debian/pearrc \
                -d include_path=/usr/share/php \
                -d php_bin=/usr/bin/php \
                -d bin_dir=/usr/bin \
                -d php_dir=/usr/share/php \
                -d data_dir=/usr/share/php/data \
                -d doc_dir=/usr/share/php/docs \
                -d test_dir=/usr/share/php/tests \
                install --nodeps -P ~/Software/roundcube/php-mail-mimedecode-1.5.0/debian/php-mail-mimedecode/ -/package.xml
Console_Getopt: unrecognized option -- /
make: *** [common-install-indep] Error 1
debuild: fatal error at line 1295:
dpkg-buildpackage -rfakeroot -D -us -uc -I.svn -i.svn failed

If I understand this correctly, it seems the syntax used is only available in
newer pear versions, which I rather not backport.

Can someone come up with another syntax for pear 5.2.0?


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #107 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Holger Levsen <holger@layer-acht.org>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Fri, 16 Jan 2009 11:28:03 +0100

* Holger Levsen:

>                 install --nodeps -P
>                 ~/Software/roundcube/php-mail-mimedecode-1.5.0/debian/php-mail-mimedecode/
>                 -/package.xml

> Console_Getopt: unrecognized option -- /

> If I understand this correctly, it seems the syntax used is only available in
> newer pear versions, which I rather not backport.

"-/package.xml" looks rather like an unset make variable in
debian/rules to me.

Message #112 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Fri, 16 Jan 2009 18:38:49 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Freitag, 16. Januar 2009, Florian Weimer wrote:
> "-/package.xml" looks rather like an unset make variable in
> debian/rules to me.

You're right, thanks for the hint. I then built the package in lenny and saw the problem.

debian/rules includes /usr/share/cdbs/1/class/pear.mk which contains the following code:

PEAR_PKG := $(shell /usr/share/dh-make-php/phppkginfo . package)
PEAR_PKG_VERSION := $(shell /usr/share/dh-make-php/phppkginfo . version)

On etch (using a straightforward dh-make-php backport from lenny) those commands return 
nothing, while they do in lenny. 

So I hacked debian/rules to rather include a modified version of pear.mk which sets

PEAR_PKG=Mail_mimeDecode
PEAR_PKG_VERSION=1.5.0

This builds (about to test if it really works) but is IMHO to ugly to upload to bpo.

Anybody an idea what the real cause for the problem is? php-pear in etch to old (and therefor 
has a bug which the lenny version doenst have)?


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #117 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Fri, 16 Jan 2009 19:53:25 +0100

[Message part 1 (text/plain, inline)]

OoO En ce  début d'après-midi ensoleillé du jeudi  15 janvier 2009, vers
15:34, Holger Levsen <holger@layer-acht.org> disait :

> roundcube needs newer php-mail-mime, so I backported that. That needs newer
> php-mail-mimedecode, which needs newer dh-make-php to build, so I backported
> that too.

In current  version in bpo,  there is a  patch that allows to  use older
version of php-mail-mimedecode. It should be better to use it. This is:
 fix-too-old-php-mail-mime.patch
-- 
panic("esp_handle: current_SC == penguin within interrupt!");
	2.2.16 /usr/src/linux/drivers/scsi/esp.c

[Message part 2 (application/pgp-signature, inline)]

Message #122 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Vincent Bernat <bernat@debian.org>, 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Mon, 19 Jan 2009 16:24:03 +0100

[Message part 1 (text/plain, inline)]

Hi Vincent,

On Freitag, 16. Januar 2009, Vincent Bernat wrote:
> In current  version in bpo,  there is a  patch that allows to  use older
> version of php-mail-mimedecode. It should be better to use it. This is:
>  fix-too-old-php-mail-mime.patch

Ah, thanks. That does the trick! :)

I'm writing an announcement for bpo announce now and will then upload 
0.1.1-10~bpo to bpo.


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #127 received at 508628@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 508628@bugs.debian.org

Subject: Re: Bug#508628: etch-backports still vulnerable

Date: Mon, 19 Jan 2009 16:45:25 +0100

[Message part 1 (text/plain, inline)]

On Montag, 19. Januar 2009, Holger Levsen wrote:
> I'm writing an announcement for bpo announce now and will then upload
> 0.1.1-10~bpo to bpo.

done

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.