Debian Bug report logs - #727668
roundcube: CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs

version graph

Package: roundcube; Maintainer for roundcube is Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>; Source for roundcube is src:roundcube.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 25 Oct 2013 06:54:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions roundcube/0.9.4-1, roundcube/0.7.2-9

Fixed in versions roundcube/0.7.2-9+deb7u1, roundcube/0.9.4-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#727668; Package roundcube. (Fri, 25 Oct 2013 06:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Fri, 25 Oct 2013 06:54:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube:CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs
Date: Fri, 25 Oct 2013 08:52:09 +0200
Package: roundcube
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for roundcube.

CVE-2013-6172[0]:
vulnerability in handling _session argument of utils/save-prefs

See [1] for further information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
    http://security-tracker.debian.org/tracker/CVE-2013-6172
[1] http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
[2] http://trac.roundcube.net/ticket/1489382

Please adjust the affected versions in the BTS as needed (not yet
verified if also roundcube in oldstable/squeeze is affected).

Do you have a chance to prepare packages also for wheezy-security (and
squeeze-security if affected)?

Regards,
Salvatore



Changed Bug title to 'roundcube: CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs' from 'roundcube:CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Oct 2013 07:03:08 GMT) Full text and rfc822 format available.

Marked as found in versions roundcube/0.7.2-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Oct 2013 09:03:07 GMT) Full text and rfc822 format available.

Marked as found in versions roundcube/0.9.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Oct 2013 09:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#727668; Package roundcube. (Sat, 26 Oct 2013 20:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sat, 26 Oct 2013 20:33:05 GMT) Full text and rfc822 format available.

Message #16 received at 727668@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 727668@bugs.debian.org
Subject: roundcube: diff for NMU version 0.9.4-1.1
Date: Sat, 26 Oct 2013 22:30:46 +0200
[Message part 1 (text/plain, inline)]
tags 727668 + pending
thanks

Dear Vincent and Romain,

I've prepared an NMU for roundcube (versioned as 0.9.4-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[roundcube-0.9.4-1.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Oct 2013 20:33:08 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 29 Oct 2013 21:21:28 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Oct 2013 21:21:28 GMT) Full text and rfc822 format available.

Message #23 received at 727668-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 727668-close@bugs.debian.org
Subject: Bug#727668: fixed in roundcube 0.7.2-9+deb7u1
Date: Tue, 29 Oct 2013 21:17:39 +0000
Source: roundcube
Source-Version: 0.7.2-9+deb7u1

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 727668@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Oct 2013 00:24:14 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-plugins
Architecture: source all
Version: 0.7.2-9+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
Closes: 727668
Changes: 
 roundcube (0.7.2-9+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2013-6172.patch patch.
     CVE-2013-6172: An attacker can overwrite configuration settings
     using user preferences. This can result in random file access,
     manipulated SQL queries and even code execution. (Closes: #727668)
Checksums-Sha1: 
 5617671afaaf2f81395fffece9d78ee8179ec86b 2247 roundcube_0.7.2-9+deb7u1.dsc
 81f3e5057c7bd2175318cfc261615c032afa4235 2197455 roundcube_0.7.2.orig.tar.gz
 75bffb477d3c327ff2b769af1ddeae0e94972132 54657 roundcube_0.7.2-9+deb7u1.debian.tar.gz
 5a65e945ae621dd9d2710460e1910946edcccd85 1028892 roundcube-core_0.7.2-9+deb7u1_all.deb
 e7210c52a03a61984da73a2bb2bee24a261a63e6 27766 roundcube_0.7.2-9+deb7u1_all.deb
 4b96fca81b10c3cc3b7689bea4f6e27926f2b187 27700 roundcube-mysql_0.7.2-9+deb7u1_all.deb
 92416f0d0fa1adc482bdf37349cba3ae40203b11 27700 roundcube-pgsql_0.7.2-9+deb7u1_all.deb
 1478c97e6536775fa7d0fe5463a3173063976626 320664 roundcube-plugins_0.7.2-9+deb7u1_all.deb
Checksums-Sha256: 
 db2050a301ada0d14eda38374aeace0e7975b058738a3a72c5c374c0b4896e3c 2247 roundcube_0.7.2-9+deb7u1.dsc
 e14955243b5c31317c3cfd568579399819aefa659e051735b67fceda784331e2 2197455 roundcube_0.7.2.orig.tar.gz
 71923e4d0d8cc01e61da7e08b02fe297016ea7d6e7e64eda385365a352829b81 54657 roundcube_0.7.2-9+deb7u1.debian.tar.gz
 53ae945a0bbf606dcf6d1b5579deaf951cc303e37bfd77d1bb85861db2fb7299 1028892 roundcube-core_0.7.2-9+deb7u1_all.deb
 44dd851e9358dab6ed2645f8619343fb23be690feeed285dfe8f516d823263a7 27766 roundcube_0.7.2-9+deb7u1_all.deb
 f2613edfa37d1222bbfe9010ca0f0e90cc4f17c9d2e3e8fff998d7e097677a53 27700 roundcube-mysql_0.7.2-9+deb7u1_all.deb
 c1b5dd30c33bbe2ba29ffa177230d30514bed6d384dce82839cf5d1fe0a1fd3f 27700 roundcube-pgsql_0.7.2-9+deb7u1_all.deb
 ef16f3042b223a4fb1ee8dbc46bccd33fd607c57a2d177ab86fc7ef6058d92e3 320664 roundcube-plugins_0.7.2-9+deb7u1_all.deb
Files: 
 7de50b5c41e34ed054947e4aece924fb 2247 web extra roundcube_0.7.2-9+deb7u1.dsc
 2b77fe823de00a7ebd85b8919e40d78d 2197455 web extra roundcube_0.7.2.orig.tar.gz
 003c1a0eeaadc689b20d7866fdca6f35 54657 web extra roundcube_0.7.2-9+deb7u1.debian.tar.gz
 908c7df5904ff62502ce66c51cc58a3b 1028892 web extra roundcube-core_0.7.2-9+deb7u1_all.deb
 8f651e4838128fec40ce611a306ac629 27766 web extra roundcube_0.7.2-9+deb7u1_all.deb
 ba44fbd834798781560b4fd1b96ce79b 27700 web extra roundcube-mysql_0.7.2-9+deb7u1_all.deb
 3fda7c3c7205d9645638f78346911498 27700 web extra roundcube-pgsql_0.7.2-9+deb7u1_all.deb
 9f3c8f5247ffd69da5863c28092c890a 320664 web extra roundcube-plugins_0.7.2-9+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSbEMEAAoJEAVMuPMTQ89EFWEP/3+45MsM5RvrKLc6WU9PqfHQ
A2uJWcakSZNdfOKioo00aY7d0bTp/uxbNR37khZfwkqzJCS9nc2NyyG/UMFj6TkE
iaJmN40Nw9e04yylKJX/OLbldsJd5O/wGfrYCKLzvY+vYoFh7mSr3QeP/saAXpFJ
p4T49iIxULsNp0D8dNJ1QwpwnLsiCj4uD66BJ1VNBfOQkEjGID69Zjc1RZR7V0DK
z/wIshZ+6LP+YylG/2XFuMyv232vc34HEfZFXh6dgwt4f3XBz7DLTTBfUzFGiadX
ok/QjnjITtX6HFdI5Zyi56EU+mnbmW+CZIgowP/RUV5trX2OD8/mX+8Mgcx/trPb
RXj+ZOPWAvzSmyjOENjQcHhT39Oa/dbjWy8ViWWGLnAV67Djl00V5cNYihyG4pw5
+f6WUdZsUYBXtjtDUggXzaNhbkCI60zdaMwujMjyjAUoviIoMVM8J3ynkm7v92qJ
a9dS92njxMA0ufffQnE1lay3JvaZ7bRluJVDvAFBLKxCkT0hZqOR4G4/ZgJXs/FQ
qxPxmXfp95qxXXqn7/1aWsjdTKokEQD+oodduIDVBxrRZZaK+y9Re+lq6yCY4+iy
hW5ynPGm9SjE8Ee+gAp7G4cTLDSFXrXqZKEebxZmdnsQTNuyKVUvatH4taupX39w
oomEkKSO9Nzo4VAwAhTS
=4SIn
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 31 Oct 2013 21:24:05 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 31 Oct 2013 21:24:05 GMT) Full text and rfc822 format available.

Message #28 received at 727668-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 727668-close@bugs.debian.org
Subject: Bug#727668: fixed in roundcube 0.9.4-1.1
Date: Thu, 31 Oct 2013 21:20:29 +0000
Source: roundcube
Source-Version: 0.9.4-1.1

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 727668@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Oct 2013 21:47:22 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 0.9.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 727668
Changes: 
 roundcube (0.9.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2013-6172.patch patch.
     CVE-2013-6172: An attacker can overwrite configuration settings using
     user preferences. This can result in random file access and manipulated
     SQL queries. (Closes: #727668)
Checksums-Sha1: 
 feaa3c532eff7241bcd732a67ff15380071b9c5a 2279 roundcube_0.9.4-1.1.dsc
 3344189166c5a78fa466b04df25d9adc08b23350 55135 roundcube_0.9.4-1.1.debian.tar.gz
 827cb0c6b2199e494cd425b0e778d10a841c85f1 1102746 roundcube-core_0.9.4-1.1_all.deb
 4427386f86f2e79c705a0d24a49e9aa56c443559 28846 roundcube_0.9.4-1.1_all.deb
 d9f89037d9366aa558e875085783d616b41a9e0a 28760 roundcube-mysql_0.9.4-1.1_all.deb
 9d9b16f42ab9924876e39d1dcfd004ec94bcc460 28764 roundcube-pgsql_0.9.4-1.1_all.deb
 4b42867038352b3baf8cd6203aa7d2bc62b53d05 28728 roundcube-sqlite3_0.9.4-1.1_all.deb
 112ad91aa61defb763c8875f5399f8778eda031d 485870 roundcube-plugins_0.9.4-1.1_all.deb
Checksums-Sha256: 
 d06b74771ba5440e13f2a876b6726d39259567c58402131dd65d8df264f9847c 2279 roundcube_0.9.4-1.1.dsc
 9b8a56c84b95b7546675f1b3aafee3d4b81c314dfc8978eaee1c740943185880 55135 roundcube_0.9.4-1.1.debian.tar.gz
 f892a980b7cfd3ca09d65c0762f98dc71bb38d4ce7468c61feafeb485b315802 1102746 roundcube-core_0.9.4-1.1_all.deb
 1792fad4b81d39da48007be26b293ef6350fc2c0cb2b894f03e72b714c67af55 28846 roundcube_0.9.4-1.1_all.deb
 44a6033e6e9a5055d7c60f3ec4b72d7dd20fefb5a390dcc5299ecc451f4f8614 28760 roundcube-mysql_0.9.4-1.1_all.deb
 a61677c1cabc00f5d575a303c29513f95bd799e91c1f06d47428c94855da88f5 28764 roundcube-pgsql_0.9.4-1.1_all.deb
 48599d7057fa7a3f8d2cc5ff89f3713e64c7e6c8ee92b5f098ee592ff1a581b4 28728 roundcube-sqlite3_0.9.4-1.1_all.deb
 569e92cda1d8d4cdefb14d89efe3d99f11a6c501b79fad0a33a75b614c4522a7 485870 roundcube-plugins_0.9.4-1.1_all.deb
Files: 
 02010924d770e63626ee9e63a38d4b65 2279 web extra roundcube_0.9.4-1.1.dsc
 25331f807399129b62b14cec14840262 55135 web extra roundcube_0.9.4-1.1.debian.tar.gz
 5a0dcd13c3a58b9546655ccebae3fa9e 1102746 web extra roundcube-core_0.9.4-1.1_all.deb
 7910a2a76a184374ef27af0950d67554 28846 web extra roundcube_0.9.4-1.1_all.deb
 1e1a34ff4ac405ed14dfbfd78b80d77e 28760 web extra roundcube-mysql_0.9.4-1.1_all.deb
 d6e526610bc1254f82adc83c47dfc91d 28764 web extra roundcube-pgsql_0.9.4-1.1_all.deb
 77d5d36e97f7c0db56d2dfd6176bed01 28728 web extra roundcube-sqlite3_0.9.4-1.1_all.deb
 fe69c011bb91ee5a31ea016136fd0c91 485870 web extra roundcube-plugins_0.9.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSbCIAAAoJEAVMuPMTQ89ECn4P/Rv50ZNOoVItbb44iRiTjOUt
u7BrFCC6mynt//ssRT+MuwUdxiK6Jn42Ehkh8CKbrfv0tr+FBFeKld2y3Wr2ZJGG
EjhY3h3Q6Fa+zuCG5ZIIDxXtvLjYrYl+l5xRgc+rFW9WkyPbQVxp3ZI2bCvtnB1+
dS5nmrFEq+842aCMnpmUPINQYhM6Ukn+1t570aBaYGskXIyYdJhfC7iFEdf2viYK
tMlNQ65fppKIG0tRBHY9n2UaERj0hB4rNIKpQyO4IDXKvktpOinFhtT+PyBG4tZO
Aiv3ov4pwcpOLn+eIzNgzqCD16xjoNnsJIDsVJZOJolfaofaGriSNJ9w3faIl3wF
JTaMHe9ldNJYwk28QIig+gLWZRWjjRHeXYaiZOLKF5lXEYdjk1pRDGlew3syB2N6
tqBD/hxiUx11V37iYj8spa82GzSfYrWpcnMIWmgtW746fAabWkSCWLIZ4Wil93WI
g4q1W/2V6wkZnhgs+NgawG4qdp/rg+dOh8+w7F6QHw2RIcGPzHEZ1+r0GzeqtFK+
XkTBPeP+1C6LEfWEzOfBGrgpfNA1cN744wYBWZIYR9JiOs95EkjJ7EjSJGoJ43N7
0pRjQ3QSfW7elG4Pan4rf3bnmb5a7Ix75VAzoiHxKjewRIlNcpGS4e1h38XZmOzr
3GNTDxuPU+0QDpG8Dq/B
=HtX8
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Dec 2013 07:31:56 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:31:17 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.