Bug 476830 (CVE-2008-5620)
| Summary: | CVE-2008-5620 roundcubemail: DoS due insufficient quota image size paramaters checking (use excessive amount of memory) | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||||
| Severity: | low | Docs Contact: | |||||||||||
| Priority: | low | ||||||||||||
| Version: | unspecified | CC: | gwync | ||||||||||
| Target Milestone: | --- | Keywords: | Reopened, Security | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | Linux | ||||||||||||
| URL: | http://sourceforge.net/forum/forum.php?forum_id=898542 | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2008-12-30 17:27:06 UTC | Type: | --- | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Jan Lieskovsky
2008-12-17 12:08:43 UTC
Created attachment 327236 [details]
Upstream patch
This issue affects all versions of the Roundcubemail package, as shipped with Fedora releases of 9, 10 and devel. Created attachment 327238 [details]
/bin/html2text.php diff part extracted from upstream patch.
Created attachment 327240 [details]
/bin/quotaimg.php diff extracted from the upstream patch
Created attachment 327267 [details]
Downloaded upstream patch.
These patches are reflected in the current version, 0.2-beta. This vulnerability affects per 0.2-beta releases. Patch in comment #4 does not seem to be, or do I miss anything? Whoops, bad patch. Fixing. . . roundcubemail-0.2-5.beta.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc9 roundcubemail-0.2-5.beta.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc8 roundcubemail-0.2-5.beta.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc10 roundcubemail-0.2-5.beta.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. roundcubemail-0.2-5.beta.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. roundcubemail-0.2-5.beta.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. |