Bug 483426

Summary: There is a remote shell vulnerability in roundcubemail 0.1.1
Product: [Fedora] Fedora EPEL
Reporter: Gordon Messmer <gordon.messmer>
Component: roundcubemail
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: low
Version: el5
CC: gwync, orion, rdieter
Hardware: All
OS: Linux
URL: http://sourceforge.net/forum/forum.php?forum_id=898542
Doc Type: Bug Fix
Last Closed: 2009-03-17 19:07:15 UTC
Attachments:
Patch to fix CVE-2008-5619 (flags: none)

Description Gordon Messmer 2009-02-01 06:23:45 UTC
Description of problem:
A vulnerability in roundcubemail 0.1.1 may allow attackers to execute commands as the "httpd" user.

This bug is fixed in 0.2:
http://sourceforge.net/forum/forum.php?forum_id=898542

Version-Release number of selected component (if applicable):
roundcubemail-0.1.1-4.el5

Comment 1 Gwyn Ciesla 2009-02-02 14:16:34 UTC
0.2 will not work in RHEL5 or earlier due to the PHP version.  I'll see if I can fix or craft a patch.

Comment 2 Gwyn Ciesla 2009-02-02 15:13:01 UTC
To be clear, are you referring to the html2text and quota vulnerabilities?

Comment 3 Gordon Messmer 2009-02-02 17:08:00 UTC
Yes, I am.

Comment 4 Gwyn Ciesla 2009-02-02 19:55:35 UTC
I can build but not effectively test for EL-5.  Would you be willing to test an uploaded rpm, or would you prefer a srpm?

Comment 5 Gwyn Ciesla 2009-02-18 18:22:26 UTC
Ping?

Comment 6 Gordon Messmer 2009-02-19 21:34:02 UTC
I can test either.  I'd be curious enough to review the patch, as well, so a src.rpm would be welcome.

Comment 7 Gordon Messmer 2009-03-16 05:19:06 UTC
I've successfully tested the attached patch.  It merely replaces html2text.inc with the version of html2text.php released to fix the bug in 0.2.  Please publish an updated package ASAP.  This is actively being exploited in the wild.

Comment 8 Gordon Messmer 2009-03-16 05:19:58 UTC
Created attachment 335298
Patch to fix CVE-2008-5619

Comment 9 Gwyn Ciesla 2009-03-17 19:07:15 UTC
Built for EL-5 and EL-4, sent request for push to epel-signers.

Thanks very much for the patch and testing.  Sorry for the delay, I've been extraordinarily busy of late.

Comment 10 Orion Poplawski 2009-03-31 21:07:00 UTC
This still hasn't been pushed.  I'm going to try to ping the epel-signers.  Just got hit by this yesterday.