Bug 1403177 (CVE-2016-9920) - CVE-2016-9920 roundcubemail: Code execution via mail()
Summary: CVE-2016-9920 roundcubemail: Code execution via mail()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9920
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1403178 1403179
Blocks:
Reported: 2016-12-09 10:57 UTC by Andrej Nemec
Modified: 2019-09-29 14:02 UTC

Fixed In Version: roundcubemail 1.2.3, roundcubemail 1.1.7
Clone Of:
Environment:
Last Closed: 2017-01-31 10:17:58 UTC
Embargoed:



Description Andrej Nemec 2016-12-09 10:57:10 UTC
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
1.2.3, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line, which allows remote
authenticated users to execute arbitrary code via a modified HTTP
request that sends a crafted e-mail message.

References:

https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released

Upstream patches:

https://github.com/roundcube/roundcubemail/commit/aa6bf38843f51a0fc7205acc98a7b84f3c4c9c4f
https://github.com/roundcube/roundcubemail/commit/45a3e81653eb6ad3685d1a9ab817a61df78178eb

CVE assignment:

http://seclists.org/oss-sec/2016/q4/642

Comment 1 Andrej Nemec 2016-12-09 10:58:00 UTC
Created roundcubemail tracking bugs for this issue:

Affects: fedora-all [bug 1403178]
Affects: epel-all [bug 1403179]
