Red Hat Bugzilla – Bug 476830
CVE-2008-5620 roundcubemail: DoS due to insufficient quota image size parameter checking (uses excessive amount of memory)
Last modified: 2008-12-30 12:27:06 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5620 to
the following vulnerability:
RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
attackers to cause a denial of service (memory consumption) via
crafted size parameters that are used to create a large quota image.
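The class of fix the CVE text implies, as an added illustration in PHP (this is not the upstream patch or Roundcube's own code; the parameter names w/h, the limits and the GD calls are assumptions):

```php
<?php
// Added illustration, not the upstream patch: reject or bound the
// user-supplied quota image dimensions before any GD canvas is allocated,
// so that oversized size parameters cannot exhaust PHP's memory.
// Limits are assumed values, not Roundcube's.
const QUOTA_IMG_MAX_WIDTH  = 400;
const QUOTA_IMG_MAX_HEIGHT = 100;

/**
 * Validate the width/height request parameters for the quota image.
 * Returns [width, height] on success, or null if the request must be rejected.
 */
function quota_image_size(array $params): ?array
{
    foreach (['w', 'h'] as $k) {
        // Require a plain positive decimal integer of at most 6 digits:
        // rejects missing values, negatives, floats, "1e9" and hex strings.
        if (!isset($params[$k]) || !preg_match('/^[1-9][0-9]{0,5}$/', (string)$params[$k])) {
            return null;
        }
    }
    $w = (int)$params['w'];
    $h = (int)$params['h'];
    // Bound the canvas so the allocation is small and predictable.
    if ($w > QUOTA_IMG_MAX_WIDTH || $h > QUOTA_IMG_MAX_HEIGHT) {
        return null;
    }
    return [$w, $h];
}

// Vulnerable pattern (shape of the bug, not Roundcube's actual line):
// dimensions flow straight from the query string into the allocation.
// $img = imagecreate((int)$_GET['w'], (int)$_GET['h']);

// Hardened pattern: validate first, allocate only within the bounds.
$size = quota_image_size($_GET);
if ($size === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
[$w, $h] = $size;
$img = imagecreate($w, $h);
// ... draw the quota bar into $img and emit it ...
imagedestroy($img);
```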
Created attachment 327236
This issue affects all versions of the Roundcubemail package, as shipped
with Fedora releases 9, 10 and devel.
Created attachment 327238
/bin/html2text.php diff part extracted from the upstream patch.
Created attachment 327240
/bin/quotaimg.php diff extracted from the upstream patch.
Created attachment 327267
Downloaded upstream patch.
These patches are reflected in the current version, 0.2-beta. This
vulnerability affects pre-0.2-beta releases.
The patch in comment #4 does not seem to be, or am I missing something?
Whoops, bad patch. Fixing...
roundcubemail-0.2-5.beta.fc9 has been submitted as an update for Fedora 9.
roundcubemail-0.2-5.beta.fc8 has been submitted as an update for Fedora 8.
roundcubemail-0.2-5.beta.fc10 has been submitted as an update for Fedora 10.
roundcubemail-0.2-5.beta.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-5.beta.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2-5.beta.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: