476830 – (CVE-2008-5620) CVE-2008-5620 roundcubemail: DoS due insufficient quota image size paramaters checking (use excessive amount of memory)

Bug 476830 (CVE-2008-5620) - CVE-2008-5620 roundcubemail: DoS due insufficient quota image size paramaters checking (use excessive amount of memory)

Summary: CVE-2008-5620 roundcubemail: DoS due insufficient quota image size paramaters...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-5620
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://sourceforge.net/forum/forum.ph...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-17 12:08 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-12-30 17:27:06 UTC
Embargoed:

Attachments	(Terms of Use)
Upstream patch (82 bytes, text/plain) 2008-12-17 12:10 UTC, Jan Lieskovsky	no flags	Details
/bin/html2text.php diff part extracted from upstream patch. (1.65 KB, patch) 2008-12-17 12:16 UTC, Jan Lieskovsky	no flags	Details \| Diff
/bin/quotaimg.php diff extracted from the upstream patch (3.31 KB, patch) 2008-12-17 12:17 UTC, Jan Lieskovsky	no flags	Details \| Diff
Downloaded upstream patch. (7.98 KB, application/x-tar) 2008-12-17 16:40 UTC, Jan Lieskovsky	no flags	Details
View All

Description Jan Lieskovsky 2008-12-17 12:08:43 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5620 to
the following vulnerability:

RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
attackers to cause a denial of service (memory consumption) via
crafted size parameters that are used to create a large quota image.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5620
http://sourceforge.net/forum/forum.php?forum_id=898542

Upstream patch:
http://downloads.sourceforge.net/roundcubemail/roundcubemail-0.2-beta-patch.tar.gz

Comment 1 Jan Lieskovsky 2008-12-17 12:10:34 UTC

Created attachment 327236 [details]
Upstream patch

Comment 2 Jan Lieskovsky 2008-12-17 12:11:29 UTC

This issue affects all versions of the Roundcubemail package, as shipped
with Fedora releases of 9, 10 and devel.

Comment 3 Jan Lieskovsky 2008-12-17 12:16:30 UTC

Created attachment 327238 [details]
/bin/html2text.php diff part extracted from upstream patch.

Comment 4 Jan Lieskovsky 2008-12-17 12:17:55 UTC

Created attachment 327240 [details]
/bin/quotaimg.php diff extracted from the upstream patch

Comment 6 Jan Lieskovsky 2008-12-17 16:40:56 UTC

Created attachment 327267 [details]
Downloaded upstream patch.

Comment 7 Gwyn Ciesla 2008-12-17 16:42:44 UTC

These patches are reflected in the current version, 0.2-beta.  This
vulnerability affects per 0.2-beta releases.

Comment 8 Tomas Hoger 2008-12-17 17:00:53 UTC

Patch in comment #4 does not seem to be, or do I miss anything?

Comment 9 Gwyn Ciesla 2008-12-17 17:19:19 UTC

Whoops, bad patch.  Fixing. . .

Comment 10 Fedora Update System 2008-12-17 21:10:24 UTC

roundcubemail-0.2-5.beta.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc9

Comment 11 Fedora Update System 2008-12-17 21:10:27 UTC

roundcubemail-0.2-5.beta.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc8

Comment 12 Fedora Update System 2008-12-17 21:10:30 UTC

roundcubemail-0.2-5.beta.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/roundcubemail-0.2-5.beta.fc10

Comment 13 Fedora Update System 2008-12-21 08:28:56 UTC

roundcubemail-0.2-5.beta.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-12-21 08:31:34 UTC

roundcubemail-0.2-5.beta.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-12-21 08:34:55 UTC

roundcubemail-0.2-5.beta.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Red Hat Product Security 2008-12-30 17:27:06 UTC

This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2008-11456
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-11581
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-11535

Note You need to log in before you can comment on or make changes to this bug.