Bug 483426 - There is a remote shell vulnerability in roundcubemail 0.1.1
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: roundcubemail
Version: el5
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL: http://sourceforge.net/forum/forum.ph...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-01 06:23 UTC by Gordon Messmer
Modified: 2009-03-31 21:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-17 19:07:15 UTC
Type: ---
Embargoed:


Attachments
Patch to fix CVE-2008-5619 (24.89 KB, application/octet-stream)
2009-03-16 05:19 UTC, Gordon Messmer

Description Gordon Messmer 2009-02-01 06:23:45 UTC
Description of problem:
A vulnerability in roundcubemail 0.1.1 may allow attackers to execute commands as the "httpd" user.

This bug is fixed in 0.2:
http://sourceforge.net/forum/forum.php?forum_id=898542

Version-Release number of selected component (if applicable):
roundcubemail-0.1.1-4.el5

Comment 1 Gwyn Ciesla 2009-02-02 14:16:34 UTC
0.2 will not work in RHEL5 or earlier due to the PHP version.  I'll see if I can fix or craft a patch.

Comment 2 Gwyn Ciesla 2009-02-02 15:13:01 UTC
To be clear, are you referring to the html2text and quota vulnerabilities?

Comment 3 Gordon Messmer 2009-02-02 17:08:00 UTC
Yes, I am.

Comment 4 Gwyn Ciesla 2009-02-02 19:55:35 UTC
I can build but not effectively test for EL-5.  Would you be willing to test an uploaded rpm, or would you prefer a srpm?

Comment 5 Gwyn Ciesla 2009-02-18 18:22:26 UTC
Ping?

Comment 6 Gordon Messmer 2009-02-19 21:34:02 UTC
I can test either.  I'd be curious enough to review the patch, as well, so a src.rpm would be welcome.

Comment 7 Gordon Messmer 2009-03-16 05:19:06 UTC
I've successfully tested the attached patch.  It merely replaces html2text.inc with the version of html2text.php released to fix the bug in 0.2.  Please publish an updated package ASAP.  This is actively being exploited in the wild.

Comment 8 Gordon Messmer 2009-03-16 05:19:58 UTC
Created attachment 335298
Patch to fix CVE-2008-5619

Comment 9 Gwyn Ciesla 2009-03-17 19:07:15 UTC
Built for EL-5 and EL-4, sent request for push to epel-signers.

Thanks very much for the patch and testing.  Sorry for the delay, I've been extraordinarily busy of late.

Comment 10 Orion Poplawski 2009-03-31 21:07:00 UTC
This still hasn't been pushed.  I'm going to try to ping the epel-signers.  Just got hit by this yesterday.
