roundcube: CVE-2008-5620 massive memory consumption via crafted image

Related Vulnerabilities: CVE-2008-5620

Debian Bug report logs - #509596

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 23 Dec 2008 17:27:01 UTC

Severity: grave

Tags: patch, security

Found in version 0.1-4~bpo40+1

Fixed in versions 0.1.1-10, 0.2~alpha-4

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#509596; Package roundcube. (Tue, 23 Dec 2008 17:27:03 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 23 Dec 2008 17:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: roundcube: CVE-2008-5620 massive memory consumption via crafted image
Date: Tue, 23 Dec 2008 18:23:02 +0100
Package: roundcube
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.

CVE-2008-5620[0]:
| RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
| attackers to cause a denial of service (memory consumption) via
| crafted size parameters that are used to create a large quota image.

Attached is a patch I extracted from the bundled upstream 
patch on http://sourceforge.net/forum/forum.php?forum_id=898542

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5620
    http://security-tracker.debian.net/tracker/CVE-2008-5620

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[quotaimg.php.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#509596; Package roundcube. (Tue, 23 Dec 2008 18:57:03 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 23 Dec 2008 18:57:03 GMT)


Message #10 received at 509596@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Nico Golde <nion@debian.org>, 509596@bugs.debian.org
Subject: Re: Bug#509596: roundcube: CVE-2008-5620 massive memory consumption via crafted image
Date: Tue, 23 Dec 2008 19:54:48 +0100
On Tue, 23 Dec 2008 18:23:02 +0100, Nico Golde <nion@debian.org> wrote:
> Package: roundcube
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.
> 
> CVE-2008-5620[0]:
> | RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
> | attackers to cause a denial of service (memory consumption) via
> | crafted size parameters that are used to create a large quota image.
> 
> Attached is a patch I extracted from the bundled upstream 
> patch on http://sourceforge.net/forum/forum.php?forum_id=898542

Thanks for the patch!

Here is a more minimal one for 0.1.1.
[roundcube-cve-2008-5620.patch (text/plain, attachment)]
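
An added example, not taken from either attached patch or from Roundcube's source: a PHP sketch of the control the CVE description implies, bounding request-supplied size parameters before any image is allocated. The parameter names `w` and `h`, the defaults, the limits and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; not Roundcube's code. Parameter names, defaults,
// limits and function names are assumptions.

const QUOTA_IMG_MAX_WIDTH  = 300; // assumed upper bound, in pixels
const QUOTA_IMG_MAX_HEIGHT = 50;  // assumed upper bound, in pixels

/**
 * Return a dimension clamped to [1, $max], or $default when the raw
 * request value is missing or is not a plain decimal integer.
 */
function bounded_dimension($raw, int $default, int $max): int
{
    // Rejects arrays (w[]=1), signs, floats, exponents, hex and
    // over-long digit strings before any integer conversion happens.
    if (!is_string($raw) || !preg_match('/^\d{1,6}\z/', $raw)) {
        return $default;
    }
    return max(1, min((int) $raw, $max));
}

/** Width and height that are safe to hand to the image library. */
function quota_image_size(array $query): array
{
    $w = bounded_dimension($query['w'] ?? null, 100, QUOTA_IMG_MAX_WIDTH);
    $h = bounded_dimension($query['h'] ?? null, 14, QUOTA_IMG_MAX_HEIGHT);
    return [$w, $h];
}

/** A truecolor GD canvas stores one 32-bit value per pixel. */
function estimated_canvas_bytes(int $width, int $height): int
{
    return $width * $height * 4;
}

// Constructed inputs: an ordinary request, an oversized one, a malformed one.
$samples = [
    ['w' => '120', 'h' => '14'],
    ['w' => '50000', 'h' => '50000'],
    ['w' => ['x'], 'h' => '-5'],
];
foreach ($samples as $query) {
    [$w, $h] = quota_image_size($query);
    printf("%-28s -> %dx%d (~%d bytes)\n",
        json_encode($query), $w, $h, estimated_canvas_bytes($w, $h));
}
```

With these assumed limits the canvas never exceeds 300x50 pixels, about 60 kB, whatever the request asks for.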

Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Tue, 23 Dec 2008 21:09:09 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Tue, 23 Dec 2008 21:09:09 GMT)


Message #15 received at 509596-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 509596-close@bugs.debian.org
Subject: Bug#509596: fixed in roundcube 0.1.1-10
Date: Tue, 23 Dec 2008 20:47:12 +0000
Source: roundcube
Source-Version: 0.1.1-10

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.1.1-10_all.deb
  to pool/main/r/roundcube/roundcube-core_0.1.1-10_all.deb
roundcube-mysql_0.1.1-10_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.1.1-10_all.deb
roundcube-pgsql_0.1.1-10_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.1.1-10_all.deb
roundcube-sqlite_0.1.1-10_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.1.1-10_all.deb
roundcube_0.1.1-10.diff.gz
  to pool/main/r/roundcube/roundcube_0.1.1-10.diff.gz
roundcube_0.1.1-10.dsc
  to pool/main/r/roundcube/roundcube_0.1.1-10.dsc
roundcube_0.1.1-10_all.deb
  to pool/main/r/roundcube/roundcube_0.1.1-10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 509596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Dec 2008 20:52:39 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.1.1-10
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 509596
Changes: 
 roundcube (0.1.1-10) unstable; urgency=high
 .
   * Fix a vulnerability in quota image generation. This fixes
     CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
   * Add description to all patches.
   * Add missing ${misc:Depends} to debian/control.
   * Add missing dependency on php5-gd, used for quota bar.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklRRioACgkQKFvXofIqeU4VEACeMs1kWBTIPJu24AdIME38AcOf
4yYAoIlghNEFiytWSPqSkbR6Lk08TPFI
=bN38
-----END PGP SIGNATURE-----





Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Thu, 25 Dec 2008 11:09:08 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 25 Dec 2008 11:09:08 GMT)


Message #20 received at 509596-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 509596-close@bugs.debian.org
Subject: Bug#509596: fixed in roundcube 0.2~alpha-4
Date: Thu, 25 Dec 2008 10:47:10 +0000
Source: roundcube
Source-Version: 0.2~alpha-4

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.2~alpha-4_all.deb
  to pool/main/r/roundcube/roundcube-core_0.2~alpha-4_all.deb
roundcube-mysql_0.2~alpha-4_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.2~alpha-4_all.deb
roundcube-pgsql_0.2~alpha-4_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.2~alpha-4_all.deb
roundcube-sqlite_0.2~alpha-4_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.2~alpha-4_all.deb
roundcube_0.2~alpha-4.diff.gz
  to pool/main/r/roundcube/roundcube_0.2~alpha-4.diff.gz
roundcube_0.2~alpha-4.dsc
  to pool/main/r/roundcube/roundcube_0.2~alpha-4.dsc
roundcube_0.2~alpha-4_all.deb
  to pool/main/r/roundcube/roundcube_0.2~alpha-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 509596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Dec 2008 11:38:13 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~alpha-4
Distribution: experimental
Urgency: low
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 508633 509596
Changes: 
 roundcube (0.2~alpha-4) experimental; urgency=low
 .
   * Add missing ${misc:Depends} to make Lintian happy.
   * Add description to each patch.
   * Execute cron job only if the directory to clean exists.
   * Reload web server configuration instead of restart, thanks to a patch
     from Tiago Bortoletto Vaz. Closes: #508633.
   * Fix a vulnerability in quota image generation. This fixes
     CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
   * Add missing dependency on php5-gd, used for quota bar.
   * For roundcube-pgsql, depends on postgresql-client only. This package
     is provided by the currently supported real package.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklTYwoACgkQKFvXofIqeU4UiwCfQJt23jkcoretrrcvdrUqPXwu
hZoAoKXNPfS+RYkXyjeA64x47+rVp/hL
=aqjt
-----END PGP SIGNATURE-----





Bug reopened, originator not changed. Request was from Marco Solieri <soujak@xt3.it> to control@bugs.debian.org. (Mon, 29 Dec 2008 01:18:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#509596; Package roundcube. (Mon, 29 Dec 2008 01:24:02 GMT)


Acknowledgement sent to Marco Solieri <soujak@xt3.it>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 29 Dec 2008 01:24:02 GMT)


Message #27 received at 509596@bugs.debian.org:

From: Marco Solieri <soujak@xt3.it>
To: 509596@bugs.debian.org
Subject: Bug#509596: etch-backports still vulnerable
Date: Mon, 29 Dec 2008 02:21:19 +0100
The Roundcube version in etch-backports is still at version
0.1-4~bpo40+1: it is still unpatched and vulnerable.

Bug has been reopened.

-- 
Marco Solieri
 aka SoujaK

Bug marked as fixed in version 0.1.1-10, send any further explanations to Nico Golde <nion@debian.org> Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2008 12:03:03 GMT)


Bug marked as fixed in version 0.2~alpha-4, send any further explanations to Nico Golde <nion@debian.org> Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2008 12:03:04 GMT)


Bug marked as found in version 0.1-4~bpo40+1. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Mon, 29 Dec 2008 12:03:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Jan 2009 07:33:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:21:23 2019; Machine Name: beach
