847179 – (CVE-2013-6172) VUL-0: CVE-2013-6172 : roundcubemail: vulnerability in handling _session argument of utils/save-prefs

Bug 847179 (CVE-2013-6172) - VUL-0: CVE-2013-6172 : roundcubemail: vulnerability in handling _session argument of utils/save-prefs

Summary: VUL-0: CVE-2013-6172 : roundcubemail: vulnerability in handling _session argu...

Status:	RESOLVED FIXED

Alias:	CVE-2013-6172

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.1

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Peter Nixon
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-10-23 06:57 UTC by Victor Pereira
Modified:	2015-02-19 00:04 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2013-10-23 06:57:55 UTC

it was found a vulnerability, which could allow an attacker to overwrite configuration settings using user preferences, that can result in random file access, manipulated SQL queries or even remote code execution (0.8.6 and older).


References:
http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
https://bugzilla.redhat.com/show_bug.cgi?id=1021964

Comment 1 Swamp Workflow Management 2013-10-23 22:00:23 UTC

bugbot adjusting priority

Comment 2 Marcus Meissner 2014-01-14 08:52:36 UTC

ping?

Comment 3 Aeneas Jaißle 2014-03-05 10:18:01 UTC

https://build.opensuse.org/request/show/224647

Comment 4 Marcus Meissner 2014-03-05 11:03:46 UTC

looks good, accepted into openszuse queue, thanks! (not on SLE, so closing)

Comment 5 Aeneas Jaißle 2014-03-05 11:15:33 UTC

We now require an additional package "php-pear-Net_IDNA2" that is included in openSUSE:Factory but not in openSUSE:12.3 resp. openSUSE:13.1.

How can this be included?

Comment 6 Marcus Meissner 2014-03-06 12:21:54 UTC

I have used the factory version of php5-pear-Net-IDNA2 for 12.3 and 13.1 updates.

Comment 7 Marcus Meissner 2014-03-06 12:53:27 UTC

i get an error on installing roundcubemail:

sed: can't read /etc/roundcubemail/main.inc.php: No such file or directory

and the DES key is not replaced.

this file is generated only later in the %post script. (it will probably work better on the next upgrade, but it also should work on initial installation).

Comment 8 Aeneas Jaißle 2014-03-07 11:41:44 UTC

https://build.opensuse.org/request/show/225007
https://build.opensuse.org/request/show/225008

Comment 9 Swamp Workflow Management 2014-03-13 16:05:00 UTC

openSUSE-SU-2014:0365-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 847179
CVE References: CVE-2013-6172
Sources used:
openSUSE 13.1 (src):    php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-2.5.1
openSUSE 12.3 (src):    php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-1.13.1

Comment 10 Marcus Meissner 2014-03-13 16:11:31 UTC

released