Bug 847179 - (CVE-2013-6172) VUL-0: CVE-2013-6172 : roundcubemail: vulnerability in handling _session argument of utils/save-prefs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Major
Assigned To: Peter Nixon
Security Team bot
Reported: 2013-10-23 06:57 UTC by Victor Pereira
Modified: 2015-02-19 00:04 UTC (History)
Found By: Security Response Team
Description Victor Pereira 2013-10-23 06:57:55 UTC
A vulnerability was found which could allow an attacker to overwrite configuration settings using user preferences; this can result in random file access, manipulated SQL queries or even remote code execution (0.8.6 and older).

References:
http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
https://bugzilla.redhat.com/show_bug.cgi?id=1021964
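The class of bug described above (client-supplied preference keys landing in the application configuration) is easiest to see side by side with the hardened form. The following is an added illustration written for this page; it is not Roundcube's code and uses hypothetical names (`save_prefs_unsafe`, `save_prefs_safe`, `effective_config`, `ALLOWED_PREFS`) and constructed sample config values.

```php
<?php
// Added illustration, not Roundcube's code: why a "save preferences" endpoint
// must filter the keys it accepts before they are merged over the config.
// Assumption (hypothetical structure): config is an array, and per-user
// preferences are merged over it at request time, so a pref key that matches
// a config key silently replaces the config value.

// Baseline configuration (constructed sample values).
$config = [
    'db_dsnw'     => 'mysql://roundcube:***@localhost/roundcubemail',
    'temp_dir'    => '/var/lib/roundcubemail/temp',
    'plugins'     => ['archive'],
    'timezone'    => 'UTC',
    'prefer_html' => true,
];

// Unsafe pattern: every posted key is stored as a preference unchanged, so a
// posted 'temp_dir', 'plugins' or 'db_dsnw' later overrides the config.
function save_prefs_unsafe(array $posted): array
{
    return $posted;   // no key filtering at all
}

// Hardened pattern: an allowlist of genuine user preferences, each paired with
// a validator (a callable name); every other key is rejected and reported.
const ALLOWED_PREFS = [
    'timezone'    => 'is_string',
    'prefer_html' => 'is_bool',
];

function save_prefs_safe(array $posted, array &$rejected = []): array
{
    $clean = [];
    foreach ($posted as $key => $value) {
        if (!array_key_exists($key, ALLOWED_PREFS) || !ALLOWED_PREFS[$key]($value)) {
            $rejected[] = $key;   // log these: they indicate a tampered request
            continue;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Preferences override config values with the same key.
function effective_config(array $config, array $prefs): array
{
    return array_merge($config, $prefs);
}

// Constructed request: one legitimate preference plus three config keys that a
// preferences form must never be able to set.
$posted = [
    'timezone' => 'Europe/Berlin',
    'temp_dir' => '/tmp',                         // would redirect file access
    'plugins'  => ['untrusted'],                  // would choose which code is loaded
    'db_dsnw'  => 'mysql://u:p@elsewhere/db',     // would repoint the database
];

$unsafe   = effective_config($config, save_prefs_unsafe($posted));
$rejected = [];
$safe     = effective_config($config, save_prefs_safe($posted, $rejected));

printf("unsafe temp_dir: %s\n", $unsafe['temp_dir']);    // /tmp
printf("safe   temp_dir: %s\n", $safe['temp_dir']);      // /var/lib/roundcubemail/temp
printf("safe   timezone: %s\n", $safe['timezone']);      // Europe/Berlin
printf("rejected keys:   %s\n", implode(', ', $rejected)); // temp_dir, plugins, db_dsnw
```

Two practical points: the allowlist is keyed on what the user is entitled to change, not on what the config happens to contain, so adding a new config option can never widen the attack surface by accident; and because HTML form values arrive as strings, a real validator for `prefer_html` would coerce with `filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)` rather than the bare `is_bool` used here for brevity.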
Comment 1 Swamp Workflow Management 2013-10-23 22:00:23 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-01-14 08:52:36 UTC
ping?
Comment 3 Aeneas Jaißle 2014-03-05 10:18:01 UTC
https://build.opensuse.org/request/show/224647
Comment 4 Marcus Meissner 2014-03-05 11:03:46 UTC
looks good, accepted into openSUSE queue, thanks! (not on SLE, so closing)
Comment 5 Aeneas Jaißle 2014-03-05 11:15:33 UTC
We now require an additional package "php-pear-Net_IDNA2" that is included in openSUSE:Factory but not in openSUSE:12.3 resp. openSUSE:13.1.

How can this be included?
Comment 6 Marcus Meissner 2014-03-06 12:21:54 UTC
I have used the factory version of php5-pear-Net-IDNA2 for 12.3 and 13.1 updates.
Comment 7 Marcus Meissner 2014-03-06 12:53:27 UTC
I get an error on installing roundcubemail:

sed: can't read /etc/roundcubemail/main.inc.php: No such file or directory

and the DES key is not replaced.

This file is generated only later in the %post script. (It will probably work better on the next upgrade, but it also should work on initial installation.)
Comment 9 Swamp Workflow Management 2014-03-13 16:05:00 UTC
openSUSE-SU-2014:0365-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 847179
CVE References: CVE-2013-6172
Sources used:
openSUSE 13.1 (src):    php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-2.5.1
openSUSE 12.3 (src):    php5-pear-Net_IDNA2-0.1.1-2.1, roundcubemail-0.9.5-1.13.1
Comment 10 Marcus Meissner 2014-03-13 16:11:31 UTC
released