Bug 1082822 - (CVE-2018-1000071) VUL-0: CVE-2018-1000071,CVE-2018-1000072: roundcubemail: Permissions issue in enigma plugin allows exfiltration of secret gpg key file
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Peter Nixon
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/200826/
Reported: 2018-02-26 11:58 UTC by Johannes Segitz
Modified: 2019-07-11 14:57 UTC (History)

Found By: Security Response Team
Description Johannes Segitz 2018-02-26 11:58:04 UTC
rh#1549054

The Enigma plugin in a roundcube installation running on the nginx web server is vulnerable to insecure permissions, due to which a remote attacker is able to exfiltrate a user's password-protected secret GPG key file using a specially crafted URL.

Affected versions: before 1.3.4 => Leap 42.3

References:
https://github.com/roundcube/roundcubemail/issues/6173
https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1549054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000071
Comment 2 Andreas Stieger 2018-02-26 13:08:18 UTC
Leap 42.3 has 1.1.9
/srv/www/roundcubemail/plugins/enigma has root:root 755 and is in the web tree.

This was actually NOT fixed in the upstream release. This path was touched:

+# RW need for PGP plugin
+%attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home
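Review bot: mode 0700 with owner wwwrun on `%{roundcubepath}/plugins/enigma/home` does not take the directory out of the web tree, because the path is still under `%{roundcubepath}` and the owning account is the one the web server runs as, so the attribute only shuts out other local users. Suggest packaging this directory outside `%{roundcubepath}`, or shipping a web server rule that denies requests to it, and extending the `# RW need for PGP plugin` comment to say that key material is stored here.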
https://build.opensuse.org/request/show/577173


Joop, Eric, is one of you able to please:

* verify affectedness for server:php:applications/roundcubemail 1.3.4?
* if affected fix it
* suggest a maintenance update?
Comment 3 Andreas Stieger 2018-02-26 13:12:08 UTC
server:php:applications/roundcubemail actually has maintainers...
Comment 4 Eric Schirra 2018-02-26 13:28:58 UTC
(In reply to Andreas Stieger from comment #2)
> Leap 42.3 has 1.1.9
> /srv/www/roundcubemail/plugins/enigma has root:root 755 and is in the web
> tree.
> 
> This was actually NOT fixed in the upstream release. This path was touched:

This is no security risk, because with root:root you can not use this plugin.
Apache must have write rights to save and generate keys.
With root:root apache can not do this.
Comment 5 Andreas Stieger 2018-03-01 09:42:12 UTC
(In reply to Eric Schirra from comment #4)
> This is no security risk, because with root:root you can not use this plugin.
> Apache must have write rights to save and generate keys.
> With root:root apache can not do this.

Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.
Comment 6 Eric Schirra 2018-04-13 07:39:53 UTC
(In reply to Andreas Stieger from comment #5)
> (In reply to Eric Schirra from comment #4)
> > This is no security risk, because with root:root you can not use this plugin.
> > Apache must have write rights to save and generate keys.
> > With root:root apache can not do this.
> 
> Are you sure? The vulnerability is about remote attackers reading
> confidential files due to them being web readable and in the web tree, which
> is the case here.

In devel, factory (Tumbleweed) and Leap 15.0 there is:

# RW need for PGP plugin
%attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home

So only wwwrun can rwx.
And without these rights, the enigma plugin cannot be used.
I think this is secure enough.
And you can change the dir manually to another location.

We can put only this plugin outside the normal roundcube path.
But why? And this will not be clear and logical, because all other plugins are under roundcubepath.
Comment 7 Andreas Stieger 2019-01-08 15:54:09 UTC
It just seems logical to have plugin temporary and database data outside of the web tree.
Comment 8 Eric Schirra 2019-01-09 17:32:57 UTC
(In reply to Andreas Stieger from comment #7)
> It just seems logical to have plugin temporary and database data outside of
> the web tree.

Sorry. I can do nothing at the moment,
because roundcube itself has trouble.
Another bug report is open for this.

Must wait until the roundcubemail bug is fixed.
After that I can make changes and test it.
Comment 9 Tomáš Chvátal 2019-07-11 11:27:35 UTC
This is automated batch bugzilla cleanup.

The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please
feel free to reopen this bug against that version (!you must update the
"Version" component in the bug fields, do not just reopen please), or
alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime
Comment 10 Marcus Meissner 2019-07-11 14:57:31 UTC
15.0 has 1.3.6 -> fixed