Re: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6

[Andreas Stieger <astieger () suse de>]

Hello,

On 07/07/2015 04:57 AM, cve-assign () mitre org wrote:
> > Fix security issue in contact photo handling
> > http://trac.roundcube.net/ticket/1490379
>
> > There is a potential for an arbitrary read from an authenticated user
> > who uploads a contact (vCard) with a specially crafted POST.
> > [...]
> > by supplying the "_alt" param in the POST. User must be authenticated.
> > [...]
> > I was able to read any file on disk (the apache has access to, e.g.
> > config/config.inc.php) using GET request
>
> > Commits:
> > 1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
> > 1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github
>
> Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
> announced in http://trac.roundcube.net/changeset/e84fafcec/github --
> do you mean that part of the _alt vulnerability was fixed in
> http://trac.roundcube.net/changeset/681ba6fc3/github and then a
> different part of the _alt vulnerability was fixed in
> http://trac.roundcube.net/changeset/e84fafcec/github (if so, then
> there would potentially be another CVE ID)?

Mistake on my side. 681ba6fc3 was a changeset that removed functionality
using the _alt argument, I did not mean to imply that part of the _alt
vulnerability was fixed by it.
e84fafcec is the changeset that fixes the issue in 1.1, and 6ccd4c54b
the corresponding backport to 1.0.

Andreas

-- 
Andreas Stieger <astieger () suse de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)

Attachment: signature.asc
Description: OpenPGP digital signature