Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 7 Jul 2015 09:59:23 +0200
From: Andreas Stieger <>
Subject: Re: Re: CVE request for vulnerabilities fixed in
 roundcubemail 1.1.2 and 1.0.6


On 07/07/2015 04:57 AM, wrote:
> > Fix security issue in contact photo handling
> >
> > There is a potential for an arbitrary read from an authenticated user
> > who uploads a contact (vCard) with a specially crafted POST.
> > [...]
> > by supplying the "_alt" param in the POST. User must be authenticated.
> > [...]
> > I was able to read any file on disk (the apache has access to, e.g.
> > config/ using GET request
> > Commits:
> > 1.1:
> > 1.0:
> Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
> announced in --
> do you mean that part of the _alt vulnerability was fixed in
> and then a
> different part of the _alt vulnerability was fixed in
> (if so, then
> there would potentially be another CVE ID)?

Mistake on my side. 681ba6fc3 was a changeset that removed functionality
using the _alt argument, I did not mean to imply that part of the _alt
vulnerability was fixed by it.
e84fafcec is the changeset that fixes the issue in 1.1, and 6ccd4c54b
the corresponding backport to 1.0.


Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ