Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 7 Jul 2015 09:59:23 +0200
From: Andreas Stieger <astieger@...e.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request for vulnerabilities fixed in
 roundcubemail 1.1.2 and 1.0.6

Hello,

On 07/07/2015 04:57 AM, cve-assign@...re.org wrote:
> > Fix security issue in contact photo handling
> > http://trac.roundcube.net/ticket/1490379
>
> > There is a potential for an arbitrary read from an authenticated user
> > who uploads a contact (vCard) with a specially crafted POST.
> > [...]
> > by supplying the "_alt" param in the POST. User must be authenticated.
> > [...]
> > I was able to read any file on disk (the apache has access to, e.g.
> > config/config.inc.php) using GET request
>
> > Commits:
> > 1.1: http://trac.roundcube.net/changeset/681ba6fc3/github
> > 1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github
>
> Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be
> announced in http://trac.roundcube.net/changeset/e84fafcec/github --
> do you mean that part of the _alt vulnerability was fixed in
> http://trac.roundcube.net/changeset/681ba6fc3/github and then a
> different part of the _alt vulnerability was fixed in
> http://trac.roundcube.net/changeset/e84fafcec/github (if so, then
> there would potentially be another CVE ID)?

Mistake on my side. 681ba6fc3 was a changeset that removed functionality
using the _alt argument, I did not mean to imply that part of the _alt
vulnerability was fixed by it.
e84fafcec is the changeset that fixes the issue in 1.1, and 6ccd4c54b
the corresponding backport to 1.0.

Andreas

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG N├╝rnberg)



Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ