From 2f9049ccca60685914d9faae8586e14fd4d65a34 Mon Sep 17 00:00:00 2001 From: Jon Ciesla Date: Dec 17 2008 21:02:49 +0000 Subject: CVE-2008-5620 --- diff --git a/roundcubemail-0.2-beta-CVE-2008-5620.patch b/roundcubemail-0.2-beta-CVE-2008-5620.patch new file mode 100644 index 0000000..b6e6ff2 --- /dev/null +++ b/roundcubemail-0.2-beta-CVE-2008-5620.patch @@ -0,0 +1,60 @@ +--- bin/quotaimg.php.orig 2008-09-12 11:48:23.000000000 -0500 ++++ bin/quotaimg.php 2008-12-16 11:21:30.000000000 -0600 +@@ -4 +4 @@ +- | program/bin/quotaimg.php | ++ | bin/quotaimg.php | +@@ -7 +7 @@ +- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | ++ | Copyright (C) 2005-2008, RoundCube Dev. - Switzerland | +@@ -17 +17 @@ +- $Id: $ ++ $Id$ +@@ -21,4 +21,4 @@ +-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??'; +-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??'; +-$width = empty($_GET['w']) ? 100 : (int)$_GET['w']; +-$height = empty($_GET['h']) ? 14 : (int)$_GET['h']; ++$used = isset($_GET['u']) ? intval($_GET['u']) : '??'; ++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??'; ++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w'])); ++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h'])); +@@ -99 +99 @@ +- } ++ } +@@ -101,2 +101 @@ +- if (strpos($used, '?') !== false || strpos($total, '?') !== false +- && $used != 0) { ++ if (strpos($used, '?') !== false || strpos($total, '?') !== false && $used != 0) { +@@ -104 +103 @@ +- } ++ } +@@ -156 +155 @@ +- // if($quota >= $limit['low']) ++ // if($quota >= $limit['low']) +@@ -166 +165 @@ +- // Print percent in black ++ // Print percent in black +@@ -171,5 +170,5 @@ +- +- // @todo is harcoding GMT necessary? +- header('Expires: ' . gmdate('D, d M Y H:i:s', mktime()+86400) . ' GMT'); +- header('Cache-Control: '); +- header('Pragma: '); ++ ++ // cache for 1 hour ++ $maxage = 3600; ++ header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$maxage). ' GMT'); ++ header('Cache-Control: max-age=' . $maxage); +@@ -181 +180,7 @@ +-genQuota($used, $quota, $width, $height); ++if ($width > 1 && $height > 1) { ++ genQuota($used, $quota, $width, $height); ++} ++else { ++ header("HTTP/1.0 404 Not Found"); ++} ++ +@@ -183 +188 @@ +-?> +\ No newline at end of file ++?> diff --git a/roundcubemail.spec b/roundcubemail.spec index af4c00d..29cb7f7 100644 --- a/roundcubemail.spec +++ b/roundcubemail.spec @@ -1,7 +1,7 @@ %define roundcubedir %{_datadir}/roundcubemail Name: roundcubemail Version: 0.2 -Release: 4.beta%{?dist} +Release: 5.beta%{?dist} Summary: Round Cube Webmail is a browser-based multilingual IMAP client Group: Applications/System @@ -14,6 +14,8 @@ Source4: roundcubemail-README.fedora Patch0: roundcubemail-0.2-beta-confpath.patch # From upstream, not in a release yet, BZ 476223. Patch1: roundcubemail-0.2-beta-html2text.patch +# From upstream, not in a release yet, BZ 476830. +Patch2: roundcubemail-0.2-beta-CVE-2008-5620.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n) @@ -45,6 +47,7 @@ interface is fully skinnable using XHTML and CSS 2. %patch0 -p0 %patch1 -p0 +%patch2 -p0 # fix permissions and remove any .htaccess files find . -type f -print | xargs chmod a-x @@ -132,6 +135,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/roundcubemail %changelog +* Wed Dec 17 2008 Jon Ciesla = 0.2-5.beta +- Security fix, BZ 476830. + * Fri Dec 12 2008 Jon Ciesla = 0.2-4.beta - Security fix, BZ 476223.