Date:      Sun, 28 Dec 2008 01:03:43 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/129982: [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
Message-ID:  <20081227220343.704CEB8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812272210.mBRMA5RP047639@freefall.freebsd.org>


>Number:         129982
>Category:       ports
>Synopsis:       [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 27 22:10:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

RoundCube Mail is prone to remote (PHP) code execution.

>How-To-Repeat:

http://trac.roundcube.net/ticket/1485618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619

>Fix:

The following patch adds upstream fix for the issue:
--- fix-CVE-2008-5619.diff begins here ---
>From 6d318348de0376b7ccf145dedcced0650dcbabb4 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 28 Dec 2008 00:44:50 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 mail/roundcube/Makefile                  |    1 +
 mail/roundcube/files/patch-CVE-2008-5619 |  131 ++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+), 0 deletions(-)
 create mode 100644 mail/roundcube/files/patch-CVE-2008-5619

diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index 0f3aa65..e932835 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	roundcube
 DISTVERSION=	0.2-beta
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	mail www
 MASTER_SITES=	SF/${PORTNAME}mail
diff --git a/mail/roundcube/files/patch-CVE-2008-5619 b/mail/roundcube/files/patch-CVE-2008-5619
new file mode 100644
index 0000000..264b87e
--- /dev/null
+++ b/mail/roundcube/files/patch-CVE-2008-5619
@@ -0,0 +1,131 @@
+Fix for CVE-2008-5619
+
+Obtained from: http://trac.roundcube.net/changeset/2148?format=diff&new=2148
+
+--- program/lib/html2text.php.orig	2008-08-30 16:35:36.000000000 +0400
++++ program/lib/html2text.php	2008-12-28 00:37:43.000000000 +0300
+@@ -149,25 +149,18 @@
+         '/<script[^>]*>.*?<\/script>/i',         // <script>s -- which strip_tags supposedly has problems with
+         '/<style[^>]*>.*?<\/style>/i',           // <style>s -- which strip_tags supposedly has problems with
+         //'/<!-- .* -->/',                         // Comments -- which strip_tags might have problem a with
+-        '/<h[123][^>]*>(.*?)<\/h[123]>/ie',      // H1 - H3
+-        '/<h[456][^>]*>(.*?)<\/h[456]>/ie',      // H4 - H6
+         '/<p[^>]*>/i',                           // <P>
+         '/<br[^>]*>/i',                          // <br>
+-        '/<b[^>]*>(.*?)<\/b>/ie',                // <b>
+-        '/<strong[^>]*>(.*?)<\/strong>/ie',      // <strong>
+         '/<i[^>]*>(.*?)<\/i>/i',                 // <i>
+         '/<em[^>]*>(.*?)<\/em>/i',               // <em>
+         '/(<ul[^>]*>|<\/ul>)/i',                 // <ul> and </ul>
+         '/(<ol[^>]*>|<\/ol>)/i',                 // <ol> and </ol>
+         '/<li[^>]*>(.*?)<\/li>/i',               // <li> and </li>
+         '/<li[^>]*>/i',                          // <li>
+-        '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.*?)<\/a>/ie',
+-                                                 // <a href="">
+         '/<hr[^>]*>/i',                          // <hr>
+         '/(<table[^>]*>|<\/table>)/i',           // <table> and </table>
+         '/(<tr[^>]*>|<\/tr>)/i',                 // <tr> and </tr>
+         '/<td[^>]*>(.*?)<\/td>/i',               // <td> and </td>
+-        '/<th[^>]*>(.*?)<\/th>/ie',              // <th> and </th>
+         '/&(nbsp|#160);/i',                      // Non-breaking space
+         '/&(quot|rdquo|ldquo|#8220|#8221|#147|#148);/i',
+ 		                                         // Double quotes
+@@ -201,25 +194,18 @@
+         '',                                     // <script>s -- which strip_tags supposedly has problems with
+         '',                                     // <style>s -- which strip_tags supposedly has problems with
+         //'',                                     // Comments -- which strip_tags might have problem a with
+-        "strtoupper(\"\n\n\\1\n\n\")",          // H1 - H3
+-        "ucwords(\"\n\n\\1\n\")",             // H4 - H6
+         "\n\n",                               // <P>
+         "\n",                                   // <br>
+-        'strtoupper("\\1")',                    // <b>
+-        'strtoupper("\\1")',                    // <strong>
+         '_\\1_',                                // <i>
+         '_\\1_',                                // <em>
+         "\n\n",                                 // <ul> and </ul>
+         "\n\n",                                 // <ol> and </ol>
+         "\t* \\1\n",                            // <li> and </li>
+         "\n\t* ",                               // <li>
+-    	'$this->_build_link_list("\\2", "\\3")',
+-    	                                	// <a href="">
+     	"\n-------------------------\n",        // <hr>
+     	"\n\n",                                 // <table> and </table>
+         "\n",                                   // <tr> and </tr>
+         "\t\t\\1\n",                            // <td> and </td>
+-        "strtoupper(\"\t\t\\1\n\")",            // <th> and </th>
+         ' ',                                    // Non-breaking space
+         '"',                                    // Double quotes
+         "'",                                    // Single quotes
+@@ -238,6 +224,22 @@
+         ' '                                     // Runs of spaces, post-handling
+     );
+ 
++    /**
++     *  List of preg* regular expression patterns to search for
++     *  and replace using callback function.
++     *
++     *  @var array $callback_search
++     *  @access public
++     */
++    var $callback_search = array(
++        '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3
++        '/<(b)[^>]*>(.*?)<\/b>/i',                 // <b>
++        '/<(strong)[^>]*>(.*?)<\/strong>/i',       // <strong>
++        '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i',
++                                                   // <a href="">
++        '/<(th)[^>]*>(.*?)<\/th>/i',               // <th> and </th>
++    );
++
+    /**
+     *  List of preg* regular expression patterns to search for in PRE body,
+     *  used in conjunction with $pre_replace.
+@@ -471,6 +473,7 @@
+ 
+         // Strip any other HTML tags
+         $text = strip_tags($text, $this->allowed_tags);
++        $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+ 
+         // Bring down number of empty lines to 2 max
+         $text = preg_replace("/\n\s+\n/", "\n\n", $text);
+@@ -549,3 +552,41 @@
+ }
+ 
+ ?>
++
++    /**
++     *  Callback function for preg_replace_callback use.
++     *
++     *  @param  array PREG matches
++     *  @return string
++     *  @access private
++     */
++    function _preg_callback($matches)
++    {
++	switch($matches[1])
++	{
++	    case 'b':
++	    case 'strong':
++		return $this->_strtoupper($matches[2]);
++	    case 'hr':
++		return $this->_strtoupper("\t\t". $matches[2] ."\n");
++	    case 'h':
++		return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++	    case 'a':
++    	        return $this->_build_link_list($matches[3], $matches[4]);
++	}
++    }
++    
++    /**
++     *  Strtoupper multibyte wrapper function
++     *
++     *  @param  string
++     *  @return string
++     *  @access private
++     */
++    function _strtoupper($str)
++    {
++	if (function_exists('mb_strtoupper'))
++    	    return mb_strtoupper($str);
++    	else
++	    return strtoupper($str);
++    }
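Review bot: In the last inner hunk of patch-CVE-2008-5619 (`@@ -549,3 +552,41 @@`), `_preg_callback()` and `_strtoupper()` are appended after the context lines `}` and `?>`, so as written they land outside the class and after the PHP closing tag; the `array('html2text', '_preg_callback')` callback would then not resolve, and the added lines would be emitted as page output rather than executed. The two functions should be inserted before the class's closing `}` instead. Separately, `$callback_search` captures `(th)` but the switch tests `case 'hr':`, so a `<th>` match falls through without a return and the cell text is dropped; that label should read `case 'th':`. The callback pass is also added after `strip_tags($text, $this->allowed_tags)`, which presumably removes the `<h*>`, `<b>`, `<strong>`, `<a>` and `<th>` tags before the new patterns can match unless `allowed_tags` lists them (its value is outside the hunk), so the call likely belongs before `strip_tags`.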
-- 
1.6.0.5

--- fix-CVE-2008-5619.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="8f483746-d45d-11dd-84ec-001fc66e7203">
    <topic>roundcube -- remote execution of arbitrary code</topic>
    <affects>
      <package>
        <name>roundcube</name>
        <range><lt>0.2-beta_1,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Entry for CVE-2008-5619 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619">
          <p>html2text.php in RoundCube Webmail (roundcubemail)
          0.2-1.alpha and 0.2-3.beta allows remote attackers to execute
          arbitrary code via crafted input that is processed by the
          preg_replace function with the eval switch.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5619</cvename>
      <url>http://trac.roundcube.net/ticket/1485618</url>
    </references>
    <dates>
      <discovery>12-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


