System Administration, Reconfigurable Computing and Other Random Topics

Fixing Roundcube’s command execution vulnerability in Debian Wheezy

Recently a quite serious vulnerability (CVE-2016-9920) in Roundcube was reported. Until now (7th Dec) this vulnerability is unfixed in Debian’s roundcube packages (see the corresponding entry in the Debian Security Tracker).

The upstream patch is not directly applicable to version 0.7 which is used in Debian Wheezy but with a little modification it is. Following you find a corresponding patch*.

Update 9th Dec: The fix shown below was recently applied to the Debian Wheezy package and an update was released (0.7.2-9+deb7u5).

From 5d0f51742df3911b2f94d3347967a1e5b280f398 Mon Sep 17 00:00:00 2001
From: Michael Lass <bevan@bi-co.net>
Date: Wed, 7 Dec 2016 07:40:06 +0100
Subject: [PATCH] Fix vulnerability in handling of mail()'s 5th argument

Manually cherry-picked from f842337
 CHANGELOG                |    1 +
 program/include/main.inc |    2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

index 24b61ae..850e57c 100644
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail

+- Fix vulnerability in handling of mail()'s 5th argument
 - Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

 RELEASE 0.7.4
diff --git a/program/include/main.inc b/program/include/main.inc
index 7a3e1c0..62bb8ac 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1788,7 +1788,7 @@ function rcmail_deliver_message(&$message, $from, $mailto, &$smtp_error, &$body_
       if (ini_get('safe_mode'))
         $sent = mail($to, $subject, $msg_body, $header_str);
-        $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
+        $sent = mail($to, $subject, $msg_body, $header_str, '-f' . escapeshellarg($from));


*: Roundcube 0.7.2 and the shown patch are released under GNU General Public License Version 2 (GPLv2).

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha loading...