ports/129982: [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Dec 27 22:10:05 UTC 2008
>Number: 129982
>Category: ports
>Synopsis: [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 27 22:10:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
RoundCube Mail is prone to remote (PHP) code execution.
>How-To-Repeat:
http://trac.roundcube.net/ticket/1485618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
>Fix:
The following patch adds upstream fix for the issue:
--- fix-CVE-2008-5619.diff begins here ---
>From 6d318348de0376b7ccf145dedcced0650dcbabb4 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sun, 28 Dec 2008 00:44:50 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
mail/roundcube/Makefile | 1 +
mail/roundcube/files/patch-CVE-2008-5619 | 131 ++++++++++++++++++++++++++++++
2 files changed, 132 insertions(+), 0 deletions(-)
create mode 100644 mail/roundcube/files/patch-CVE-2008-5619
diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index 0f3aa65..e932835 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -7,6 +7,7 @@
PORTNAME= roundcube
DISTVERSION= 0.2-beta
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= mail www
MASTER_SITES= SF/${PORTNAME}mail
diff --git a/mail/roundcube/files/patch-CVE-2008-5619 b/mail/roundcube/files/patch-CVE-2008-5619
new file mode 100644
index 0000000..264b87e
--- /dev/null
+++ b/mail/roundcube/files/patch-CVE-2008-5619
@@ -0,0 +1,131 @@
+Fix for CVE-2008-5619
+
+Obtained from: http://trac.roundcube.net/changeset/2148?format=diff&new=2148
+
+--- program/lib/html2text.php.orig 2008-08-30 16:35:36.000000000 +0400
++++ program/lib/html2text.php 2008-12-28 00:37:43.000000000 +0300
+@@ -149,25 +149,18 @@
+ '/<script[^>]*>.*?<\/script>/i', // <script>s -- which strip_tags supposedly has problems with
+ '/<style[^>]*>.*?<\/style>/i', // <style>s -- which strip_tags supposedly has problems with
+ //'/<!-- .* -->/', // Comments -- which strip_tags might have problem a with
+- '/<h[123][^>]*>(.*?)<\/h[123]>/ie', // H1 - H3
+- '/<h[456][^>]*>(.*?)<\/h[456]>/ie', // H4 - H6
+ '/<p[^>]*>/i', // <P>
+ '/<br[^>]*>/i', // <br>
+- '/<b[^>]*>(.*?)<\/b>/ie', // <b>
+- '/<strong[^>]*>(.*?)<\/strong>/ie', // <strong>
+ '/<i[^>]*>(.*?)<\/i>/i', // <i>
+ '/<em[^>]*>(.*?)<\/em>/i', // <em>
+ '/(<ul[^>]*>|<\/ul>)/i', // <ul> and </ul>
+ '/(<ol[^>]*>|<\/ol>)/i', // <ol> and </ol>
+ '/<li[^>]*>(.*?)<\/li>/i', // <li> and </li>
+ '/<li[^>]*>/i', // <li>
+- '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.*?)<\/a>/ie',
+- // <a href="">
+ '/<hr[^>]*>/i', // <hr>
+ '/(<table[^>]*>|<\/table>)/i', // <table> and </table>
+ '/(<tr[^>]*>|<\/tr>)/i', // <tr> and </tr>
+ '/<td[^>]*>(.*?)<\/td>/i', // <td> and </td>
+- '/<th[^>]*>(.*?)<\/th>/ie', // <th> and </th>
+ '/&(nbsp|#160);/i', // Non-breaking space
+ '/&(quot|rdquo|ldquo|#8220|#8221|#147|#148);/i',
+ // Double quotes
+@@ -201,25 +194,18 @@
+ '', // <script>s -- which strip_tags supposedly has problems with
+ '', // <style>s -- which strip_tags supposedly has problems with
+ //'', // Comments -- which strip_tags might have problem a with
+- "strtoupper(\"\n\n\\1\n\n\")", // H1 - H3
+- "ucwords(\"\n\n\\1\n\")", // H4 - H6
+ "\n\n", // <P>
+ "\n", // <br>
+- 'strtoupper("\\1")', // <b>
+- 'strtoupper("\\1")', // <strong>
+ '_\\1_', // <i>
+ '_\\1_', // <em>
+ "\n\n", // <ul> and </ul>
+ "\n\n", // <ol> and </ol>
+ "\t* \\1\n", // <li> and </li>
+ "\n\t* ", // <li>
+- '$this->_build_link_list("\\2", "\\3")',
+- // <a href="">
+ "\n-------------------------\n", // <hr>
+ "\n\n", // <table> and </table>
+ "\n", // <tr> and </tr>
+ "\t\t\\1\n", // <td> and </td>
+- "strtoupper(\"\t\t\\1\n\")", // <th> and </th>
+ ' ', // Non-breaking space
+ '"', // Double quotes
+ "'", // Single quotes
+@@ -238,6 +224,22 @@
+ ' ' // Runs of spaces, post-handling
+ );
+
++ /**
++ * List of preg* regular expression patterns to search for
++ * and replace using callback function.
++ *
++ * @var array $callback_search
++ * @access public
++ */
++ var $callback_search = array(
++ '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3
++ '/<(b)[^>]*>(.*?)<\/b>/i', // <b>
++ '/<(strong)[^>]*>(.*?)<\/strong>/i', // <strong>
++ '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i',
++ // <a href="">
++ '/<(th)[^>]*>(.*?)<\/th>/i', // <th> and </th>
++ );
++
+ /**
+ * List of preg* regular expression patterns to search for in PRE body,
+ * used in conjunction with $pre_replace.
+@@ -471,6 +473,7 @@
+
+ // Strip any other HTML tags
+ $text = strip_tags($text, $this->allowed_tags);
++ $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+
+ // Bring down number of empty lines to 2 max
+ $text = preg_replace("/\n\s+\n/", "\n\n", $text);
+@@ -549,3 +552,41 @@
+ }
+
+ ?>
++
++ /**
++ * Callback function for preg_replace_callback use.
++ *
++ * @param array PREG matches
++ * @return string
++ * @access private
++ */
++ function _preg_callback($matches)
++ {
++ switch($matches[1])
++ {
++ case 'b':
++ case 'strong':
++ return $this->_strtoupper($matches[2]);
++ case 'hr':
++ return $this->_strtoupper("\t\t". $matches[2] ."\n");
++ case 'h':
++ return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++ case 'a':
++ return $this->_build_link_list($matches[3], $matches[4]);
++ }
++ }
++
++ /**
++ * Strtoupper multibyte wrapper function
++ *
++ * @param string
++ * @return string
++ * @access private
++ */
++ function _strtoupper($str)
++ {
++ if (function_exists('mb_strtoupper'))
++ return mb_strtoupper($str);
++ else
++ return strtoupper($str);
++ }
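Review bot: The nested `@@ -549,3 +552,41 @@` hunk adds `_preg_callback()` and `_strtoupper()` after the context lines `}` and `?>`, so as shown they land outside the class and outside the PHP block. There they would be emitted as literal text, and the `array('html2text', '_preg_callback')` callback added in the `@@ -471,6 +473,7 @@` hunk would not resolve; compare against the upstream changeset and move both methods above the class's closing `}`. Separately, `$callback_search` captures `th` in `$matches[1]` but the switch tests `case 'hr':`, so a matched `<th>` cell gets no return value and is replaced by an empty string; that label should read `case 'th':`. The heading pattern now matches h1–h6 and upper-cases all of them, so its `// H1 - H3` comment is stale and the former `ucwords` treatment of h4–h6 is dropped, which is worth a line in the patch header if intended.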
--
1.6.0.5
--- fix-CVE-2008-5619.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="8f483746-d45d-11dd-84ec-001fc66e7203">
<topic>roundcube -- remote execution of arbitrary code</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>0.2-beta_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-5619 says:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619">
<p>html2text.php in RoundCube Webmail (roundcubemail)
0.2-1.alpha and 0.2-3.beta allows remote attackers to execute
arbitrary code via crafted input that is processed by the
preg_replace function with the eval switch.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5619</cvename>
<url>http://trac.roundcube.net/ticket/1485618</url>
</references>
<dates>
<discovery>12-12-2008</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: