1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1107073: roundcube: Post-Auth RCE via PHP Object Deserialization

    From Guilhem Moulin@21:1/5 to All on Sun Jun 1 11:20:02 2025
    Source: roundcube
    Version: 1.6.10+dfsg-2
    Severity: grave
    Control: found -1 1.6.5+dfsg-1+deb12u4
    Control: found -1 1.4.15+dfsg.1-1+deb11u4
    Tags: security upstream
    Justification: user security hole

    Roundcube webmail upstream has recently released 1.6.10 [0] which fixes
    the following vulnerability:

    * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
    https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

    AFAICT no CVE-ID has been published for this issue. Will request one
    tomorrow if no one beats me to it.
    --
    Guilhem.

    [0] https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmg8GOsACgkQ05pJnDwh pVI9eBAAlta3qLx2GS0/i8NfDO9GD/DrZMmF3mfT1UsL+VZUNRcisYLG6XkOaH5C RswLofEm8ohaKrmpuxYlOaCpoKPTfI+Zan6wdDVRmUA/ipEp+4Du7hqNblEIxxAs WZ/1Ac/AKO5dU+fhYOk+/pivAWRBbJ8tpPiaURuPMPnHcLvjg5KqYSnLUzse9m+o pIaai8sl/3KhbFgM5vLCfXCW5I46bAPAPHyYwz8jCOYKqhJNurYDBwq2q3VRhdo8 37Px6It86X7iV5gVR3OnwBvLUGWO2SS6Rk8gyLc2JQF05oHiIh+ppGc0Di/wWyZN rwxbUuJusoxUeDUJS/8agdVs5y7vpOlA2RrqUJNEDoo5c4eY5oM3mxJtddutVqt2 RQGT9JqSMjvWIPiRtb2g6G8Cyd8lHsLFdtl31vuPMKyu4yDfgcwzkHRXpXaibIVA 29In172RO1w3mqGmPLPUfBim5PRr74E6xoSt1Egsym0beMcGsJh8jV9wn6Y3UgsO sxWdQYVwUZ3L621JFmVldnD0w90kuKe77GaM5DHqx7t20PN9nhbLCLiaSaiYw2MK 0vC6nNb3Q1c7aZ6XX6f3H7haR4lVc0ALSprWuKaaTxHyJV74jlynXc9g88Ogu8Hk UDtizyjUXMFhEnUc3Us//5JcBUyxmGuf0oTeQ/7fG9UqXAl7npY=
    =NyjD
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Steinacher@21:1/5 to All on Tue Jun 3 14:00:01 2025
    This is a multi-part message in MIME format.
    Hi,

    We fixed our bullseye installations with the attached patch for
    roundcube 1.4.15+dfsg.1-1+deb11u4, based on https://github.com/roundcube/roundcubemail/pull/9865/files (but skipping
    the tests).

    Maybe this is helpful to someone.

    Marco



    LS0tIHVzci9zaGFyZS9yb3VuZGN1YmUvcHJvZ3JhbS9zdGVwcy9zZXR0aW5ncy91cGxvYWQu aW5jLm9yaWcgICAgMjAyMy0xMC0xNCAxODozNDozMi4wMDAwMDAwMDAgKzAyMDAKKysrIHVz ci9zaGFyZS9yb3VuZGN1YmUvcHJvZ3JhbS9zdGVwcy9zZXR0aW5ncy91cGxvYWQuaW5jICAg IDIwMjUtMDYtMDMgMTM6Mzc6MDAuMjU3MzMxNTYyICswMjAwCkBAIC0yMCw2ICsyMCwxMyBA QAogJGZyb20gPSByY3ViZV91dGlsczo6Z2V0X2lucHV0X3ZhbHVlKCdfZnJvbScsIHJjdWJl X3V0aWxzOjpJTlBVVF9HRVQpOwogJHR5cGUgPSBwcmVnX3JlcGxhY2UoJy8oYWRkfGVkaXQp LS8nLCAnJywgJGZyb20pOwogCisvLyBWYWxpZGF0ZSBVUkwgaW5wdXQuCitpZiAoIXJjdWJl X3V0aWxzOjppc19zaW1wbGVfc3RyaW5nKCR0eXBlKSkgeworICAgICRSQ01BSUwtPndyaXRl X2xvZygnZXJyb3JzJywgJ1RoZSBVUkwgcGFyYW1ldGVyICJfZnJvbSIgY29udGFpbnMgZGlz YWxsb3dlZCBjaGFyYWN0ZXJzIGFuZCB0aGUgcmVxdWVzdCBpcyB0aHVzIHJlamVjdGVkLicp OworICAgICRPVVRQVVQtPmNvbW1hbmQoJ2Rpc3BsYXlfbWVzc2FnZScsICdJbnZhbGlkIGlu cHV0JywgJ2Vycm9yJyk7CisgICAgJE9VVFBVVC0+c2VuZCgnaWZyYW1lJyk7Cit9CisKIC8v IFBsdWdpbnMgaW4gU2V0dGluZ3MgbWF5IHVzZSB0aGlzIGZpbGUgZm9yIHNvbWUgdXBsb2Fk cyAoIzU2OTQpCiAvLyBNYWtlIHN1cmUgaXQgZG9lcyBub3QgY29udGFpbiBhIGRvdCwgd2hp Y2ggaXMgYSBzcGVjaWFsIGNoYXJhY3RlcgogLy8gd2hlbiB1c2luZyByY3ViZV9zZXNzaW9u OjphcHBlbmQoKSBiZWxvdwotLS0gdXNyL3NoYXJlL3JvdW5kY3ViZS9wcm9ncmFtL2xpYi9S b3VuZGN1YmUvcmN1YmVfdXRpbHMucGhwLm9yaWcgICAgMjAyNC0wOC0wOCAyMzo0ODo1Ni4w MDAwMDAwMDAgKzAyMDAKKysrIHVzci9zaGFyZS9yb3VuZGN1YmUvcHJvZ3JhbS9saWIvUm91 bmRjdWJlL3JjdWJlX3V0aWxzLnBocCAgICAyMDI1LTA2LTAzIDEzOjIzOjUxLjMyODYxNDYx OCArMDIwMApAQCAtMjQzLDYgKzI0MywyMiBAQAogICAgIH0KIAogICAgIC8qKgorICAgICAq IENoZWNrIGlmIGlucHV0IHZhbHVlIGlzIGEgInNpbXBsZSIgc3RyaW5nLgorICAgICAqICJT aW1wbGUiIGlzIGRlZmluZWQgYXMgYSBub24tZW1wdHkgc3RyaW5nIGNvbnRhaW5pbmcgb25s eQorICAgICAqICAtICJ3b3JkIiBjaGFyYWN0ZXJzIChhbHBoYW51bWVyaWMgcGx1cyB1bmRl cnNjb3JlKSwKKyAgICAgKiAgLSBkb3RzLAorICAgICAqICAtIGRhc2hlcy4KKyAgICAgKgor ICAgICAqIEBwYXJhbSBtaXhlZCAkaW5wdXQgVGhlIHZhbHVlIHRvIHRlc3QKKyAgICAgKgor ICAgICAqIEByZXR1cm4gYm9vbAorICAgICAqLworICAgIHB1YmxpYyBzdGF0aWMgZnVuY3Rp b24gaXNfc2ltcGxlX3N0cmluZygkaW5wdXQpCisgICAgeworICAgICAgICByZXR1cm4gaXNf c3RyaW5nKCRpbnB1dCkgJiYgKGJvb2wpIHByZWdfbWF0Y2goJy9eW1x3Li1dKyQvaScsICRp bnB1dCk7CisgICAgfQorCisgICAgLyoqCiAgICAgICogUmVhZCBpbnB1dCB2YWx1ZSBhbmQg Y29udmVydCBpdCBmb3IgaW50ZXJuYWwgdXNlCiAgICAgICogUGVyZm9ybXMgc3RyaXBzbGFz aGVzKCkgYW5kIGNoYXJzZXQgY29udmVyc2lvbiBpZiBuZWNlc3NhcnkKICAgICAgKgo=

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)