rpms/roundcubemail/EL-5 roundcubemail-0.1.1-CVE-2009-4076-4077.patch, NONE, 1.1 roundcubemail.spec, 1.10, 1.11
Jon Ciesla
limb at fedoraproject.org
Mon Nov 30 20:52:45 UTC 2009
Author: limb
Update of /cvs/pkgs/rpms/roundcubemail/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv466
Modified Files:
roundcubemail.spec
Added Files:
roundcubemail-0.1.1-CVE-2009-4076-4077.patch
Log Message:
Fix for CVE-2009-4076 and CVE-2009-4077.
roundcubemail-0.1.1-CVE-2009-4076-4077.patch:
js/app.js | 4 ++--
localization/de_CH/messages.inc | 3 +++
localization/de_DE/messages.inc | 1 +
localization/en_US/messages.inc | 1 +
steps/addressbook/copy.inc | 5 +++++
steps/addressbook/delete.inc | 2 +-
steps/addressbook/edit.inc | 32 ++++++++++++--------------------
steps/addressbook/save.inc | 17 ++++++++++++++---
steps/mail/addcontact.inc | 4 ++++
steps/mail/folders.inc | 4 ++++
steps/mail/mark.inc | 6 +++++-
steps/mail/move_del.inc | 6 +++++-
steps/mail/sendmdn.inc | 3 +++
steps/settings/delete_identity.inc | 13 +++++++++++--
steps/settings/edit_identity.inc | 3 ++-
steps/settings/func.inc | 36 ++++++++++++++++--------------------
steps/settings/save_identity.inc | 7 +++++++
steps/settings/save_prefs.inc | 8 ++++++++
18 files changed, 104 insertions(+), 51 deletions(-)
--- NEW FILE roundcubemail-0.1.1-CVE-2009-4076-4077.patch ---
diff -U0 -r program.orig/js/app.js program/js/app.js
--- program.orig/js/app.js 2008-04-05 07:49:21.000000000 -0500
+++ program/js/app.js 2009-11-30 14:00:26.000000000 -0600
@@ -2517,2 +2517,2 @@
- // if (this.env.framed && id)
- this.goto_url('delete-identity', '_iid='+id, true);
+ // append token to request
+ this.goto_url('delete-identity', '_iid='+id+'&_token='+this.env.request_token, true);
diff -U0 -r program.orig/localization/de_CH/messages.inc program/localization/de_CH/messages.inc
--- program.orig/localization/de_CH/messages.inc 2009-11-30 13:58:28.000000000 -0600
+++ program/localization/de_CH/messages.inc 2009-11-30 14:12:24.000000000 -0600
@@ -24,0 +25,2 @@
+$messages['servererror'] = 'Serverfehler!';
+$messages['invalidrequest'] = 'UngÃŒltige Anfrage! Es wurden keine Daten gespeichert.';
@@ -45,0 +48 @@
+$messages['errormarking'] = 'Nachricht konnte nicht markiert werden';
diff -U0 -r program.orig/localization/de_DE/messages.inc program/localization/de_DE/messages.inc
--- program.orig/localization/de_DE/messages.inc 2009-11-30 13:58:30.000000000 -0600
+++ program/localization/de_DE/messages.inc 2009-11-30 14:13:16.000000000 -0600
@@ -24,0 +25 @@
+$messages['invalidrequest'] = 'UngÃŒltige Anfrage! Es wurden keine Daten gespeichert.';
diff -U0 -r program.orig/localization/en_US/messages.inc program/localization/en_US/messages.inc
--- program.orig/localization/en_US/messages.inc 2009-11-30 13:58:30.000000000 -0600
+++ program/localization/en_US/messages.inc 2009-11-30 14:13:40.000000000 -0600
@@ -24,0 +25 @@
+$messages['invalidrequest'] = 'Invalid request! No data was saved.';
diff -U0 -r program.orig/steps/addressbook/copy.inc program/steps/addressbook/copy.inc
--- program.orig/steps/addressbook/copy.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/addressbook/copy.inc 2009-11-30 14:08:21.000000000 -0600
@@ -21,0 +22,5 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
+
diff -U0 -r program.orig/steps/addressbook/delete.inc program/steps/addressbook/delete.inc
--- program.orig/steps/addressbook/delete.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/addressbook/delete.inc 2009-11-30 14:07:58.000000000 -0600
@@ -22 +22 @@
-if (($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $cid))
+if ($OUTPUT->ajax_call && ($cid = get_input_value('_cid', RCUBE_INPUT_POST)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $cid))
diff -U0 -r program.orig/steps/addressbook/edit.inc program/steps/addressbook/edit.inc
--- program.orig/steps/addressbook/edit.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/addressbook/edit.inc 2009-11-30 14:18:39.000000000 -0600
@@ -85 +85 @@
- {
+{
@@ -88,6 +88,4 @@
- $result = $CONTACTS->get_result();
- $form_start = '';
- if (!strlen($EDIT_FORM))
- {
- $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
- $hiddenfields->add(array('name' => '_action', 'value' => 'save', 'source' => get_input_value('_source', RCUBE_INPUT_GPC)));
+ $form_start = $form_end = '';
+
+ if (empty($EDIT_FORM)) {
+ $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
@@ -98,12 +96,2 @@
- $form_start = !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
- $form_start .= "\n$SESS_HIDDEN_FIELD\n";
- $form_start .= $hiddenfields->show();
- }
-
- $form_end = (strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : '';
- $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
-
- if (!strlen($EDIT_FORM))
- $OUTPUT->add_gui_object('editform', $form_name);
-
- $EDIT_FORM = $form_name;
+ $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => 'save', 'request' => 'save.'.intval($record['ID']), 'noclose' => true) + $attrib, $hiddenfields->show());
+ $form_end = !strlen($attrib['form']) ? '</form>' : '';
@@ -111 +99,2 @@
- return array($form_start, $form_end);
+ $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
+ $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
@@ -113,0 +103,3 @@
+ return array($form_start, $form_end);
+}
+
diff -U0 -r program.orig/steps/addressbook/save.inc program/steps/addressbook/save.inc
--- program.orig/steps/addressbook/save.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/addressbook/save.inc 2009-11-30 14:20:53.000000000 -0600
@@ -21,0 +22,12 @@
+$cid = get_input_value('_cid', RCUBE_INPUT_POST);
+$return_action = empty($cid) ? 'add' : 'show';
+
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
+{
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action($return_action);
+ return;
+}
+
+
@@ -26 +38 @@
- rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+ rcmail_overwrite_action($return_action);
@@ -34 +46 @@
- rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
+ rcmail_overwrite_action($return_action);
@@ -42 +53,0 @@
-$cid = get_input_value('_cid', RCUBE_INPUT_POST);
diff -U0 -r program.orig/steps/mail/addcontact.inc program/steps/mail/addcontact.inc
--- program.orig/steps/mail/addcontact.inc 2009-11-30 13:58:27.000000000 -0600
+++ program/steps/mail/addcontact.inc 2009-11-30 14:06:14.000000000 -0600
@@ -23,0 +24,4 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
diff -U0 -r program.orig/steps/mail/folders.inc program/steps/mail/folders.inc
--- program.orig/steps/mail/folders.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/mail/folders.inc 2009-11-30 14:05:55.000000000 -0600
@@ -20,0 +21,4 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
diff -U0 -r program.orig/steps/mail/mark.inc program/steps/mail/mark.inc
--- program.orig/steps/mail/mark.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/mail/mark.inc 2009-11-30 14:03:12.000000000 -0600
@@ -7 +7 @@
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
@@ -20,0 +21,4 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
diff -U0 -r program.orig/steps/mail/move_del.inc program/steps/mail/move_del.inc
--- program.orig/steps/mail/move_del.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/mail/move_del.inc 2009-11-30 14:03:30.000000000 -0600
@@ -8 +8 @@
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland |
@@ -21,0 +22,4 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
+
diff -U0 -r program.orig/steps/mail/sendmdn.inc program/steps/mail/sendmdn.inc
--- program.orig/steps/mail/sendmdn.inc 2009-11-30 13:58:27.000000000 -0600
+++ program/steps/mail/sendmdn.inc 2009-11-30 14:04:02.000000000 -0600
@@ -23,0 +24,3 @@
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+ return;
diff -U0 -r program.orig/steps/settings/delete_identity.inc program/steps/settings/delete_identity.inc
--- program.orig/steps/settings/delete_identity.inc 2008-02-10 11:08:40.000000000 -0600
+++ program/steps/settings/delete_identity.inc 2009-11-30 14:01:58.000000000 -0600
@@ -22 +22,10 @@
-if (($ids = get_input_value('_iid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $ids))
+$iid = get_input_value('_iid', RCUBE_INPUT_GPC);
+
+// check request token
+if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(RCUBE_INPUT_GPC)) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action('identities');
+ return;
+}
+
+if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid))
@@ -34 +25 @@
- if ($USER->delete_identity($ids))
+ if ($USER->delete_identity($iid))
diff -U0 -r program.orig/steps/settings/edit_identity.inc program/steps/settings/edit_identity.inc
--- program.orig/steps/settings/edit_identity.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/settings/edit_identity.inc 2009-11-30 14:21:44.000000000 -0600
@@ -61 +61,2 @@
- list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));
+ list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', intval($IDENTITY_RECORD['identity_id']), array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));
+
diff -U0 -r program.orig/steps/settings/func.inc program/steps/settings/func.inc
--- program.orig/steps/settings/func.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/settings/func.inc 2009-11-30 14:23:44.000000000 -0600
@@ -228 +228 @@
-function get_form_tags($attrib, $action, $add_hidden=array())
+function get_form_tags($attrib, $action, $id = null, $hidden = null)
@@ -232,8 +232,10 @@
- $form_start = '';
- if (!strlen($EDIT_FORM))
- {
- $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
- $hiddenfields->add(array('name' => '_action', 'value' => $action));
-
- if ($add_hidden)
- $hiddenfields->add($add_hidden);
+ $form_start = $form_end = '';
+
+ if (empty($EDIT_FORM)) {
+ $request_key = $action . (isset($id) ? '.'.$id : '');
+ $form_start = $RCMAIL->output->request_form(array('name' => "form", 'method' => "post", 'task' => $RCMAIL->task, 'action' => $action, 'request' => $request_key, 'noclose' => true) + $attrib);
+
+ if (is_array($hidden)) {
+ $hiddenfields = new html_hiddenfield($hidden);
+ $form_start .= $hiddenfields->show();
+ }
@@ -244,7 +246,5 @@
- $form_start = !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
- $form_start .= "\n$SESS_HIDDEN_FIELD\n";
- $form_start .= $hiddenfields->show();
- }
-
- $form_end = (!strlen($EDIT_FORM) && !strlen($attrib['form'])) ? '</form>' : '';
- $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
+ $form_end = !strlen($attrib['form']) ? '</form>' : '';
+
+ $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form';
+ $RCMAIL->output->add_gui_object('editform', $EDIT_FORM);
+ }
@@ -252,4 +251,0 @@
- if (!strlen($EDIT_FORM))
- $OUTPUT->add_gui_object('editform', $form_name);
-
- $EDIT_FORM = $form_name;
diff -U0 -r program.orig/steps/settings/save_identity.inc program/steps/settings/save_identity.inc
--- program.orig/steps/settings/save_identity.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/settings/save_identity.inc 2009-11-30 14:24:30.000000000 -0600
@@ -26,0 +27,7 @@
+// check request token
+if (!$RCMAIL->check_request('save-identity.'.intval(get_input_value('_iid', RCUBE_INPUT_POST)), RCUBE_INPUT_POST)) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action('identities');
+ return;
+}
+
diff -U0 -r program.orig/steps/settings/save_prefs.inc program/steps/settings/save_prefs.inc
--- program.orig/steps/settings/save_prefs.inc 2009-11-30 13:58:26.000000000 -0600
+++ program/steps/settings/save_prefs.inc 2009-11-30 14:24:51.000000000 -0600
@@ -21,0 +22,8 @@
+// check request token and exit if invalid
+if (!$RCMAIL->check_request('save-prefs', RCUBE_INPUT_POST)) {
+ $OUTPUT->show_message('invalidrequest', 'error');
+ rcmail_overwrite_action('preferences');
+ return;
+}
+
+
Index: roundcubemail.spec
===================================================================
RCS file: /cvs/pkgs/rpms/roundcubemail/EL-5/roundcubemail.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- roundcubemail.spec 17 Mar 2009 18:48:32 -0000 1.10
+++ roundcubemail.spec 30 Nov 2009 20:52:45 -0000 1.11
@@ -1,7 +1,8 @@
+%define _default_patch_fuzz 2
%define roundcubedir %{_datadir}/roundcubemail
Name: roundcubemail
Version: 0.1.1
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Round Cube Webmail is a browser-based multilingual IMAP client
Group: Applications/System
@@ -14,6 +15,7 @@ Source4: roundcubemail-README.fedora
Patch0: roundcubemail-0.1.1-mysql.update.sql.patch
Patch1: roundcubemail-0.1.1-pear.patch
Patch2: roundcubemail-CVE-2008-5619.patch
+Patch3: roundcubemail-0.1.1-CVE-2009-4076-4077.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n)
@@ -41,6 +43,7 @@ interface is fully skinnable using XHTML
%patch0 -p0
%patch1 -p0
%patch2 -p0
+%patch3 -p0
# fix permissions and remove any .htaccess files
find . -type f -print | xargs chmod a-x
@@ -128,6 +131,9 @@ exit 0
%config(noreplace) %{_sysconfdir}/logrotate.d/roundcubemail
%changelog
+* Mon Nov 30 2009 Jon Ciesla <limb at jcomserv.net> = 0.1.1-6
+- Fix for CVE-2009-4076 and CVE-2009-4077.
+
* Tue Mar 17 2009 Jon Ciesla <limb at jcomserv.net> = 0.1.1-5
- Patch for CVE-2008-5619.
More information about the fedora-extras-commits
mailing list