http://bugzilla.opensuse.org/show_bug.cgi?id=1082822 http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c2 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ecsos@schirra.net, | |joop.boonen@boonen.org, | |lars.vogdt@suse.com --- Comment #2 from Andreas Stieger --- Leap 42.3 has 1.1.9 /srv/www/roundcubemail/plugins/enigma has root:root 755 and is in the web tree. This was actually NOT fixed in the upstream release. This path was touched: +# RW need for PGP plugin +%attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home https://build.opensuse.org/request/show/577173 Joop, Eric, are one of you able to please: * verify affectedness for server:php:applications/roundcubemail 1.3.4? * if affected fix it * suggest a maintenance update? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1082822 http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c3 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aj@ajaissle.de, | |nix@opensuse.org, | |wolfgang@rosenauer.org --- Comment #3 from Andreas Stieger --- server:php:applications/roundcubemail actually has maintainers... -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1082822 http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c5 --- Comment #5 from Andreas Stieger --- (In reply to Eric Schirra from comment #4)

This is no security risc, because with root:root you can not use this plugin. Apache must have write rights to save and generate keys. With root:root apache can not do this.

Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1082822 http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c6 Eric Schirra changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(astieger@suse.com | |) --- Comment #6 from Eric Schirra --- (In reply to Andreas Stieger from comment #5)

(In reply to Eric Schirra from comment #4)

...

This is no security risc, because with root:root you can not use this plugin. Apache must have write rights to save and generate keys. With root:root apache can not do this.

Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.

In devel, factory (Tumbleweed) and Leap 15.0 there is: # RW need for PGP plugin %attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home So. Only wwwrun can rwx. And without this rights, the enigma-plugin can not be use. I think this is secure enough. And you can change the dir manuell to other location. We can put only this plugin outside the normal roundcube path. But why? And this will be not clearly and logical, because all other plugins are under roundcubepath. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1082822 http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c8 --- Comment #8 from Eric Schirra --- (In reply to Andreas Stieger from comment #7)

It just seems logical to have plugin temporary and database data outside of the web tree.

Sorry. I can do nothing at the moment. Because roundcube itself has trouble. For this is an other bug report open. Must wait if the roundcubemail bug is fixed. After that i can do changes and test it. -- You are receiving this mail because: You are on the CC list for the bug.