[Bug 1082822] New: VUL-0: CVE-2018-1000071: roundcubemail: Permissions issue in enigma plugin allows exfiltration of secret gpg key file
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822

Bug ID: 1082822
Summary: VUL-0: CVE-2018-1000071: roundcubemail: Permissions issue in enigma plugin allows exfiltration of secret gpg key file
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/200826/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: astieger@suse.com
Reporter: jsegitz@suse.com
QA Contact: security-team@suse.de
CC: cmueller@suse.com
Found By: Security Response Team
Blocker: ---

rh#1549054

The Enigma plugin in a roundcube installation running on an nginx web server is vulnerable to insecure permissions, due to which a remote attacker is able to exfiltrate a user's password-protected secret GPG key file using a specially crafted URL.

Affected versions: before 1.3.4 => Leap 42.3

References:
https://github.com/roundcube/roundcubemail/issues/6173
https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma...
https://bugzilla.redhat.com/show_bug.cgi?id=1549054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000071

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c4
--- Comment #4 from Eric Schirra
> Leap 42.3 has 1.1.9. /srv/www/roundcubemail/plugins/enigma has root:root 755 and is in the web tree.
> This was actually NOT fixed in the upstream release. This path was touched:

This is no security risk, because with root:root you cannot use this plugin. Apache must have write rights to save and generate keys. With root:root Apache cannot do this.
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c5
--- Comment #5 from Andreas Stieger
> This is no security risk, because with root:root you cannot use this plugin. Apache must have write rights to save and generate keys. With root:root Apache cannot do this.

Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c6
--- Comment #6 from Eric Schirra
> (In reply to Eric Schirra from comment #4)
>> This is no security risk, because with root:root you cannot use this plugin. Apache must have write rights to save and generate keys. With root:root Apache cannot do this.
>
> Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.

In devel, factory (Tumbleweed) and Leap 15.0 there is:

# RW need for PGP plugin
%attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home

So. Only wwwrun can rwx. And without these rights, the enigma plugin cannot be used. I think this is secure enough. And you can change the dir manually to another location. We can put only this plugin outside the normal roundcube path. But why? And this will not be clear and logical, because all other plugins are under roundcubepath.
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c8
--- Comment #8 from Eric Schirra
> It just seems logical to have plugin temporary and database data outside of the web tree.

Sorry. I can do nothing at the moment, because roundcube itself has trouble. For this another bug report is open. I must wait until the roundcubemail bug is fixed. After that I can do changes and test it.
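The thread separates two questions that are easy to conflate: whether the web server account can write the enigma home directory (needed for the plugin to work at all, comment #4) and whether a remote client can fetch files from that directory by URL (comments #5 to #7). The following is an added example, written for this page and not taken from the bug report, the openSUSE package or Roundcube, that models both with ordinary Unix permission semantics and document-root containment, then emits an nginx deny rule for the directory. It assumes the worker process runs as wwwrun (the uid 30 and gid 8 are placeholders), that a server with no per-directory deny rule serves any regular file under its document root that the worker can read (the nginx situation in the CVE description, since nginx does not honour .htaccess), and that the paths and the key file name are constructed for illustration. ACLs, AppArmor/SELinux and server-side deny rules are outside the model.

```python
"""
Web-exposure model for the enigma plugin's GPG home directory.

Added example (not code from the bug report or from Roundcube). Assumptions:
  * the web server worker runs as the unprivileged account WEB_USER
    (wwwrun on openSUSE, as the thread says; uid/gid values are placeholders);
  * with no per-directory deny rule the server serves every regular file
    under the document root that its worker process can read;
  * the plugin must be able to write its home directory to create keyrings.
All paths, ids and file names below are constructed for illustration.
"""
import posixpath
import stat
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple, Optional


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: FrozenSet[int]          # primary plus supplementary groups


@dataclass(frozen=True)
class Entry:
    """A file or directory with its owner, group and permission bits."""
    path: str
    uid: int
    gid: int
    mode: int                     # permission bits only, e.g. 0o700


def _has(entry: Entry, acct: Account, ubit: int, gbit: int, obit: int) -> bool:
    """Classic Unix access check: owner class, else group class, else other."""
    if acct.uid == 0:
        return True
    if entry.uid == acct.uid:
        return bool(entry.mode & ubit)
    if entry.gid in acct.gids:
        return bool(entry.mode & gbit)
    return bool(entry.mode & obit)


def can_read(entry: Entry, acct: Account) -> bool:
    return _has(entry, acct, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_write(entry: Entry, acct: Account) -> bool:
    return _has(entry, acct, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_traverse(entry: Entry, acct: Account) -> bool:
    return _has(entry, acct, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def under_docroot(docroot: str, path: str) -> bool:
    d, p = posixpath.normpath(docroot), posixpath.normpath(path)
    return posixpath.commonpath([d, p]) == d


class Verdict(NamedTuple):
    web_exposed: bool     # a remote client can fetch the key file by URL
    plugin_usable: bool   # the server account can create keyrings there


def assess(docroot: str, home: Entry, keyfile: Entry, web: Account) -> Verdict:
    # Serving a file needs: inside the web tree, x on the directory, r on the file.
    exposed = (under_docroot(docroot, home.path)
               and can_traverse(home, web)
               and can_read(keyfile, web))
    # Creating keyrings needs w+x on the home directory for the server account.
    usable = can_write(home, web) and can_traverse(home, web)
    return Verdict(exposed, usable)


def nginx_deny_block(docroot: str, home_path: str) -> Optional[str]:
    """nginx location block refusing requests into the home directory,
    or None when the directory is not under the document root at all."""
    rel = posixpath.relpath(posixpath.normpath(home_path), posixpath.normpath(docroot))
    if rel == ".." or rel.startswith("../"):
        return None
    return "location ^~ /%s/ {\n    deny all;\n}\n" % rel


# --- constructed scenarios mirroring the thread ------------------------------
WWWRUN = Account("wwwrun", uid=30, gids=frozenset({8}))   # placeholder ids
DOCROOT = "/srv/www/roundcubemail"
HOME = DOCROOT + "/plugins/enigma/home"


def leap_42_3() -> Verdict:
    # comment #4: root:root 0755 inside the web tree; a world-readable keyring
    # placed there would be served, but the server account cannot write there
    home = Entry(HOME, 0, 0, 0o755)
    return assess(DOCROOT, home, Entry(HOME + "/secring.gpg", 0, 0, 0o644), WWWRUN)


def factory_spec() -> Verdict:
    # comment #6: %attr(0700, wwwrun, root) on plugins/enigma/home; the keyring
    # is created by wwwrun, so the wwwrun worker can read and serve it
    home = Entry(HOME, WWWRUN.uid, 0, 0o700)
    return assess(DOCROOT, home, Entry(HOME + "/secring.gpg", WWWRUN.uid, 0, 0o600), WWWRUN)


def outside_web_tree() -> Verdict:
    # comment #7: same ownership and mode, directory moved out of the web tree
    home = Entry("/var/lib/roundcubemail/enigma", WWWRUN.uid, 0, 0o700)
    return assess(DOCROOT, home, Entry(home.path + "/secring.gpg", WWWRUN.uid, 0, 0o600), WWWRUN)


if __name__ == "__main__":
    for name, fn in (("Leap 42.3", leap_42_3), ("Factory spec", factory_spec),
                     ("outside web tree", outside_web_tree)):
        print(f"{name:18} {fn()}")
    print(nginx_deny_block(DOCROOT, HOME))
```

Running it shows the three situations discussed: the Leap 42.3 layout serves any world-readable file placed in the directory but the plugin cannot write there; the %attr(0700, wwwrun, root) layout makes the plugin work but, because the worker is wwwrun, the server can read and serve the keyrings it created; only moving the directory out of the document root, or adding the deny rule for installations that keep it there, removes the URL path to the key file.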