From rea-fbsd@codelabs.ru  Sat Dec 27 22:03:45 2008
Return-Path: <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1D58A1065673
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 Dec 2008 22:03:45 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 8C6718FC0C
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 Dec 2008 22:03:44 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from phoenix.codelabs.ru (ppp85-141-65-28.pppoe.mtu-net.ru [85.141.65.28])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1LGhG3-000GDk-6b for FreeBSD-gnats-submit@freebsd.org; Sun, 28 Dec 2008 01:03:43 +0300
Message-Id: <20081227220343.704CEB8019@phoenix.codelabs.ru>
Date: Sun, 28 Dec 2008 01:03:43 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
X-Send-Pr-Version: 3.113
X-GNATS-Notify: ale@freebsd.org

>Number:         129982
>Category:       ports
>Synopsis:       [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    ale
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 27 22:10:04 UTC 2008
>Closed-Date:    Tue Dec 30 10:24:35 UTC 2008
>Last-Modified:  Tue Dec 30 16:50:01 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

RoundCube Mail is prone to the remote (PHP) code execution.

>How-To-Repeat:

http://trac.roundcube.net/ticket/1485618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619

>Fix:

The following patch adds upstream fix for the issue:
--- fix-CVE-2008-5619.diff begins here ---
From 6d318348de0376b7ccf145dedcced0650dcbabb4 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 28 Dec 2008 00:44:50 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 mail/roundcube/Makefile                  |    1 +
 mail/roundcube/files/patch-CVE-2008-5619 |  131 ++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+), 0 deletions(-)
 create mode 100644 mail/roundcube/files/patch-CVE-2008-5619

diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index 0f3aa65..e932835 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	roundcube
 DISTVERSION=	0.2-beta
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	mail www
 MASTER_SITES=	SF/${PORTNAME}mail
diff --git a/mail/roundcube/files/patch-CVE-2008-5619 b/mail/roundcube/files/patch-CVE-2008-5619
new file mode 100644
index 0000000..264b87e
--- /dev/null
+++ b/mail/roundcube/files/patch-CVE-2008-5619
@@ -0,0 +1,131 @@
+Fix for CVE-2008-5619
+
+Obtained from: http://trac.roundcube.net/changeset/2148?format=diff&new=2148
+
+--- program/lib/html2text.php.orig	2008-08-30 16:35:36.000000000 +0400
++++ program/lib/html2text.php	2008-12-28 00:37:43.000000000 +0300
+@@ -149,25 +149,18 @@
+         '/<script[^>]*>.*?<\/script>/i',         // <script>s -- which strip_tags supposedly has problems with
+         '/<style[^>]*>.*?<\/style>/i',           // <style>s -- which strip_tags supposedly has problems with
+         //'/<!-- .* -->/',                         // Comments -- which strip_tags might have problem a with
+-        '/<h[123][^>]*>(.*?)<\/h[123]>/ie',      // H1 - H3
+-        '/<h[456][^>]*>(.*?)<\/h[456]>/ie',      // H4 - H6
+         '/<p[^>]*>/i',                           // <P>
+         '/<br[^>]*>/i',                          // <br>
+-        '/<b[^>]*>(.*?)<\/b>/ie',                // <b>
+-        '/<strong[^>]*>(.*?)<\/strong>/ie',      // <strong>
+         '/<i[^>]*>(.*?)<\/i>/i',                 // <i>
+         '/<em[^>]*>(.*?)<\/em>/i',               // <em>
+         '/(<ul[^>]*>|<\/ul>)/i',                 // <ul> and </ul>
+         '/(<ol[^>]*>|<\/ol>)/i',                 // <ol> and </ol>
+         '/<li[^>]*>(.*?)<\/li>/i',               // <li> and </li>
+         '/<li[^>]*>/i',                          // <li>
+-        '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.*?)<\/a>/ie',
+-                                                 // <a href="">
+         '/<hr[^>]*>/i',                          // <hr>
+         '/(<table[^>]*>|<\/table>)/i',           // <table> and </table>
+         '/(<tr[^>]*>|<\/tr>)/i',                 // <tr> and </tr>
+         '/<td[^>]*>(.*?)<\/td>/i',               // <td> and </td>
+-        '/<th[^>]*>(.*?)<\/th>/ie',              // <th> and </th>
+         '/&(nbsp|#160);/i',                      // Non-breaking space
+         '/&(quot|rdquo|ldquo|#8220|#8221|#147|#148);/i',
+ 		                                         // Double quotes
+@@ -201,25 +194,18 @@
+         '',                                     // <script>s -- which strip_tags supposedly has problems with
+         '',                                     // <style>s -- which strip_tags supposedly has problems with
+         //'',                                     // Comments -- which strip_tags might have problem a with
+-        "strtoupper(\"\n\n\\1\n\n\")",          // H1 - H3
+-        "ucwords(\"\n\n\\1\n\")",             // H4 - H6
+         "\n\n",                               // <P>
+         "\n",                                   // <br>
+-        'strtoupper("\\1")',                    // <b>
+-        'strtoupper("\\1")',                    // <strong>
+         '_\\1_',                                // <i>
+         '_\\1_',                                // <em>
+         "\n\n",                                 // <ul> and </ul>
+         "\n\n",                                 // <ol> and </ol>
+         "\t* \\1\n",                            // <li> and </li>
+         "\n\t* ",                               // <li>
+-    	'$this->_build_link_list("\\2", "\\3")',
+-    	                                	// <a href="">
+     	"\n-------------------------\n",        // <hr>
+     	"\n\n",                                 // <table> and </table>
+         "\n",                                   // <tr> and </tr>
+         "\t\t\\1\n",                            // <td> and </td>
+-        "strtoupper(\"\t\t\\1\n\")",            // <th> and </th>
+         ' ',                                    // Non-breaking space
+         '"',                                    // Double quotes
+         "'",                                    // Single quotes
+@@ -238,6 +224,22 @@
+         ' '                                     // Runs of spaces, post-handling
+     );
+ 
++    /**
++     *  List of preg* regular expression patterns to search for
++     *  and replace using callback function.
++     *
++     *  @var array $callback_search
++     *  @access public
++     */
++    var $callback_search = array(
++        '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3
++        '/<(b)[^>]*>(.*?)<\/b>/i',                 // <b>
++        '/<(strong)[^>]*>(.*?)<\/strong>/i',       // <strong>
++        '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i',
++                                                   // <a href="">
++        '/<(th)[^>]*>(.*?)<\/th>/i',               // <th> and </th>
++    );
++
+    /**
+     *  List of preg* regular expression patterns to search for in PRE body,
+     *  used in conjunction with $pre_replace.
+@@ -471,6 +473,7 @@
+ 
+         // Strip any other HTML tags
+         $text = strip_tags($text, $this->allowed_tags);
++        $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+ 
+         // Bring down number of empty lines to 2 max
+         $text = preg_replace("/\n\s+\n/", "\n\n", $text);
+@@ -549,3 +552,41 @@
+ }
+ 
+ ?>
++
++    /**
++     *  Callback function for preg_replace_callback use.
++     *
++     *  @param  array PREG matches
++     *  @return string
++     *  @access private
++     */
++    function _preg_callback($matches)
++    {
++	switch($matches[1])
++	{
++	    case 'b':
++	    case 'strong':
++		return $this->_strtoupper($matches[2]);
++	    case 'hr':
++		return $this->_strtoupper("\t\t". $matches[2] ."\n");
++	    case 'h':
++		return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++	    case 'a':
++    	        return $this->_build_link_list($matches[3], $matches[4]);
++	}
++    }
++    
++    /**
++     *  Strtoupper multibyte wrapper function
++     *
++     *  @param  string
++     *  @return string
++     *  @access private
++     */
++    function _strtoupper($str)
++    {
++	if (function_exists('mb_strtoupper'))
++    	    return mb_strtoupper($str);
++    	else
++	    return strtoupper($str);
++    }
-- 
1.6.0.5

--- fix-CVE-2008-5619.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="8f483746-d45d-11dd-84ec-001fc66e7203">
    <topic>roundcube -- remote execution of arbitrary code</topic>
    <affects>
      <package>
        <name>roundcube</name>
        <range><lt>0.2-beta_1,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Entry for CVE-2008-5619 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619">
          <p>html2text.php in RoundCube Webmail (roundcubemail)
          0.2-1.alpha and 0.2-3.beta allows remote attackers to execute
          arbitrary code via crafted input that is processed by the
          preg_replace function with the eval switch.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5619</cvename>
      <url>http://trac.roundcube.net/ticket/1485618</url>
    </references>
    <dates>
      <discovery>12-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sat Dec 27 22:10:14 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129982 
State-Changed-From-To: open->closed 
State-Changed-By: ale 
State-Changed-When: Tue Dec 30 10:24:19 UTC 2008 
State-Changed-Why:  
Fixed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129982 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: ale@FreeBSD.org
Cc: bug-followup@freebsd.org
Subject: Re: ports/129982: [vuxml] [patch] mail/roundcube: fix and document
	CVE-2008-5619
Date: Tue, 30 Dec 2008 19:47:53 +0300

 Alex, good day.
 
 Tue, Dec 30, 2008 at 10:24:35AM +0000, ale@FreeBSD.org wrote:
 > Synopsis: [vuxml] [patch] mail/roundcube: fix and document CVE-2008-5619
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: ale
 > State-Changed-When: Tue Dec 30 10:24:19 UTC 2008
 > State-Changed-Why: 
 > Fixed, thanks.
 
 Thanks for fixing the port.  I fixed VuXML entry and specified the
 current port version: it should be '0.2.b2,1'.  Will you be able to
 commit it?
 
 --- vuln.xml begins here ---
   <vuln vid="8f483746-d45d-11dd-84ec-001fc66e7203">
     <topic>roundcube -- remote execution of arbitrary code</topic>
     <affects>
       <package>
         <name>roundcube</name>
         <range><lt>0.2.b2,1</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>Entry for CVE-2008-5619 says:</p>
         <blockquote
           cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619">
           <p>html2text.php in RoundCube Webmail (roundcubemail)
           0.2-1.alpha and 0.2-3.beta allows remote attackers to execute
           arbitrary code via crafted input that is processed by the
           preg_replace function with the eval switch.</p>
         </blockquote>
       </body>
     </description>
     <references>
       <cvename>CVE-2008-5619</cvename>
       <url>http://trac.roundcube.net/ticket/1485618</url>
     </references>
     <dates>
       <discovery>12-12-2008</discovery>
       <entry>TODAY</entry>
     </dates>
   </vuln>
 --- vuln.xml ends here ---
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #
>Unformatted: