From: Vincent Bernat Date: Sat, 13 Feb 2010 09:21:49 +0000 (+0100) Subject: Imported Debian patch 0.3.1-3 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=58f684d9098942e8174d63e4a693bf3f46096774;p=roundcube.git Imported Debian patch 0.3.1-3 --- diff --git a/debian/changelog b/debian/changelog index 9b698ff..897699f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,20 @@ +roundcube (0.3.1-3) unstable; urgency=high + + * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if + possible. We respect this by dropping limitation of the local-part of + an email address. Closes: #568360, #568537. + * Suggests php-auth-sasl to enable use of SASL mechanisms for mail + servers. Closes: #567550. + * Disable DNS prefetching to avoid information leakage through links + embedded in messages. This fixes CVE-2010-0464. Closes: #569660. + * Bump Standards-Version. No changes required. + + -- Vincent Bernat Sat, 13 Feb 2010 10:21:49 +0100 + roundcube (0.3.1-2) unstable; urgency=low - * Fix VCS links in debian/control, thanks to Torsten Landschoff. Closes: #555900. + * Fix VCS links in debian/control, thanks to Torsten Landschoff. + Closes: #555900. * Really ship NEWS.Debian. * Add changesets 3170 and 3202 from upstream to handle gracefully jQuery 1.4. Thanks to Volker Gropp for the report. Closes: #565715. diff --git a/debian/control b/debian/control index ed4b59d..bb592d6 100644 --- a/debian/control +++ b/debian/control 
@@ -3,15 +3,16 @@ Section: web Priority: extra Maintainer: Debian Roundcube Maintainers Uploaders: Vincent Bernat , Romain Beauxis -Build-Depends: cdbs, debhelper, quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf +Build-Depends: cdbs, debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf Homepage: http://www.roundcube.net/ -Standards-Version: 3.8.3 +Standards-Version: 3.8.4 Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/trunk Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/trunk/ Package: roundcube-core Architecture: all Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-sqlite (= ${source:Version}) | roundcube-mysql (= ${source:Version}) | roundcube-pgsql (= ${source:Version}), php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1, php5-pspell, libjs-jquery (>= 1.3.3) +Suggests: php-auth-sasl Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers diff --git a/debian/control.in b/debian/control.in index 72d681f..a006829 100644 --- a/debian/control.in +++ b/debian/control.in 
@@ -5,13 +5,14 @@ Maintainer: Debian Roundcube Maintainers , Romain Beauxis Build-Depends: @cdbs@, po-debconf Homepage: http://www.roundcube.net/ -Standards-Version: 3.8.3 +Standards-Version: 3.8.4 Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/trunk Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/trunk/ Package: roundcube-core Architecture: all Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-sqlite (= ${source:Version}) | roundcube-mysql (= ${source:Version}) | roundcube-pgsql (= ${source:Version}), php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1, php5-pspell, libjs-jquery (>= 1.3.3) +Suggests: php-auth-sasl Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers diff --git a/debian/patches/disable-dns-prefetch.patch b/debian/patches/disable-dns-prefetch.patch new file mode 100644 index 0000000..450145f --- /dev/null +++ b/debian/patches/disable-dns-prefetch.patch @@ -0,0 +1,20 @@ +Disable DNS prefetching to solve CVE-2010-0464. + +Index: program/include/rcube_html_page.php +=================================================================== +--- rcube/program/include/rcube_html_page.php (revision 3214) ++++ rcube/program/include/rcube_html_page.php (working copy) +@@ -165,6 +165,13 @@ + $__page_header.= $this->charset . '" />'."\n"; + } + ++ // add hint to disable DNS prefetching ++ if (!headers_sent()) { ++ header('X-DNS-Prefetch-Control: off'); ++ } else { ++ $__page_header.= ''."\n"; ++ } ++ + // definition of the code to be placed in the document header and footer + if (is_array($this->script_files['head'])) { + foreach ($this->script_files['head'] as $file) { diff --git a/debian/patches/dont-limit-email-local-part.patch b/debian/patches/dont-limit-email-local-part.patch new file mode 100644 index 0000000..c9852aa --- /dev/null 
+++ b/debian/patches/dont-limit-email-local-part.patch @@ -0,0 +1,12 @@ +To fix #568360 and #568537, don't limit local part size. +--- roundcube-0.3.1/program/include/main.inc~ 2009-10-31 14:44:19.751802878 +0100 ++++ roundcube-0.3.1/program/include/main.inc 2010-02-05 19:46:12.000000000 +0100 +@@ -1427,7 +1427,7 @@ + return false; + + // Check that there's one @ symbol, and that the lengths are right +- if (!preg_match('/^([^@]{1,64})@([^@]{1,255})$/', $email, $email_array)) ++ if (!preg_match('/^([^@]+)@([^@]{1,255})$/', $email, $email_array)) + return false; + + // Check local part diff --git a/debian/patches/series b/debian/patches/series index 7b7b57c..b76ac52 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,5 @@ use_pspell.patch loginbox-size.patch changeset_r3170.patch changeset_r3202.patch +dont-limit-email-local-part.patch +disable-dns-prefetch.patch diff --git a/debian/roundcube-core.NEWS b/debian/roundcube-core.NEWS index abdc484..58abf9a 100644 --- a/debian/roundcube-core.NEWS +++ b/debian/roundcube-core.NEWS 
@@ -1,15 +1,16 @@ roundcube (0.3.1-2) unstable; urgency=low - * Starting from Roundcube 0.3, an incompatibility with Suhosin session + Starting from Roundcube 0.3, an incompatibility with Suhosin session encryption is present. This can be resolved by tuning php.ini for Roundcube with the "suhosin.session.encrypt" set to "Off". - + We ship a .htaccess in /var/lib/roundcube to disable this option. However, this only works with a webserver like Apache with - mod_php. If you are using a webserver with PHP configured as a *CGI - process, you need to tune the php.ini for this process: either turn of - globally Suhosin session encryption in /etc/php5/conf.d/suhosin or you - can provide your own php.ini to php5-cgi with "-c" option. + mod_php. If you are using a webserver with PHP configured as a + *CGI process, you need to tune the php.ini for this process: + either turn of globally Suhosin session encryption in + /etc/php5/conf.d/suhosin or you can provide your own php.ini to + php5-cgi with "-c" option. -- Vincent Bernat Mon, 02 Nov 2009 19:48:22 +0100
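Review bot: in the debian/changelog hunk, the first bullet of the 0.3.1-3 entry says the local-part length limit is dropped per RFC 5321 section 4.5.3.1, but the accompanying dont-limit-email-local-part.patch keeps the 255-character cap on the domain part ('[^@]{1,255}'); the entry should say so, e.g. "drop the 64-character limit on the local part of an email address (the domain part stays capped at 255)", so the changelog matches what the patch actually changes.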
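Review bot: in the debian/control hunk, the new Build-Depends line lists cdbs twice ("cdbs, debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf"); since debian/control is generated from the "@cdbs@" placeholder in debian/control.in, the expansion should be checked so the unversioned duplicate is dropped there rather than hand-edited in the generated file.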
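Review bot: in the debian/control.in hunk, "Suggests: php-auth-sasl" will not install the package by default, so SASL mechanisms for mail servers (the #567550 use case named in the changelog) still fail until the administrator installs it by hand; if that should work out of the box, "Recommends" is the stronger relationship, and either way the README or NEWS should tell administrators which authentication mechanisms need the extra package.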
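Review bot: in the disable-dns-prefetch.patch hunk for rcube_html_page.php, the else branch appends "''."\n"" to $__page_header, i.e. an empty line, so whenever headers_sent() is already true the page carries no prefetch-control hint at all and the CVE-2010-0464 mitigation silently does nothing in that path. If the intent is the in-document equivalent of the header, the branch should emit the corresponding meta element with http-equiv "x-dns-prefetch-control" and content "off" (and it is worth checking whether an HTML tag was lost when the patch file was written). Both the X-DNS-Prefetch-Control header and the meta hint are advisory and only honoured by browsers that implement them, so the changelog wording "fixes CVE-2010-0464" overstates it; "mitigates" would be accurate.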
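Review bot: in the dont-limit-email-local-part.patch hunk for main.inc, the comment above the regex still reads "Check that there's one @ symbol, and that the lengths are right", but after the change the local part ('[^@]+') is no longer length-checked; update the comment so it does not claim a check the code no longer performs. The unbounded '[^@]+' still rejects an empty local part, so the "return false" behaviour for an address with nothing before the @ is unchanged, which is worth stating in the patch description alongside the dropped upper bound.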
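Review bot: the reflowed paragraph in the debian/roundcube-core.NEWS hunk carries over the typo "either turn of globally Suhosin session encryption"; since these lines are being rewritten anyway, fix it to "either turn off Suhosin session encryption globally". The "*CGI process" wildcard is also ambiguous in prose and would read better spelled out as the process types it is meant to cover.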