From: Vincent Bernat Date: Thu, 25 Dec 2008 10:39:05 +0000 (+0000) Subject: Fix a vulnerability in quota image generation. This fixes X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=a3e984091ddbda20bcbf37217c274c18aa71a846;p=roundcube.git Fix a vulnerability in quota image generation. This fixes CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
---
diff --git a/debian/changelog b/debian/changelog
index 5b5d498..8a5878a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,11 +5,13 @@ roundcube (0.2~alpha-4) UNRELEASED; urgency=low
* Execute cron job only if the directory to clean exists.
* Reload web server configuration instead of restart, thanks to a patch from Tiago Bortoletto Vaz. Closes: #508633.
+ * Fix a vulnerability in quota image generation. This fixes
+ CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
* Add missing dependency on php5-gd, used for quota bar.
* For roundcube-pgsql, depends on postgresql-client only. This package is provided by the currently supported real package.
- -- Vincent Bernat Wed, 24 Dec 2008 17:16:41 +0100
+ -- Vincent Bernat Thu, 25 Dec 2008 11:38:13 +0100
roundcube (0.2~alpha-3) experimental; urgency=high
diff --git a/debian/patches/cve-2008-5620.patch b/debian/patches/cve-2008-5620.patch
new file mode 100644
index 0000000..c1fdd23
--- /dev/null
+++ b/debian/patches/cve-2008-5620.patch
@@ -0,0 +1,45 @@
+Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
+
+diff --git a/bin/quotaimg.php b/bin/quotaimg.php
+index 354f4eb..4e73c21 100644
+--- a/bin/quotaimg.php
++++ b/bin/quotaimg.php
+@@ -18,10 +18,10 @@
+
+ */
+
+-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
+-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
+-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
+-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
++$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
+
+ /**
+ * Quota display
+@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
+ }
+
+ $quota_width = $quota / 100 * $width;
+- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
++ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
+
+ $string = $quota . '%';
+ $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
+@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
+ imagedestroy($im);
+ }
+
+-genQuota($used, $quota, $width, $height);
++if ($width > 1 && $height > 1) {
++ genQuota($used, $quota, $width, $height);
++}
++else {
++ header("HTTP/1.0 404 Not Found");
++}
++
+ exit;
+ ?>
+\ No newline at end of file
diff --git a/debian/patches/series b/debian/patches/series
index b68113a..07f681f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ use-db-backend.patch
correct-magic-path.patch
fix_login.patch
dont-use-preg-e-option.patch
+cve-2008-5620.patch
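Review bot: The new `$width`/`$height` lines bound the value only from above (`min(300, …)`, `min(50, …)`) and carry no explanation, while the lower bound is enforced separately by the `$width > 1 && $height > 1` guard added in the last inner hunk, so a reader of either line sees only half of the check. A comment on the first `min()` line such as `// w/h are capped here and rejected below when < 2: the image is presumably allocated at this size, and unbounded values are the insufficient input sanitizing behind CVE-2008-5620` would tie the two halves together; a symmetric `max()`/`min()` clamp at the same spot would also let the guard go, at the cost of serving a minimal image instead of the 404. `$used` and `$quota` remain unclamped after `intval()` and `'??'` is still passed as a string when the parameter is absent, so genQuota() — whose body is mostly outside this hunk — is evidently expected to cope with negative, over-100 and non-numeric values; that is worth confirming rather than assuming. The rejection branch answers `404 Not Found` for an out-of-range parameter, where `400 Bad Request` describes the condition more accurately unless the 404 is deliberate for `<img>` consumers. The `$quota` → `$quota_width` correction in the second inner hunk is an unrelated drawing fix and deserves its own sentence in the patch header.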