+roundcube (0.2~alpha-4) experimental; urgency=low
+
+ * Add missing ${misc:Depends} to make Lintian happy.
+ * Add description to each patch.
+ * Execute cron job only if the directory to clean exists.
+ * Reload web server configuration instead of restart, thanks to a patch
+ from Tiago Bortoletto Vaz. Closes: #508633.
+ * Fix a vulnerability in quota image generation. This fixes
+ CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
+ * Add missing dependency on php5-gd, used for quota bar.
+ * For roundcube-pgsql, depends on postgresql-client only. This package
+ is provided by the currently supported real package.
+
+ -- Vincent Bernat <bernat@debian.org> Thu, 25 Dec 2008 11:38:13 +0100
+
roundcube (0.2~alpha-3) experimental; urgency=high
[ Vincent Bernat ]
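Review bot: The new entry is marked urgency=low on its first line although it closes CVE-2008-5620 (#509596), while the previous upload, 0.2~alpha-3, carried urgency=high. If the security fix is a reason for this upload, consider matching the urgency, and name the affected file (bin/quotaimg.php) in the entry so the changelog can be read without opening the patch.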
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
Package: roundcube
Architecture: all
-Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version})
+Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends}
Description: skinnable AJAX based webmail solution for IMAP servers
RoundCube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client
+Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client
+Depends: php5-pgsql, postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite
+Depends: php5-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
Package: roundcube
Architecture: all
-Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version})
+Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends}
Description: skinnable AJAX based webmail solution for IMAP servers
RoundCube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client
+Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client
+Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite
+Depends: php5-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
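Review bot: The two copies of the roundcube-pgsql stanza disagree. The first now reads `Depends: php5-pgsql, postgresql-client, ${misc:Depends}`, but this second copy still keeps `postgresql-client-8.1 | postgresql-client`, which contradicts the changelog item about depending on postgresql-client only. If one file is generated from the other, regenerate it; otherwise drop the versioned alternative here as well.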
+On Debian, the magic file is in /usr/share/file/magic.
+
--- roundcube-0.1/config/main.inc.php.dist~ 2008-02-21 11:27:19.000000000 +0100
+++ roundcube-0.1/config/main.inc.php.dist 2008-03-06 14:04:53.000000000 +0100
@@ -277,7 +277,7 @@
+Install path is /var/lib/roundcube for Debian. Don't try to guess it.
+
--- a/program/include/iniset.php~ 2008-06-09 22:57:53.000000000 +0200
+++ a/program/include/iniset.php 2008-06-22 12:10:55.000000000 +0200
@@ -27,7 +27,7 @@
--- /dev/null
+Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
+
+diff --git a/bin/quotaimg.php b/bin/quotaimg.php
+index 354f4eb..4e73c21 100644
+--- a/bin/quotaimg.php
++++ b/bin/quotaimg.php
+@@ -18,10 +18,10 @@
+
+ */
+
+-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
+-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
+-$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
+-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
++$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
+
+ /**
+ * Quota display
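Review bot: The new `$used` and `$quota` lines change what an empty parameter means and still bound nothing. isset() is true for `u=` with an empty value and intval('') is 0, so a request that used to fall back to '??' now reports 0, and negative values reach genQuota() just as they did with the old (int) cast. If the "unknown" rendering should survive, test for the empty string explicitly, and clamp both values to be non-negative here. The caps of 300 and 50 on `$width` and `$height` are bare numbers; a one-line comment saying they limit the size of the image the server will allocate would make the intent of the fix clear.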
+@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
+ }
+
+ $quota_width = $quota / 100 * $width;
+- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
++ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
+
+ $string = $quota . '%';
+ $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
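Review bot: The switch from `$quota` to `$quota_width` in the imagefilledrectangle() call is a drawing fix, not input sanitizing, yet the patch description only mentions the latter. Either say so in the description or carry it as a separate patch so the security change can be reviewed and backported on its own. `$quota_width` is also the result of a division and so may be a float; wrapping it in intval() or round() before passing it as a pixel coordinate would make the conversion explicit.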
+@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
+ imagedestroy($im);
+ }
+
+-genQuota($used, $quota, $width, $height);
++if ($width > 1 && $height > 1) {
++ genQuota($used, $quota, $width, $height);
++}
++else {
++ header("HTTP/1.0 404 Not Found");
++}
++
+ exit;
+ ?>
+\ No newline at end of file
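Review bot: The guard `$width > 1 && $height > 1` rejects a value of exactly 1 along with zero and negative sizes, and the else branch answers with 404 although the script exists and it is the request that is wrong. `400 Bad Request` describes the case better, and a short comment on why 1 is excluded would help the next reader. The guard checks only the dimensions, so genQuota() is still called with whatever `$used` and `$quota` hold, including '??'.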
+The default db.inc.php is modified to adapt it to the use of dbconfig-common package.
+
--- roundcube_0.1~beta2.2/config/db.inc.php.dist 2006-03-20 23:08:51.000000000 +0100
+++ roundcube_0.1~beta2.2/config/db.inc.php.dist 2007-03-13 14:33:38.000000000 +0100
@@ -14,13 +14,20 @@
+Fix a vulnerability due to the use of "e" option of preg_replace.
+
--- roundcube-0.2~alpha/program/lib/html2text.php 2008-04-12 15:54:45.000000000 +0200
+++ roundcube-0.2~alpha/program/lib/html2text.php 2008-12-13 14:21:44.000000000 +0100
@@ -99,6 +99,22 @@
+Fix login redirection.
+
--- a/program/include/rcmail.php~ 2008-06-07 21:33:07.000000000 +0200
+++ a/program/include/rcmail.php 2008-06-22 13:36:57.000000000 +0200
@@ -474,7 +474,7 @@
correct-magic-path.patch
fix_login.patch
dont-use-preg-e-option.patch
+cve-2008-5620.patch
+Use db backend since mdb2 is not yet available in Debian.
+
--- roundcubemail-0.1-dep/config/db.inc.php.dist~ 2008-03-03 22:32:15.000000000 +0100
+++ roundcubemail-0.1-dep/config/db.inc.php.dist 2008-03-05 21:07:28.000000000 +0100
@@ -27,7 +27,7 @@
+Use tinymce from tinycme package instead of the shipped one.
+
Index: roundcube-0.1~rc2/program/steps/mail/sendmail.inc
===================================================================
--- a/program/steps/mail/sendmail.inc~ 2008-04-30 10:21:42.000000000 +0200
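Review bot: Typo in the description added at the top of this patch: "tinycme package" should read "tinymce package", matching the `tinymce (>= 3)` dependency in the control file.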
. /etc/default/roundcube-core
fi
-find /var/lib/roundcube/temp -type f -mtime +$MAX_TMPFILE_LIFETIME -print0 | xargs -0 -r rm
+if [ -d /var/lib/roundcube/temp ]; then
+ find /var/lib/roundcube/temp -type f -mtime +$MAX_TMPFILE_LIFETIME -print0 | xargs -0 -r rm
+fi
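Review bot: The new -d test covers the missing directory, but the find line inside it still expands `$MAX_TMPFILE_LIFETIME` unquoted and unchecked. The visible context sources /etc/default/roundcube-core inside a conditional, so unless a default is assigned above the lines shown, an absent or hand-edited defaults file leaves find with a bare `-mtime +` and the job fails. Consider giving the variable a fallback with the `${MAX_TMPFILE_LIFETIME:-...}` form, using the packaged default, or skipping the cleanup when the value is empty or not a number.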
if [ "$res" = "true" ]; then
for webserver in $restart; do
webserver=${webserver%,}
+ # Redirection of 3 is needed because Debconf uses it and it might
+ # be inherited by webserver. See bug #446324.
if [ -x /usr/sbin/invoke-rc.d ]; then
- invoke-rc.d $webserver restart
+ invoke-rc.d $webserver reload 3>/dev/null || true
else
- /etc/init.d/$webserver restart
+ /etc/init.d/$webserver reload 3>/dev/null || true
fi
done
fi
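Review bot: `|| true` on both reload lines discards every failure, including a web server that refuses the new configuration, so the maintainer script reports success while the roundcube configuration may not be in effect. Printing a warning to stderr when the reload fails would still keep the script from aborting the installation but would leave a trace for the administrator. `$webserver` is also expanded unquoted in both branches; quoting it costs nothing.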
if [ "$res" = "true" ]; then
for webserver in $restart; do
webserver=${webserver%,}
+ # Redirection of 3 is needed because Debconf uses it and it might
+ # be inherited by webserver. See bug #446324.
if [ -x /usr/sbin/invoke-rc.d ]; then
- invoke-rc.d $webserver restart
+ invoke-rc.d $webserver reload 3>/dev/null || true
else
- /etc/init.d/$webserver restart
+ /etc/init.d/$webserver reload 3>/dev/null || true
fi
done
fi