Fix a vulnerability in quota image generation. This fixes

CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes:
#509596.

diff --git a/debian/changelog b/debian/changelog
index 5b5d498bb48609386b4a444ca78bc13d150cbc95..8a5878a866d28314fed6a6a20fa0aef8474b86d4 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,11 +5,13 @@ roundcube (0.2~alpha-4) UNRELEASED; urgency=low
   * Execute cron job only if the directory to clean exists.
   * Reload web server configuration instead of restart, thanks to a patch
     from Tiago Bortoletto Vaz. Closes: #508633.
+  * Fix a vulnerability in quota image generation. This fixes
+    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
   * Add missing dependency on php5-gd, used for quota bar.
   * For roundcube-pgsql, depends on postgresql-client only. This package
     is provided by the currently supported real package.
 
- -- Vincent Bernat <bernat@debian.org>  Wed, 24 Dec 2008 17:16:41 +0100
+ -- Vincent Bernat <bernat@debian.org>  Thu, 25 Dec 2008 11:38:13 +0100
 
 roundcube (0.2~alpha-3) experimental; urgency=high
 

diff --git a/debian/patches/cve-2008-5620.patch b/debian/patches/cve-2008-5620.patch
new file mode 100644 (file)
index 0000000..c1fdd23
--- /dev/null
+++ b/debian/patches/cve-2008-5620.patch
@@ -0,0 +1,45 @@
+Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
+
+diff --git a/bin/quotaimg.php b/bin/quotaimg.php
+index 354f4eb..4e73c21 100644
+--- a/bin/quotaimg.php
++++ b/bin/quotaimg.php
+@@ -18,10 +18,10 @@
+ 
+ */
+ 
+-$used   = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
+-$quota  = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
+-$width  = empty($_GET['w']) ? 100 : (int)$_GET['w'];
+-$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
++$used   = isset($_GET['u']) ? intval($_GET['u']) : '??';
++$quota  = isset($_GET['q']) ? intval($_GET['q']) : '??';
++$width  = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
++$height = empty($_GET['h']) ? 14  : min(50,  intval($_GET['h']));
+ 
+ /**
+  * Quota display
+@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
+               }
+ 
+               $quota_width = $quota / 100 * $width;
+-              imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
++              imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
+ 
+               $string = $quota . '%';
+               $mid    = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
+@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
+       imagedestroy($im);
+ }
+ 
+-genQuota($used, $quota, $width, $height);
++if ($width > 1 && $height > 1) {
++      genQuota($used, $quota, $width, $height);
++}
++else {
++      header("HTTP/1.0 404 Not Found");
++}
++
+ exit;
+ ?>
+\ No newline at end of file

diff --git a/debian/patches/series b/debian/patches/series
index b68113a4f42d232eee453e70b77e4d6f0212ecad..07f681f3289391355aa4240e76138e51e5289a02 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ use-db-backend.patch
 correct-magic-path.patch
 fix_login.patch
 dont-use-preg-e-option.patch
+cve-2008-5620.patch