Roundcube: Arbitrary code execution — GLSA 201612-44

A vulnerability in Roundcube could potentially lead to arbitrary code execution.

Affected packages

mail-client/roundcube on all architectures
Affected versions < 1.2.3
Unaffected versions >= 1.2.3

Background

Free and open source webmail software for the masses, written in PHP.

Description

Roundcube, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line.
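The weakness described above is a classic argument-injection shape: a user-controlled string ends up on a command line where the MTA interprets it. The following is an added example written for this advisory, not code from Roundcube or from the advisory itself; the helper names `envelope_from_is_safe` and `build_sendmail_command` are hypothetical, the sendmail path is assumed, and the sample addresses are constructed. It shows the checks a caller should apply to an envelope-from address before it can reach a sendmail command line: reject anything that starts with a dash, contains whitespace or control characters, or contains shell metacharacters, and only then pass it as a single quoted argument.

```php
<?php
// Added example (not Roundcube's code): validate a user-supplied envelope-from
// address before it is placed on a sendmail command line.
// Helper names are hypothetical; sample addresses below are constructed.

declare(strict_types=1);

/**
 * Returns true only for addresses that are safe to pass as the -f value:
 * a syntactically valid mailbox with no leading dash, no whitespace or
 * control characters, and no shell metacharacters.
 */
function envelope_from_is_safe(string $addr): bool
{
    // A leading dash could be read by the MTA as a separate option.
    if ($addr === '' || $addr[0] === '-') {
        return false;
    }
    // Whitespace or control characters would end the -f argument early.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return false;
    }
    // Shell metacharacters never belong in an envelope sender.
    if (preg_match('/[;&|`$<>\\\\"\']/', $addr)) {
        return false;
    }
    // Finally require mailbox syntax.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Builds the sendmail argument string with the envelope sender as one quoted
 * argument. Returns null when validation fails so the caller can fall back to
 * the configured default sender. $sendmail_path is an assumed location.
 */
function build_sendmail_command(string $sendmail_path, string $envelope_from): ?string
{
    if (!envelope_from_is_safe($envelope_from)) {
        return null;
    }
    // Validation plus escapeshellarg() keeps the address a single argument;
    // we do not rely on "--", which not every sendmail-compatible MTA honours.
    return escapeshellarg($sendmail_path) . ' -t -i -f' . escapeshellarg($envelope_from);
}

// Constructed sample inputs: one accepted, three rejected.
$samples = [
    'alice@example.org',        // accepted
    '-oops@example.org',        // rejected: leading dash
    'alice@example.org extra',  // rejected: whitespace splits the argument
    'alice@example.org;id',     // rejected: shell metacharacter
];
foreach ($samples as $s) {
    $cmd = build_sendmail_command('/usr/sbin/sendmail', $s);
    printf("%-26s => %s\n", $s, $cmd ?? 'REJECTED');
}
```

Run it with `php validate_envelope.php`; only the first sample produces a command string. The point of the design is that the allow-list check happens before quoting: `escapeshellarg()` protects the shell, but it does nothing against an address that the MTA itself parses as an option, which is why the leading-dash and whitespace rejections are separate from the quoting step.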

Impact

An authenticated remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

Don’t use an MTA (Mail Transfer Agent) in conjunction with Roundcube which implements sendmail’s “-O” or “-X” parameter, or configure Roundcube to use an SMTP server as recommended by upstream.
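The second half of the workaround is a configuration change. As an added illustration, not taken from the advisory or from Roundcube's shipped defaults, here are the two `config/config.inc.php` fragments side by side: the affected sendmail path and the SMTP setup upstream recommends. The host name and port are placeholders; `smtp_server`, `smtp_port`, `smtp_user` and `smtp_pass` are Roundcube's own option names, and `%u` / `%p` are its placeholders for the current user's IMAP login.

```php
<?php
// Added example, not from the advisory or from Roundcube itself: two
// config/config.inc.php fragments. Host name and port are placeholders.

// Affected setup: an empty smtp_server makes Roundcube fall back to PHP's
// mail() function, which runs the sendmail binary named by php.ini's
// sendmail_path and puts the envelope sender on its command line.
$config['smtp_server'] = '';

// Hardened setup: deliver over SMTP instead, so no sendmail command line is
// built at all. The tls:// prefix requests STARTTLS on the submission port;
// %u and %p reuse the IMAP credentials of the logged-in user for SMTP AUTH.
$config['smtp_server'] = 'tls://mail.example.org';  // placeholder host
$config['smtp_port']   = 587;
$config['smtp_user']   = '%u';
$config['smtp_pass']   = '%p';
```

After changing the setting, send a test message and confirm in the MTA's log that it arrived over the submission port rather than via a local sendmail invocation; that log line is also the quickest way to verify which delivery path a given Roundcube instance is actually using.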

Resolution

All Roundcube users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.2.3"

References

Release date
December 24, 2016

Latest revision
December 24, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries