UBUNTU-CVE-2018-1000071

Source
https://ubuntu.com/security/CVE-2018-1000071
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000071.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-1000071
Published
2018-03-13T15:29:00Z
Modified
2026-03-31T17:54:18.729800Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Ubuntu - medium
Summary
[none]
Details

Roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in the enigma plugin that can result in exfiltration of the GPG private key. This attack appears to be exploitable via network connectivity.

References

Affected packages

Ubuntu:Pro:16.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube@1.2~beta+dfsg.1-0ubuntu1+esm7?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2~beta+dfsg.1-0ubuntu1+esm7

Affected versions

1.*
1.1.1+dfsg.1-2
1.1.2+dfsg.1-5
1.1.3+dfsg.1-1
1.1.4+dfsg.1-1
1.2~beta+dfsg.1-0ubuntu1
1.2~beta+dfsg.1-0ubuntu1+esm1
1.2~beta+dfsg.1-0ubuntu1+esm2
1.2~beta+dfsg.1-0ubuntu1+esm3
1.2~beta+dfsg.1-0ubuntu1+esm4
1.2~beta+dfsg.1-0ubuntu1+esm5
1.2~beta+dfsg.1-0ubuntu1+esm6

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "roundcube",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        },
        {
            "binary_name": "roundcube-core",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        },
        {
            "binary_name": "roundcube-mysql",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        },
        {
            "binary_name": "roundcube-pgsql",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        },
        {
            "binary_name": "roundcube-plugins",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        },
        {
            "binary_name": "roundcube-sqlite3",
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm7"
        }
    ],
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000071.json"

Ubuntu:Pro:18.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube@1.3.6+dfsg.1-1ubuntu0.1~esm7?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.3.6+dfsg.1-1ubuntu0.1~esm7

Affected versions

1.*
1.3.0+dfsg.1-1
1.3.1+dfsg.1-1
1.3.3+dfsg.1-1
1.3.3+dfsg.1-2
1.3.6+dfsg.1-1
1.3.6+dfsg.1-1ubuntu0.1~esm1
1.3.6+dfsg.1-1ubuntu0.1~esm2
1.3.6+dfsg.1-1ubuntu0.1~esm3
1.3.6+dfsg.1-1ubuntu0.1~esm4
1.3.6+dfsg.1-1ubuntu0.1~esm5
1.3.6+dfsg.1-1ubuntu0.1~esm6

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "roundcube",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        },
        {
            "binary_name": "roundcube-core",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        },
        {
            "binary_name": "roundcube-mysql",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        },
        {
            "binary_name": "roundcube-pgsql",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        },
        {
            "binary_name": "roundcube-plugins",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        },
        {
            "binary_name": "roundcube-sqlite3",
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm7"
        }
    ],
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000071.json"