Roundcube Community Forum

 

RoundCube News: Security update 0.5.4 is out

Started by bpat1434, August 12, 2011, 04:11:02 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

bpat1434

August 12, 2011, 04:11:02 PM
We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

More...
 
 

OHosNL

#1
August 12, 2011, 05:22:31 PM
A hasty release perhaps?

Code Select
Call to undefined function rcube_label_exists() in (...)
Code Select

# grep -R  rcube_label_exists roundcubemail-0.5.4/*
roundcubemail-0.5.4/program/include/rcube_json_output.php:            if (rcube_label_exists($message)) {
roundcubemail-0.5.4/program/include/rcube_template.php:            if (rcube_label_exists($message)) {
#

sk_illed

#2
August 12, 2011, 07:19:02 PM
anyone else having this issue? or NOT having the issue?

m4lvin

#3
August 12, 2011, 08:24:00 PM
I don't have this issue. But:
1) some actions bring up a red error popup "internal server error" on top, though they still happen / work. example: packing folders / purging.
2) logout is not working. /rcmail/?_task=logout is a white page and the session is still open.
so long, i better keep the old version and would like to do that patch manually... where can i find instructions?
greets and thanks for this otherwise awesome piece of software!

SKaero

#4
August 12, 2011, 09:04:18 PM
This is the fix Changeset 5037

jonabbey

#5
August 12, 2011, 09:05:15 PM
Yes, this was a hasty release.  The rcube_label_exists function is not defined in the tar ball, and is not created by the patch.  It is the source of that "Internal Server Error" popup.

jonabbey

#6
August 12, 2011, 09:11:36 PM
Even if you fix the rcube_label_exists() issue by adding that function to main.inc.php from the subversion trunk, there are other functions missing.

Looks like this release should be pulled.

Schmatze

#7
August 13, 2011, 05:36:48 AM Last Edit: August 13, 2011, 05:57:28 AM by Schmatze
I also have this issue. I've got this errors after an upgrade from 5.2 to 5.4:

PHP Fatal error:  Call to undefined function rcube_label_exists() in /.../program/include/rcube_json_output.php on line 172

and

PHP Fatal error:  Call to undefined function rcube_label_exists() in /.../program/include/rcube_template.php on line 252

EDIT: here are some lines of my /.../program/include/main.inc file:

Quote...

/**
 * Get localized text in the desired language
 * It's a global wrapper for rcmail::gettext()
 *
 * @param mixed Named parameters array or label name
 * @return string Localized text
 * @see rcmail::gettext()
 */
function rcube_label($p, $domain=null)
{
  return rcmail::get_instance()->gettext($p, $domain);
}


/**
 * Overwrite action variable
 *
 * @param string New action value
 */
function rcmail_overwrite_action($action)
  {
  $app = rcmail::get_instance();
  $app->action = $action;
  $app->output->set_env('action', $action);
  }

...

If I compare this with this one: https://svn.roundcube.net/trunk/roundcubemail/program/include/main.inc there is something missing:

Quote/**
 * Global wrapper of rcmail::text_exists()
 * to check whether a text label is defined
 *
 * @see rcmail::text_exists()
 */
function rcube_label_exists($name, $domain=null)
{
  return rcmail::get_instance()->text_exists($name, $domain);
}

EDIT2: I've inserted these lines but it seems that more strange things are going on. I've downgraded again.

JohnDoh

#8
August 13, 2011, 07:32:46 AM
a corrected package is now available for download from roundcube.net, see RoundCube Mailing Lists for more info.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...

Schmatze

#9
August 13, 2011, 11:13:46 AM
You should also check the checksums on this page: Downloading Roundcube webmail
Print
Go Up Pages1
User actions