From 8ef598b88385cbe9322174c0c63118a082609748 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 21 Jan 2016 10:27:03 -0500
Subject: [PATCH] Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#1490643)

---
 CHANGELOG                                 |    1 +
 plugins/password/drivers/dbmail.php       |   15 ++-------------
 plugins/password/helpers/chgdbmailusers.c |   22 ++--------------------
 3 files changed, 5 insertions(+), 33 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5773cb4..dd3fd8d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -16,6 +16,7 @@
 - Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624)
 - Fix XSS issue in SVG images handling (#1490625)
 - Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634)
+- Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#1490643)
 
 RELEASE 1.2-beta
 ----------------
diff --git a/plugins/password/drivers/dbmail.php b/plugins/password/drivers/dbmail.php
index 1207283..a1a0b3c 100644
--- a/plugins/password/drivers/dbmail.php
+++ b/plugins/password/drivers/dbmail.php
@@ -40,20 +40,9 @@
         $args     = rcmail::get_instance()->config->get('password_dbmail_args', '');
         $command  = "$curdir/chgdbmailusers -c $username -w $password $args";
 
-        if (strlen($command) > 1024) {
-            rcube::raise_error(array(
-                'code' => 600,
-                'type' => 'php',
-                'file' => __FILE__, 'line' => __LINE__,
-                'message' => "Password plugin: The command is too long."
-                ), true, false);
+        exec($command, $output, $return_value);
 
-            return PASSWORD_ERROR;
-        }
-
-        exec($command, $output, $returnvalue);
-
-        if ($returnvalue == 0) {
+        if ($return_value == 0) {
             return PASSWORD_SUCCESS;
         }
         else {
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
index be23755..0f2fda9 100644
--- a/plugins/password/helpers/chgdbmailusers.c
+++ b/plugins/password/helpers/chgdbmailusers.c
@@ -1,5 +1,4 @@
 #include <stdio.h>
-#include <string.h>
 #include <unistd.h>
 
 // set the UID this script will run as (root user)
@@ -15,27 +14,10 @@
 
 main(int argc, char *argv[])
 {
-  int cnt,rc,cc;
-  char cmnd[1024];
-
-  strcpy(cmnd, CMD);
-
-  if (argc > 1)
-  {
-    for (cnt = 1; cnt < argc; cnt++)
-    {
-      strcat(cmnd, " ");
-      strcat(cmnd, argv[cnt]);
-    }
-  }
-  else
-  {
-    fprintf(stderr, "__ %s:  failed %d  %d\n", argv[0], rc, cc);
-    return 255;
-  }
+  int rc, cc;
 
   cc = setuid(UID);
-  rc = system(cmnd);
+  rc = execvp(CMD, argv);
 
   if ((rc != 0) || (cc != 0))
   {

--
Gitblit v1.9.1