[packages/roundcubemail] up to 1.6.13; fixes CVE-2025-49113, CVE-2024-42009, CVE-2024-42008
arekm
arekm at pld-linux.org
Sat Mar 14 00:02:07 CET 2026
commit 8a2f7220dc8f1c80b50e524fe1b36ce36ecc6db8
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Sat Mar 14 00:01:58 2026 +0100
up to 1.6.13; fixes CVE-2025-49113, CVE-2024-42009, CVE-2024-42008
roundcubemail-config.patch | 13 +++++------
roundcubemail.spec | 56 +++++++++++++---------------------------------
2 files changed, 21 insertions(+), 48 deletions(-)
---
diff --git a/roundcubemail.spec b/roundcubemail.spec
index dff4b2c..c3c4cd4 100644
--- a/roundcubemail.spec
+++ b/roundcubemail.spec
@@ -10,16 +10,16 @@
%bcond_with password_anon_ldap_bind # apply with password-anon-ldap-bind patch.
%define rcpfa_ver 1.0.5
-%define php_min_version 5.4.0
+%define php_min_version 7.3.0
Summary: RoundCube Webmail
Summary(pl.UTF-8): RoundCube Webmail - poczta przez WWW
Name: roundcubemail
-Version: 1.4.12
+Version: 1.6.13
Release: 1
License: GPL v3+
Group: Applications/Mail
Source0: https://github.com/roundcube/roundcubemail/releases/download/%{version}/%{name}-%{version}-complete.tar.gz
-# Source0-md5: eef559f03a7f5e56a92ca3bcbcc5f36e
+# Source0-md5: dc85110cceb98058d194a2d12253b84f
Source1: apache.conf
Source2: %{name}.logrotate
Source3: lighttpd.conf
@@ -46,7 +46,8 @@ Requires: php(iconv)
Requires: php(imap)
Requires: php(json)
Requires: php(mbstring)
-Requires: php(mcrypt)
+Requires: php(ctype)
+Requires: php(intl)
Requires: php(openssl)
Requires: php(pcre)
Requires: php(pdo)
@@ -68,7 +69,7 @@ Suggests: php(exif)
Suggests: php(fileinfo)
Suggests: php(gd)
Suggests: php(imagick)
-Suggests: php(intl)
+Suggests: php(ldap)
Suggests: php(openssl)
Suggests: php(xml)
Suggests: php(zip)
@@ -82,7 +83,9 @@ Suggests: php-pear-Net_LDAP2
Suggests: php-pear-Net_Sieve >= 1.3.2
Suggests: php-pear-Net_Socket >= 1.0.12
Obsoletes: roundcube-plugin-jqueryui < 0.6
+Obsoletes: roundcubemail-skin-classic < 1.6
Obsoletes: roundcubemail-skin-default < 0.8.1
+Obsoletes: roundcubemail-skin-larry < 1.6
Conflicts: apache-base < 2.4.0-1
Conflicts: logrotate < 3.8.0
BuildArch: noarch
@@ -135,32 +138,6 @@ This package provides installer script for RoundCube Webmail.
%description setup -l pl.UTF-8
Ten pakiet zawiera skrypt instalacyjny RoundCube Webmaila.
-%package skin-classic
-Summary: Classic skin for RoundCube Webmail
-Summary(pl.UTF-8): Klasyczna skórka dla RoundCube Webmaila
-Group: Applications/WWW
-Requires: %{name} = %{version}-%{release}
-Provides: %{name}-skin
-
-%description skin-classic
-Classic skin for RoundCube Webmail.
-
-%description skin-classic -l pl.UTF-8
-Klasyczna skórka dla RoundCube Webmaila.
-
-%package skin-larry
-Summary: Larry skin for RoundCube Webmail
-Summary(pl.UTF-8): Skórka Larry dla RoundCube Webmaila
-Group: Applications/WWW
-Requires: %{name} = %{version}-%{release}
-Provides: %{name}-skin
-
-%description skin-larry
-Larry skin for RoundCube Webmail.
-
-%description skin-larry -l pl.UTF-8
-Skórka Larry dla RoundCube Webmaila.
-
%package skin-elastic
Summary: Elastic skin for RoundCube Webmail
Summary(pl.UTF-8): Skórka Elastic dla RoundCube Webmaila
@@ -195,6 +172,7 @@ find -name .svn | xargs -r rm -rf
# fill proper shebang
%{__sed} -i -e '1s,^#!.*php,#!/usr/bin/php,' bin/*.sh plugins/enigma/bin/import_keys.sh
+%{__sed} -i -e '1s,^#!.*php,#!/usr/bin/php,' vendor/bin/crypt-gpg-pinentry vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
# these are php scripts really
for a in $(grep -l '<?php' bin/*.sh); do
mv $a ${a%.sh}
@@ -254,6 +232,9 @@ cp -a SQL $RPM_BUILD_ROOT%{_appdir}
# Plugins
cp -a plugins $RPM_BUILD_ROOT%{_appdir}/plugins
+# Vendor (bundled dependencies from complete tarball)
+cp -a vendor $RPM_BUILD_ROOT%{_appdir}/vendor
+
## Configuration:
for a in config/*.php; do
cp -p $a $RPM_BUILD_ROOT%{_sysconfdir}
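Review bot: The bundled `vendor` tree is copied under `%{_appdir}` on the added `cp -a vendor` line, but nothing in this commit shows that the web server configs (`Source1: apache.conf`, `Source3: lighttpd.conf`) deny direct requests to `/vendor`; those files are not in the diff, so this needs checking before the package is published. Third-party library code, including the `crypt-gpg-pinentry` scripts touched in the `%prep` hunk, should not be reachable over HTTP. Security fixes for these bundled libraries will reach users only through a rebuild of this package, and the spec still lists `php-pear-Net_*` packages under `Suggests`, so some libraries may now be installed twice. A comment beside the copy would record that, e.g. `# bundled copies: follow upstream advisories for vendor/ libraries, they are not updated separately`.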
@@ -340,7 +321,7 @@ EOF
%files -f %{name}.lang
%defattr(644,root,root,755)
-%doc CHANGELOG INSTALL README.md UPGRADING
+%doc CHANGELOG.md INSTALL README.md UPGRADING
%dir %attr(750,root,http) %{_sysconfdir}
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/apache.conf
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/httpd.conf
@@ -357,10 +338,11 @@ EOF
%{_appdir}/program/js
%{_appdir}/program/lib
%{_appdir}/program/resources
-%{_appdir}/program/steps
+%{_appdir}/program/actions
%{_appdir}/program/localization/index.inc
%dir %{_appdir}/plugins
+%{_appdir}/vendor
%dir %{_appdir}/skins
%dir %attr(770,root,http) %{_applogdir}
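Review bot: The new `%{_appdir}/vendor` entry appears to fall under the `%defattr(644,root,root,755)` of the main `%files` section, so every file in the tree, including `vendor/bin/crypt-gpg-pinentry`, is packaged with mode 644 unless an `%attr` outside this hunk overrides it. Root-owned, non-writable files are the right default for library code read by the `http` user, but the `%prep` hunk rewrites the shebang of the pinentry scripts, which suggests they are meant to be executed. If the enigma plugin is expected to run them, add an explicit entry such as `%attr(755,root,root) %{_appdir}/vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry`; if not, the shebang rewrite in `%prep` can be dropped.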
@@ -380,14 +362,6 @@ EOF
%{_appdir}/installer/images
%{_appdir}/SQL
-%files skin-classic
-%defattr(644,root,root,755)
-%{_appdir}/skins/classic
-
-%files skin-larry
-%defattr(644,root,root,755)
-%{_appdir}/skins/larry
-
%files skin-elastic
%defattr(644,root,root,755)
%{_appdir}/skins/elastic
\ No newline at end of file
diff --git a/roundcubemail-config.patch b/roundcubemail-config.patch
index 5e8bd9e..1c44b98 100644
--- a/roundcubemail-config.patch
+++ b/roundcubemail-config.patch
@@ -1,17 +1,16 @@
-diff -urN roundcubemail-1.4.12-orig/config/defaults.inc.php roundcubemail-1.4.12/config/defaults.inc.php
---- roundcubemail-1.4.12-orig/config/defaults.inc.php 2021-11-12 22:39:13.000000000 +0100
-+++ roundcubemail-1.4.12/config/defaults.inc.php 2021-12-29 21:41:58.988361594 +0100
-@@ -435,11 +435,11 @@
+--- roundcubemail-1.6.13/config/defaults.inc.php.orig 2025-02-08 12:00:00.000000000 +0100
++++ roundcubemail-1.6.13/config/defaults.inc.php 2025-02-08 12:00:01.000000000 +0100
+@@ -542,11 +542,11 @@
// use this folder to store log files
// must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
// This is used by the 'file' log driver.
-$config['log_dir'] = RCUBE_INSTALL_PATH . 'logs/';
+$config['log_dir'] = '/var/log/roundcube';
-
- // use this folder to store temp files
+
+ // Location of temporary saved files such as attachments and cache files
// must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
-$config['temp_dir'] = RCUBE_INSTALL_PATH . 'temp/';
+$config['temp_dir'] = '/var/lib/roundcube';
-
+
// expire files in temp_dir after 48 hours
// possible units: s, m, h, d, w
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/roundcubemail.git/commitdiff/8a2f7220dc8f1c80b50e524fe1b36ce36ecc6db8