DOC: How to update Roundcube to version 1.6.14 (fixes 8 security vulnerabilities)

molero.renan · March 20, 2026, 10:21pm

Thank you very much, the solution worked perfectly. Now just waiting for their official fix. Cheers!

sahsanu · March 20, 2026, 10:23pm

I’ve opened this issue:

github.com/roundcube/roundcubemail

[BUG] IMAP search fails with multibyte characters (accents) after 1.6.14 upgrade

opened 10:22PM - 20 Mar 26 UTC

sahsanu

### Prerequisites - [x] I have [searched](https://github.com/roundcube/roundcub…email/issues?q=is%3Aissue) for duplicate or closed issues - [x] I can recreate the issue with all plugins disabled ### Describe the issue After upgrading from 1.6.13 to 1.6.14, searching for emails using multibyte characters (accented characters like `á`, `é`, `í`, `ó`, `ú`, etc.) fails with the following IMAP error: `Missing LF after literal size` Searching with plain ASCII characters works fine. ## Root Cause In 1.6.14, a security fix was introduced in `program/actions/mail/search.php` to prevent IMAP command injection via newlines: ```php $search_str = preg_replace('/[\r\n]+/', ' ', $search_str); ``` The problem is that this `preg_replace` is applied **after** the search string has already been converted into IMAP protocol format, which uses the literal format `{N}\r\n` for strings containing multibyte characters. For example, searching for `raúl` generates the IMAP literal: ``` HEADER SUBJECT {5}\r\nraúl ``` The `preg_replace` strips the `\r\n`, leaving: ``` HEADER SUBJECT {5} raúl ``` The IMAP server (Dovecot) then reads exactly 5 bytes after the literal size declaration, gets out of sync, and throws `Missing LF after literal size`. Note: `raúl` in UTF-8 is actually **6 bytes** (`ú` = `\xc3\xba`), which is an additional inconsistency in the literal size calculation. ## Steps to Reproduce 1. Install Roundcube 1.6.14 with Dovecot as IMAP server 2. Open any mailbox with emails 3. Search for any term containing accented or multibyte characters (e.g. `raúl`, `ángel`, `über`) 4. Observe the error in the IMAP log ## Expected Behavior Search works correctly with multibyte/accented characters, as it did in 1.6.13. ## Actual Behavior IMAP log shows: ``` C: A0007 UID SEARCH RETURN (ALL) CHARSET UTF-8 OR HEADER SUBJECT {5} raúl HEADER FROM {5} raúl S: + OK S: A0007 BAD Error in IMAP command UID SEARCH: Missing LF after literal size ``` ## Environment - Roundcube version: 1.6.14 - PHP version: 8.3.30 - IMAP server: Dovecot - OS: Debian 12 ## Proposed Fix The security sanitization should be applied to the **raw user input** before it is processed into IMAP protocol format, not after. In `program/actions/mail/search.php`, the fix should be applied earlier in the flow, before the search string is converted into IMAP literals: ```php // Sanitize user input BEFORE building IMAP commands // to prevent command injection without breaking the IMAP literal format {N}\r\n if (!empty($search_str)) { $search_str = str_replace(["\r", "\n"], ' ', $search_str); } ``` ## Workaround As a temporary workaround, in `program/lib/Roundcube/rcube_imap_generic.php`, remove `\x80-\xFF` from the `escape()` function's quoted-string check (around line 4309), so that multibyte strings are sent as quoted strings instead of IMAP literals: ```php // Before if (!preg_match('/[\r\n\x00\x80-\xFF]/', $string)) { // After if (!preg_match('/[\r\n\x00]/', $string)) { ``` This forces Roundcube to use `"raúl"` instead of `{6}\r\nraúl`, which Dovecot handles correctly. ### What browser(s) are you seeing the problem on? Firefox ### What version of PHP are you using? v8.3 ### What version of Roundcube are you using? 1.6.14 ### JavaScript errors _No response_ ### PHP errors _No response_

sahsanu · March 21, 2026, 7:57am

If you want to apply the official fix.

cd /var/lib/roundcube/program/actions/mail/
curl https://raw.githubusercontent.com/roundcube/roundcubemail/6b137adda9b042c3742b0f968692e95ed367d3d1/program/actions/mail/search.php -o search.php

As you applied the workaround, you should revert it:

cd /var/lib/roundcube/program/lib/Roundcube/
mv rcube_imap_generic.php.bak rcube_imap_generic.php

garethw · March 21, 2026, 10:06am

+1 for the above working and thanks to @sahsanu for the write up. I upgraded as root from 1.6.11 direct to 1.6.14.

I assume that after testing the update it is safe to remove the files backed up and moved from the /tmp folder?