
Wheezy update of roundcube



Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of roundcube:
https://security-tracker.debian.org/tracker/CVE-2016-4069

Sorry, I missed the first contact, where I should have asked whether you
want to handle this yourself or leave it to us. I have already prepared a
new version in which I adapted the upstream fix to the wheezy version; the
diff is attached.

I tested the upgrade from the previous version to this one and it worked.
I did some tests, but I would appreciate it if you could review it.

After your feedback I can upload it or leave it up to you.

Thank you very much.

Lucas Kanashiro,
  on behalf of the Debian LTS team.

PS: if you want them, the new packages are available here:
https://people.debian.org/~kanashiro/wheezy_lts/
-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C
diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog	2016-06-30 17:20:39.000000000 -0300
+++ roundcube-0.7.2/debian/changelog	2016-07-05 11:45:38.000000000 -0300
@@ -1,3 +1,11 @@
+roundcube (0.7.2-9+deb7u4) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by LTS team.
+  * Fix CVE-2016-4069, Protect download urls against CSRF using unique request
+    tokens
+
+ -- Lucas Kanashiro <kanashiro@debian.org>  Tue, 05 Jul 2016 11:44:27 -0300
+
 roundcube (0.7.2-9+deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru roundcube-0.7.2/debian/patches/CVE-2015-8864.patch roundcube-0.7.2/debian/patches/CVE-2015-8864.patch
--- roundcube-0.7.2/debian/patches/CVE-2015-8864.patch	2016-06-30 17:20:39.000000000 -0300
+++ roundcube-0.7.2/debian/patches/CVE-2015-8864.patch	2016-07-05 11:30:21.000000000 -0300
@@ -16,11 +16,9 @@
  program/steps/mail/get.inc | 9 +++++++++
  1 file changed, 9 insertions(+)
 
-diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
-index 0c11eb2..7fcc6a1 100644
 --- a/program/steps/mail/get.inc
 +++ b/program/steps/mail/get.inc
-@@ -134,6 +134,9 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
+@@ -134,6 +134,9 @@ else if ($pid = get_input_value('_part',
  
        header("Content-Disposition: $disposition; filename=\"$filename\"");
  
@@ -30,7 +28,7 @@
        // do content filtering to avoid XSS through fake images
        if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
          if ($part->body)
-@@ -145,6 +148,12 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
+@@ -145,6 +148,12 @@ else if ($pid = get_input_value('_part',
            $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
          }
        }
diff -Nru roundcube-0.7.2/debian/patches/CVE-2016-4069.patch roundcube-0.7.2/debian/patches/CVE-2016-4069.patch
--- roundcube-0.7.2/debian/patches/CVE-2016-4069.patch	1969-12-31 21:00:00.000000000 -0300
+++ roundcube-0.7.2/debian/patches/CVE-2016-4069.patch	2016-07-20 10:41:09.000000000 -0300
@@ -0,0 +1,153 @@
+Description: Fix CVE-2016-4069
+ Protect download urls against CSRF using unique request tokens. Send
+ X-Frame-Options headers with every HTTP response.
+Author: Lucas Kanashiro <kanashiro@debian.org>
+Last-Updated: 2016-07-05
+
+--- a/plugins/managesieve/managesieve.php
++++ b/plugins/managesieve/managesieve.php
+@@ -426,6 +426,8 @@ class managesieve extends rcube_plugin
+                 }
+             }
+             else if ($action == 'setget') {
++                $this->rc->request_security_check(RCUBE_INPUT_GET);
++
+                 $script_name = get_input_value('_set', RCUBE_INPUT_GPC, true);
+                 $script = $this->sieve->get_script($script_name);
+ 
+--- a/plugins/managesieve/managesieve.js
++++ b/plugins/managesieve/managesieve.js
+@@ -183,7 +183,7 @@ rcube_webmail.prototype.managesieve_setg
+   var id = this.filtersets_list.get_single_selection(),
+     script = this.env.filtersets[id];
+ 
+-  location.href = this.env.comm_path+'&_action=plugin.managesieve&_act=setget&_set='+urlencode(script);
++  this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
+ };
+ 
+ // Set activate/deactivate request
+--- a/program/include/rcube_template.php
++++ b/program/include/rcube_template.php
+@@ -369,10 +369,11 @@ class rcube_template extends rcube_html_
+         $js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
+         $this->add_script($js, 'head_top');
+ 
+-        // send clickjacking protection headers
++        // allow (legal) iframe content to be loaded
+         $iframe = $this->framed || !empty($_REQUEST['_framed']);
+-        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+-            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
++        if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') {
++            header('X-Frame-Options: sameorigin', true);
++        }
+ 
+         // call super method
+         parent::write($template, $this->config['skin_path']);
+--- a/program/js/app.js.src
++++ b/program/js/app.js.src
+@@ -769,7 +769,7 @@ function rcube_webmail()
+           }
+         }
+ 
+-        this.goto_url('get', qstring+'&_download=1', false);
++        this.goto_url('get', qstring+'&_download=1', false, true);
+         break;
+ 
+       case 'select-all':
+@@ -981,7 +981,7 @@ function rcube_webmail()
+ 
+       case 'download':
+         if (uid = this.get_single_uid())
+-          this.goto_url('viewsource', '&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox)+'&_save=1');
++          this.goto_url('viewsource', '&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox)+'&_save=1', false, true);
+         break;
+ 
+       // quicksearch
+@@ -1034,7 +1034,7 @@ function rcube_webmail()
+ 
+       case 'export':
+         if (this.contact_list.rowcount > 0) {
+-          this.goto_url('export', { _source:this.env.source, _gid:this.env.group, _search:this.env.search_request });
++          this.goto_url('export', { _source:this.env.source, _gid:this.env.group, _search:this.env.search_request }, false, true);
+         }
+         break;
+ 
+@@ -5796,9 +5796,11 @@ function rcube_webmail()
+       this.location_href(url, window);
+   };
+ 
+-  this.goto_url = function(action, query, lock)
++  this.goto_url = function(action, query, lock, secure)
+   {
+-    this.redirect(this.url(action, query));
++    var url = this.url(action, query)
++    if (secure) url = this.secure_url(url);
++    this.redirect(url, lock);
+   };
+ 
+   this.location_href = function(url, target, frame)
+--- a/program/include/main.inc
++++ b/program/include/main.inc
+@@ -127,7 +127,8 @@ function rcmail_overwrite_action($action
+ function rcmail_url($action, $p=array(), $task=null)
+ {
+   $app = rcmail::get_instance();
+-  return $app->url((array)$p + array('_action' => $action, 'task' => $task));
++  return $app->url((array)$p + array('_action' => $action, 'task' => $task),
++                    false, false, true);
+ }
+ 
+ 
+--- a/program/include/rcube_shared.inc
++++ b/program/include/rcube_shared.inc
+@@ -42,6 +42,12 @@ function send_nocacheing_headers()
+   // Request browser to disable DNS prefetching (CVE-2010-0464)
+   header("X-DNS-Prefetch-Control: off");
+ 
++  // send CSRF and clickjacking protection headers
++  $app = rcmail::get_instance();
++  if ($xframe = $app->config->get('x_frame_options', 'sameorigin')) {
++    header('X-Frame-Options: ' . $xframe);
++  }
++
+   // We need to set the following headers to make downloads work using IE in HTTPS mode.
+   if ($OUTPUT->browser->ie && rcube_https_check()) {
+     header('Pragma: private');
+--- a/program/steps/addressbook/export.inc
++++ b/program/steps/addressbook/export.inc
+@@ -21,6 +21,8 @@
+ 
+ */
+ 
++$RCMAIL->request_security_check(RCUBE_INPUT_GET);
++
+ // Use search result
+ if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']]))
+ {
+--- a/program/steps/mail/get.inc
++++ b/program/steps/mail/get.inc
+@@ -84,6 +84,11 @@ else if ($pid = get_input_value('_part',
+     if ($plugin['abort'])
+       exit;
+ 
++    // require CSRF protected url for downloads
++    if ($plugin['download']) {
++      $RCMAIL->request_security_check(RCUBE_INPUT_GET);
++    }
++
+     // overwrite modified vars from plugin
+     $mimetype = $plugin['mimetype'];
+     list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
+--- a/program/steps/mail/viewsource.inc
++++ b/program/steps/mail/viewsource.inc
+@@ -19,6 +19,10 @@
+ 
+ */
+ 
++if (!empty($_GET['_save'])) {
++  $RCMAIL->request_security_check(RCUBE_INPUT_GET);
++}
++
+ ob_end_clean();
+ 
+ // similar code as in program/steps/mail/get.inc
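Review bot: The `rcmail_url()` change in `program/include/main.inc` passes `false, false, true` to `$app->url()`, but nothing in this patch adds a `$secure` parameter to `rcmail::url()` in `program/include/rcmail.php`; as far as I can tell the 0.7.2 method takes only `$p`, so PHP silently drops the extra arguments and no `_token` is ever appended on the server side. If, as in upstream 0.7, `rcmail_url('get', …)` is what builds the server-rendered attachment URLs (the `get_url` option of rcube_message), then the new `request_security_check(RCUBE_INPUT_GET)` in `get.inc` would reject every `_download=1` link in the message view with a 403 — please verify that path, and if confirmed extend `rcmail::url()` as upstream did: `public function url($p, $absolute = false, $full = false, $secure = false)` and, after the query string is built, `if ($secure && ($token = $this->get_request_token())) $url .= $delm . '_token=' . urlencode($token);`. Separately, the JS `goto_url()` now calls `this.secure_url(url)`, which should be confirmed to exist in 0.7.2's `app.js.src` (the upstream commit relies on it), and `var url = this.url(action, query)` is missing its semicolon. Moving `X-Frame-Options` into `send_nocacheing_headers()` does cover download responses that never go through `rcube_template::write()`, which is the point of the header change in the patch description.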
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series	2016-06-30 17:20:39.000000000 -0300
+++ roundcube-0.7.2/debian/patches/series	2016-07-05 10:06:59.000000000 -0300
@@ -12,3 +12,4 @@
 CVE-2013-6172.patch
 CVE-2015-8770.patch
 CVE-2015-8864.patch
+CVE-2016-4069.patch
