Re: Wheezy update of roundcube

Hi Raphael,

On 06.09.2016 18:13, Raphael Hertzog wrote:
> Hi Markus,
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issues. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. download requests
> without _token do fail).
> On Thursday I will see if I can deal with CVE-2014-9587 as well.

I've just tested your patch in Firefox with the Firebug addon. It looks
solid and it works for me. As you said, when the _token id is removed, it
is no longer possible to download the image.

> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068
> you left it open but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
> Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1.
> What do you think?
> I just spent 5 hours just for the attached patch...

I also think that it is safe to mark CVE-2016-4068 as fixed since SVG
files are not displayed anymore, hence the attack vector is void. It is
probably not very reasonable to invest more time into creating a perfect
solution if the current one works acceptably well.
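For readers following the CSRF discussion above: the sketch below shows the shape of a per-session _token check on a GET-based attachment download, the kind of check the thread says the patch adds. It is an added example written for this page, not Roundcube's code and not Raphael's patch; the function names, the session key and the exact URL parameters (_task, _action, _uid, _part) are assumptions made for illustration.

```php
<?php
// Added example, not Roundcube code. Demonstrates a session-bound CSRF
// token (_token) guarding a download action, alongside the unguarded
// form it replaces. Parameter names and URL layout are assumed.

session_start();

// Issue one random token per session; the UI embeds it in links and
// cross-site pages cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the request echoes the session's token back.
function csrf_request_ok(array $request): bool
{
    $supplied = $request['_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($supplied) || $expected === '') {
        return false;
    }
    // Constant-time comparison so timing does not leak the token.
    return hash_equals($expected, $supplied);
}

// Vulnerable shape: any third-party page that makes the browser fetch
// this URL (e.g. via an <img src>) triggers the download with the
// victim's session cookie attached.
function download_unchecked(array $request): string
{
    return 'serving part ' . ($request['_part'] ?? '?');
}

// Hardened shape: refuse unless _token matches the session.
function download_checked(array $request): string
{
    if (!csrf_request_ok($request)) {
        http_response_code(403);
        return 'forbidden: missing or invalid _token';
    }
    return download_unchecked($request);
}

// Links generated by the application carry the token, so the
// legitimate UI keeps working while a forged request cannot.
function download_link(string $uid, string $part): string
{
    return '?_task=mail&_action=get'
         . '&_uid=' . rawurlencode($uid)
         . '&_part=' . rawurlencode($part)
         . '&_token=' . rawurlencode(csrf_token());
}

// Constructed requests for demonstration.
$token = csrf_token();
echo download_checked(['_uid' => '1', '_part' => '2']), "\n";                  // forbidden
echo download_checked(['_uid' => '1', '_part' => '2', '_token' => 'bogus']), "\n"; // forbidden
echo download_checked(['_uid' => '1', '_part' => '2', '_token' => $token]), "\n"; // serving part 2
echo download_link('1', '2'), "\n";
```

Two points worth keeping in mind when reviewing a backport of this kind: the token has to be a value separate from the session id, because a token placed in a GET URL can end up in Referer headers and server logs, and the comparison should be constant-time (hash_equals) rather than a plain string equality.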
