roundcube: CVE-2020-35730: XSS vulnerability via malious HTML or plaintext messages

[Guilhem Moulin <guilhem@debian.org>]

Dear LTS team,

In a recent post roundcube webmail upstream has announced the following
security fix for #978491:

    Cross-site scripting (XSS) via HTML or Plain text messages with
    malicious content (CVE-2020-35730)
    — responsible disclosure from Alex Birnberg

Debdiff tested and attached.  I can upload if you'd like but would
appreciate if you could take care of the DLA :-)

Thanks!
Cheers,
-- 
Guilhem.

diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog                    |    8 ++++
 patches/CVE-2020-35730.patch |   77 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 86 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2020-08-11 18:38:40.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2020-12-28 03:25:57.000000000 +0100
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u8) stretch-security; urgency=high
+
+  * Backport security fix for CVE-2020-35730: Cross-site scripting (XSS)
+    Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
+    with malicious content svg/namespace. (Closes: #978491)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 28 Dec 2020 03:25:57 +0100
+
 roundcube (1.2.3+dfsg.1-4+deb9u7) stretch-security; urgency=high
 
   * Backport security fix for CVE-2020-16145: Cross-site scripting (XSS)
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch	2020-12-28 03:25:57.000000000 +0100
@@ -0,0 +1,77 @@
+commit 47e4d44f62ea16f923761d57f1773a66d51afad4
+Author: Aleksander Machniak <alec@alec.pl>
+Date:   Sun Dec 27 18:27:42 2020 +0100
+
+    Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
+    
+    Credits to Alex Birnberg <birnbergalex@gmail.com>
+
+diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php
+index 284d58547..d4ec20f23 100644
+--- a/program/lib/Roundcube/rcube_string_replacer.php
++++ b/program/lib/Roundcube/rcube_string_replacer.php
+@@ -24,7 +24,7 @@
+  */
+ class rcube_string_replacer
+ {
+-    public static $pattern = '/##str_replacement_(\d+)##/';
++    public $pattern;
+     public $mailto_pattern;
+     public $link_pattern;
+     public $linkref_index;
+@@ -39,6 +39,10 @@ class rcube_string_replacer
+ 
+     function __construct($options = array())
+     {
++        // Create hard-to-guess replacement string
++        $uniq_ident    = sprintf('%010d%010d', mt_rand(), mt_rand());
++        $this->pattern = '/##' . $uniq_ident . '##(\d+)##/';
++
+         // Simplified domain expression for UTF8 characters handling
+         // Support unicode/punycode in top-level domain part
+         $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})';
+@@ -49,7 +53,7 @@ class rcube_string_replacer
+         $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)";
+ 
+         $this->options         = $options;
+-        $this->linkref_index   = '/\[([^\]#]+)\](:?\s*##str_replacement_(\d+)##)/';
++        $this->linkref_index   = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
+         $this->linkref_pattern = '/\[([^\]#]+)\]/';
+         $this->link_pattern    = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/";
+         $this->mailto_pattern  = "/("
+@@ -78,7 +82,7 @@ class rcube_string_replacer
+      */
+     public function get_replacement($i)
+     {
+-        return '##str_replacement_' . $i . '##';
++        return str_replace('(\d+)', $i, substr($this->pattern, 1, -1));
+     }
+ 
+     /**
+@@ -121,7 +125,7 @@ class rcube_string_replacer
+     public function linkref_addindex($matches)
+     {
+         $key = $matches[1];
+-        $this->linkrefs[$key] = $this->urls[$matches[3]];
++        $this->linkrefs[$key] = isset($this->urls[$matches[3]]) ? $this->urls[$matches[3]] : null;
+ 
+         return $this->get_replacement($this->add('['.$key.']')) . $matches[2];
+     }
+@@ -166,7 +170,7 @@ class rcube_string_replacer
+      */
+     public function replace_callback($matches)
+     {
+-        return $this->values[$matches[1]];
++        return isset($this->values[$matches[1]]) ? $this->values[$matches[1]] : null;
+     }
+ 
+     /**
+@@ -193,7 +197,7 @@ class rcube_string_replacer
+      */
+     public function resolve($str)
+     {
+-        return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str);
++        return preg_replace_callback($this->pattern, array($this, 'replace_callback'), $str);
+     }
+ 
+     /**
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2020-08-11 18:38:40.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2020-12-28 03:25:57.000000000 +0100
@@ -22,3 +22,4 @@
 CVE-2020-13965.patch
 CVE-2020-15562.patch
 CVE-2020-16145.patch
+CVE-2020-35730.patch

Attachment: signature.asc
Description: PGP signature