
roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content



Dear LTS Team,

In a recent post roundcube webmail upstream has announced the following
security fix for #1003027.

    CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
    messages with malicious CSS content.

(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
1.3 are affected too and the same fix applies cleanly.  buster- and
bullseye-security are no longer affected.)

Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached.  I can upload
if you'd like but would appreciate if you could take care of the DLA :-)

Thanks!
Cheers,
-- 
Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog                    |    7 +++++++
 patches/CVE-2021-46144.patch |   21 +++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 29 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2021-12-06 11:51:48.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2022-01-12 12:56:32.000000000 +0100
@@ -1,3 +1,10 @@
+roundcube (1.2.3+dfsg.1-4+deb9u10) stretch-security; urgency=high
+
+  * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
+    messages with malicious CSS content. (Closes: #1003027)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 12 Jan 2022 12:56:32 +0100
+
 roundcube (1.2.3+dfsg.1-4+deb9u9) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
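Review bot: the new changelog entry does not name the upstream commit that was backported; since upstream shipped fixes only for the 1.4 and 1.5 branches and this is a manual backport to 1.2, citing the commit id carried in the patch header (b2400a4b592e3094b6c84e6000d512f99ae0eed8), e.g. "(upstream commit b2400a4b)", in the entry makes the DLA text and later audits easier to cross-check against upstream.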
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch	2022-01-12 12:56:32.000000000 +0100
@@ -0,0 +1,21 @@
+commit b2400a4b592e3094b6c84e6000d512f99ae0eed8
+Author: Aleksander Machniak <alec@alec.pl>
+Date:   Wed Dec 29 19:02:43 2021 +0100
+
+    Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
+---
+ program/lib/Roundcube/rcube_washtml.php |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -304,7 +304,7 @@ class rcube_washtml
+                         if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) {
+                             if ($url = $this->wash_uri($match[2])) {
+                                 $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')'
+-                                     . substr($val, strlen($match[0])) . '"';
++                                     . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES) . '"';
+                                 continue;
+                             }
+                         }
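Review bot: the rebuilt attribute slices its tail from `$val` with an offset computed from a match against `$value` (the `preg_match(..., $value, $match)` line above); if these are two different variables in the 1.2 code base, `strlen($match[0])` does not line up with the string being cut, so please confirm that `$val` holds the same string here as in upstream 1.4/1.5 before uploading. The change itself is correct: the text after `url(...)` was concatenated raw inside a `"`-delimited attribute, so a `"` in the CSS content closed the attribute early, and wrapping it in `htmlspecialchars(..., ENT_QUOTES)` matches how `$url` is already escaped on the same line. Separately, the patch file carries only the git commit header; adding DEP-3 fields (`Origin: upstream, https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8` and `Bug-Debian: https://bugs.debian.org/1003027`) would let the security tracker and patch tooling link it.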
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2021-12-06 11:51:48.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2022-01-12 12:56:32.000000000 +0100
@@ -25,3 +25,4 @@
 CVE-2020-35730.patch
 CVE-2021-44025.patch
 CVE-2021-44026.patch
+CVE-2021-46144.patch

Attachment: signature.asc
Description: PGP signature
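The one-line escape in the patch above is easiest to see with the attribute reconstruction replayed on a crafted value. The following PHP is an added example written for this page, not roundcube's code: `wash_uri_stub`, `build_attr` and `count_attrs` are hypothetical stand-ins for the `wash_uri()` call and the attribute building seen in the hunk, and the payload string is constructed here.

```php
<?php
// Added example, not roundcube code. Replays the attribute reconstruction from
// the patched rcube_washtml.php line with the tail appended raw (pre-fix) and
// escaped (post-fix). Helper names are hypothetical stand-ins.

// Stand-in for rcube_washtml::wash_uri(): only http(s) URLs pass here.
function wash_uri_stub(string $uri): ?string
{
    return preg_match('#^https?://#i', $uri) ? $uri : null;
}

// Rebuild a url()-valued attribute the way the hunk does. $vulnerable = true
// reproduces the pre-fix concatenation, false the patched one.
function build_attr(string $name, string $value, bool $vulnerable): ?string
{
    // Same pattern as the hunk: "url(" optionally quoted target ")".
    if (!preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) {
        return null;
    }
    $url = wash_uri_stub($match[2]);
    if ($url === null) {
        return null;
    }
    // Whatever follows the url(...) token is copied into the same attribute.
    $tail = substr($value, strlen($match[0]));
    if (!$vulnerable) {
        $tail = htmlspecialchars($tail, ENT_QUOTES);   // the patched behaviour
    }
    return ' ' . $name . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')'
        . $tail . '"';
}

// Check: parse the rebuilt attribute inside a minimal SVG element and report
// how many attributes the XML parser actually sees. One is expected; more
// means the tail broke out of the attribute value.
function count_attrs(string $attrs): int
{
    $doc = new DOMDocument();
    $ok  = $doc->loadXML('<rect' . $attrs . '/>', LIBXML_NONET);
    return $ok ? $doc->documentElement->attributes->length : -1;
}

// Constructed input: a valid url() followed by a double quote that closes
// the attribute and smuggles an event-handler attribute after it.
$payload = 'url(https://example.com/a.png)" onload="alert(1)';

foreach (['before fix' => true, 'after fix' => false] as $label => $vulnerable) {
    $attr = build_attr('fill', $payload, $vulnerable);
    printf("%-11s %s  -> %d attribute(s)\n", $label . ':', $attr, count_attrs($attr));
}
```

With the constructed payload the pre-fix build hands the parser two attributes, `fill` and a smuggled `onload`, while the patched build yields a single `fill` attribute whose value merely contains `&quot;`. The same check is a cheap regression test to keep next to any sanitizer that rebuilds attribute strings by concatenation.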

