Hi, Trixie is ready [1]. debdiff attached. I've verified that the POCs the tracker mentions stop working (they did trigger before) in a Trixie VM.

[1] Of course the target suite needs to be adapted, depending on whether this will be a spu or a security upload.

salsa: https://salsa.debian.org/debian/sogo/-/tree/trixie?ref_type=heads

-- tobi

On Wed, Dec 24, 2025 at 01:40:06PM +0100, Tobias Frost wrote:
> Hi,
>
> I'm currently working (for LTS) on sogo, and for that I've just uploaded
> a fix for CVE-2025-63499 to DELAYED-2 for unstable.
>
> After that I'd go for trixie, additionally fixing CVE-2025-63498.
>
> (As the final target is providing fixes for LTS, I'll also tackle the
> open vulnerabilities for bookworm.)
>
> sogo is in dsa-needed.txt, trixie's CVEs are all triaged "vulnerable",
> bookworm's are mixed "no-dsa" and "vulnerable."
>
> As the next point releases are near too, I can also do a s-p-u, or
> prepare a security upload and then hand over to you (like we did for
> libpng)
>
> Please let me know how I should proceed..
>
> --
> happy holidays,
> tobi
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog 2025-07-25 11:26:33.000000000 +0200
+++ sogo-5.12.1/debian/changelog 2025-12-24 13:43:41.000000000 +0100
@@ -1,3 +1,11 @@
+sogo (5.12.1-3+deb13u1) trixie-UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2025-63498 - Cross Site Scripting (XSS)
+ * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
+
+ -- Tobias Frost <tobi@debian.org> Wed, 24 Dec 2025 13:43:41 +0100
+
sogo (5.12.1-3) unstable; urgency=medium
* Add upstream patch to fix freebusy calculation.
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63498.patch sogo-5.12.1/debian/patches/CVE-2025-63498.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63498.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63498.patch 2025-12-24 13:43:41.000000000 +0100
@@ -0,0 +1,54 @@
+Description: CVE-2025-63498 - Cross Site Scripting (XSS) via the "userName" parameter
+Origin: https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c
+Bug: https://github.com/xryptoh/CVE-2025-63498
+
+From 9e20190fad1a437f7e1307f0adcfe19a8d45184c Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Thu, 2 Oct 2025 13:37:56 +0200
+Subject: [PATCH] fix(login): Only remember the login if the auth was
+ successful
+
+---
+ UI/MainUI/SOGoRootPage.m | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
+index f3d54dd6fb..79533e42d1 100644
+--- a/UI/MainUI/SOGoRootPage.m
++++ b/UI/MainUI/SOGoRootPage.m
+@@ -274,7 +274,7 @@ - (WOResponse *) connectAction
+
+ SOGoPasswordPolicyError err;
+ int expire, grace;
+- BOOL rememberLogin, b;
++ BOOL rememberLogin, b, loginSuccess;
+
+ err = PolicyNoError;
+ expire = grace = -1;
+@@ -296,12 +296,14 @@ - (WOResponse *) connectAction
+ perr: &err expire: &expire grace: &grace additionalInfo: &additionalLoginInformations useCache: NO];
+ [self translateAdditionalLoginInformations: &additionalLoginInformations];
+
+- if (b
++ loginSuccess = b
+ && (err == PolicyNoError)
+ // no password policy
+ && ((expire < 0 && grace < 0) // no password policy or everything is alright
+ || (expire < 0 && grace > 0) // password expired, grace still permits login
+- || (expire >= 0 && grace == -1))) // password about to expire OR ppolicy activated and passwd never changed
++ || (expire >= 0 && grace == -1)); // password about to expire OR ppolicy activated and passwd never changed
++
++ if (loginSuccess)
+ {
+ NSMutableDictionary *json = [NSMutableDictionary dictionary];
+
+@@ -442,7 +444,8 @@ - (WOResponse *) connectAction
+ response = [self _responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations];
+ }
+
+- if (rememberLogin)
++ //Only remember login If the auth was succesful...
++ if (rememberLogin && loginSuccess)
+ [response addCookie: [self _cookieWithUsername: [params objectForKey: @"userName"]]];
+ else
+ [response addCookie: [self _cookieWithUsername: nil]];
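Review bot: The remember-me cookie written under the new condition `if (rememberLogin && loginSuccess)` still receives `[params objectForKey: @"userName"]` verbatim from the request, so the fix relies on a successful authentication having vetted the value rather than on encoding at the point where the cookie is later read back into the login page; as defense in depth that rendering site should HTML-escape the cookie value, which cannot be confirmed from this hunk. The check also depends on `loginSuccess` being neither reassigned nor bypassed by an early `return` across the roughly 150 lines between its assignment at `@@ -296` and the cookie block at `@@ -442`, none of which is visible here. `connectAction` begins before the first nested hunk and continues past the last one. The DEP-3 `Bug:` field points at a third-party proof-of-concept repository rather than an upstream bug tracker entry; if no upstream issue exists, moving that URL into `Description:` or a `Comment:` line keeps the header semantics accurate.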
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63499.patch sogo-5.12.1/debian/patches/CVE-2025-63499.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63499.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63499.patch 2025-12-24 13:40:41.000000000 +0100
@@ -0,0 +1,40 @@
+Description: CVE-2025-63499 - Reflected XSS Vulnerability
+Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
+Bug: https://github.com/poblaguev-tot/CVE-2025-63499
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
+
+From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Wed, 26 Nov 2025 13:22:38 +0100
+Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
+ theme query
+
+---
+ UI/SOGoUI/UIxComponent.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
+index a8658e772b..012d6edea7 100644
+--- a/UI/SOGoUI/UIxComponent.m
++++ b/UI/SOGoUI/UIxComponent.m
+@@ -395,14 +395,18 @@ - (NSString *) ownPath
+
+ - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
+ {
+- NSString *dst, *rel, *theme;
++ NSString *dst, *rel, *theme, *safeTheme;
+
+ dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
+ rel = [dst urlPathRelativeToPath:[self ownPath]];
+
+ theme = [[context request] formValueForKey: @"theme"];
+ if ([theme length])
+- rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ {
++ safeTheme = [theme stringWithoutHTMLInjection: YES];
++ if([safeTheme isEqualToString: theme])
++ rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ }
+
+ return rel;
+ }
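Review bot: The guard at `if([safeTheme isEqualToString: theme])` is a denylist check whose strength is exactly the coverage of `stringWithoutHTMLInjection:`, and the accepted value is then interpolated with `%@` into the query string without percent-encoding, so characters that survive the HTML filter but are significant in a URL (`&`, `#`, `%`) still pass through into `rel`. A positive check would be more robust and independent of the sanitizer, e.g. `NSCharacterSet *allowed = [[NSCharacterSet alphanumericCharacterSet] mutableCopy]; [(NSMutableCharacterSet *)allowed addCharactersInString: @"-_"]; if ([theme rangeOfCharacterFromSet: [allowed invertedSet]].location == NSNotFound)` — or a comparison against the configured theme names if such a list is available, which this hunk does not show. The sanitized `safeTheme` is only used for the comparison and then discarded, so an `// accept the theme only if sanitizing it changed nothing` comment would make the intent clearer to the next reader. Minor style: `if([safeTheme` drops the space after `if` that the surrounding code uses.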
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series 2025-07-25 11:24:14.000000000 +0200
+++ sogo-5.12.1/debian/patches/series 2025-12-24 13:43:41.000000000 +0100
@@ -15,3 +15,5 @@
upstream_password_regex.patch
upstream_fix_evaluation_freebusy.patch
upstream_use_openid_libcurl.patch
+CVE-2025-63499.patch
+CVE-2025-63498.patch