
Bug#685918: unblock: roundcube/0.7.2-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear release team,

Please unblock package roundcube

The upload fixes an XSS issue (CVE-2012-3508). I am attaching the
debdiff against the current package in testing.

unblock roundcube/0.7.2-4

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
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=aj71
-----END PGP SIGNATURE-----
diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog	2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/changelog	2012-08-26 14:21:48.000000000 +0200
@@ -1,3 +1,9 @@
+roundcube (0.7.2-4) unstable; urgency=high
+
+  * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 26 Aug 2012 14:20:24 +0200
+
 roundcube (0.7.2-3) unstable; urgency=low
 
   * Remove old Replaces/Breaks for roundcube-core since it is not needed
diff -Nru roundcube-0.7.2/debian/patches/cve-2012-3508.patch roundcube-0.7.2/debian/patches/cve-2012-3508.patch
--- roundcube-0.7.2/debian/patches/cve-2012-3508.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/cve-2012-3508.patch	2012-08-26 14:21:48.000000000 +0200
@@ -0,0 +1,126 @@
+Fix CVE-2012-3508. Self XSS with signature.
+See:
+ https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
+
+Index: roundcube/program/js/app.js.src
+===================================================================
+--- roundcube.orig/program/js/app.js.src	2012-04-28 10:26:30.133307979 +0200
++++ roundcube/program/js/app.js.src	2012-08-26 14:19:04.611476200 +0200
+@@ -3183,8 +3183,7 @@
+       input_message = $("[name='_message']"),
+       message = input_message.val(),
+       is_html = ($("input[name='_is_html']").val() == '1'),
+-      sig = this.env.identity,
+-      sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
++      sig = this.env.identity;
+ 
+     // enable manual signature insert
+     if (this.env.signatures && this.env.signatures[id]) {
+@@ -3197,25 +3196,18 @@
+     if (!is_html) {
+       // remove the 'old' signature
+       if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
+-
+-        sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
++        sig = this.env.signatures[sig].text;
+         sig = sig.replace(/\r\n/g, '\n');
+ 
+-        if (!sig.match(/^--[ -]\n/m))
+-          sig = sig_separator + '\n' + sig;
+-
+         p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
+         if (p >= 0)
+           message = message.substring(0, p) + message.substring(p+sig.length, message.length);
+       }
+       // add the new signature string
+       if (show_sig && this.env.signatures && this.env.signatures[id]) {
+-        sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
++        sig = this.env.signatures[id].text;
+         sig = sig.replace(/\r\n/g, '\n');
+ 
+-        if (!sig.match(/^--[ -]\n/m))
+-          sig = sig_separator + '\n' + sig;
+-
+         if (this.env.sig_above) {
+           if (p >= 0) { // in place of removed signature
+             message = message.substring(0, p) + sig + message.substring(p, message.length);
+@@ -3279,21 +3271,8 @@
+         }
+       }
+ 
+-      if (this.env.signatures[id]) {
+-        if (this.env.signatures[id].is_html) {
+-          sig = this.env.signatures[id].text;
+-          if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
+-            sig = sig_separator + '<br />' + sig;
+-        }
+-        else {
+-          sig = this.env.signatures[id].text;
+-          if (!sig.match(/^--[ -]\r?\n/m))
+-            sig = sig_separator + '\n' + sig;
+-          sig = '<pre>' + sig + '</pre>';
+-        }
+-
+-        sigElem.innerHTML = sig;
+-      }
++      if (this.env.signatures[id])
++        sigElem.innerHTML = this.env.signatures[id].html;
+     }
+ 
+     this.env.identity = id;
+Index: roundcube/program/steps/mail/compose.inc
+===================================================================
+--- roundcube.orig/program/steps/mail/compose.inc	2012-02-04 09:18:15.186795165 +0100
++++ roundcube/program/steps/mail/compose.inc	2012-08-26 14:19:04.615476279 +0200
+@@ -520,7 +520,7 @@
+ 
+ function rcmail_compose_header_from($attrib)
+ {
+-  global $MESSAGE, $OUTPUT;
++  global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
+ 
+   // pass the following attributes to the form class
+   $field_attrib = array('name' => '_from');
+@@ -531,6 +531,8 @@
+   if (count($MESSAGE->identities))
+   {
+     $a_signatures = array();
++    $separator    = $RCMAIL->config->get('sig_above')
++      && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
+ 
+     $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
+     $select_from = new html_select($field_attrib);
+@@ -544,13 +546,27 @@
+       // add signature to array
+       if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
+       {
+-        $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
+-        $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
+-        if ($a_signatures[$identity_id]['is_html'])
+-        {
+-            $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
+-            $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
++        $text = $html = $sql_arr['signature'];
++
++        if ($sql_arr['html_signature']) {
++            $h2t  = new html2text($sql_arr['signature'], false, false);
++            $text = trim($h2t->get_text());
++        }
++        else {
++            $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
++        }
++
++        if (!preg_match('/^--[ -]\r?\n/m', $text)) {
++            $text = $separator . "\n" . $text;
++            $html = $separator . "<br>" . $html;
+         }
++
++        if (!$sql_arr['html_signature']) {
++            $html = "<pre>" . $html . "</pre>";
++        }
++
++        $a_signatures[$identity_id]['text'] = $text;
++        $a_signatures[$identity_id]['html'] = $html;
+       }
+     }
+ 
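Review bot: In the compose.inc section, only the plain-signature branch escapes the value (`htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET)`); when `html_signature` is set, `$html` stays the stored signature verbatim, and app.js then assigns it with `sigElem.innerHTML = this.env.signatures[id].html`. That path is safe only if HTML signatures are sanitised when they are saved, which this patch does not show, so it is worth confirming and recording beside the assignment with a comment such as `// HTML signatures are emitted as stored; they must already be sanitised on save`. `ENT_NOQUOTES` is adequate here because the result is used as element content inside `<pre>`, but the `html` field should not be reused in an attribute context. Separately, the context line `empty($COMPOSE['param']['nosig'])` reads `$COMPOSE`, which is not in the visible `global` list, so the nosig check may always pass unless it is declared in the part of `rcmail_compose_header_from` that lies outside the hunk.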
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series	2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/patches/series	2012-08-26 14:21:48.000000000 +0200
@@ -6,3 +6,4 @@
 default-charset-utf8.patch
 debianize_password_plugin.patch
 use-debian-jquery-ui.patch
+cve-2012-3508.patch
