
Bug#685918: marked as done (unblock: roundcube/0.7.2-4)



Your message dated Fri, 31 Aug 2012 21:58:50 +0100
with message-id <1346446730.7606.33.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#685918: unblock: roundcube/0.7.2-4
has caused the Debian Bug report #685918,
regarding unblock: roundcube/0.7.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
685918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685918
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear release team,

Please unblock package roundcube

The upload fixes an XSS issue (CVE-2012-3508). I am attaching the
debdiff against the current package in testing.

unblock roundcube/0.7.2-4

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog	2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/changelog	2012-08-26 14:21:48.000000000 +0200
@@ -1,3 +1,9 @@
+roundcube (0.7.2-4) unstable; urgency=high
+
+  * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 26 Aug 2012 14:20:24 +0200
+
 roundcube (0.7.2-3) unstable; urgency=low
 
   * Remove old Replaces/Breaks for roundcube-core since it is not needed
diff -Nru roundcube-0.7.2/debian/patches/cve-2012-3508.patch roundcube-0.7.2/debian/patches/cve-2012-3508.patch
--- roundcube-0.7.2/debian/patches/cve-2012-3508.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/cve-2012-3508.patch	2012-08-26 14:21:48.000000000 +0200
@@ -0,0 +1,126 @@
+Fix CVE-2012-3508. Self XSS with signature.
+See:
+ https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
+
+Index: roundcube/program/js/app.js.src
+===================================================================
+--- roundcube.orig/program/js/app.js.src	2012-04-28 10:26:30.133307979 +0200
++++ roundcube/program/js/app.js.src	2012-08-26 14:19:04.611476200 +0200
+@@ -3183,8 +3183,7 @@
+       input_message = $("[name='_message']"),
+       message = input_message.val(),
+       is_html = ($("input[name='_is_html']").val() == '1'),
+-      sig = this.env.identity,
+-      sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
++      sig = this.env.identity;
+ 
+     // enable manual signature insert
+     if (this.env.signatures && this.env.signatures[id]) {
+@@ -3197,25 +3196,18 @@
+     if (!is_html) {
+       // remove the 'old' signature
+       if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
+-
+-        sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
++        sig = this.env.signatures[sig].text;
+         sig = sig.replace(/\r\n/g, '\n');
+ 
+-        if (!sig.match(/^--[ -]\n/m))
+-          sig = sig_separator + '\n' + sig;
+-
+         p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
+         if (p >= 0)
+           message = message.substring(0, p) + message.substring(p+sig.length, message.length);
+       }
+       // add the new signature string
+       if (show_sig && this.env.signatures && this.env.signatures[id]) {
+-        sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
++        sig = this.env.signatures[id].text;
+         sig = sig.replace(/\r\n/g, '\n');
+ 
+-        if (!sig.match(/^--[ -]\n/m))
+-          sig = sig_separator + '\n' + sig;
+-
+         if (this.env.sig_above) {
+           if (p >= 0) { // in place of removed signature
+             message = message.substring(0, p) + sig + message.substring(p, message.length);
+@@ -3279,21 +3271,8 @@
+         }
+       }
+ 
+-      if (this.env.signatures[id]) {
+-        if (this.env.signatures[id].is_html) {
+-          sig = this.env.signatures[id].text;
+-          if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
+-            sig = sig_separator + '<br />' + sig;
+-        }
+-        else {
+-          sig = this.env.signatures[id].text;
+-          if (!sig.match(/^--[ -]\r?\n/m))
+-            sig = sig_separator + '\n' + sig;
+-          sig = '<pre>' + sig + '</pre>';
+-        }
+-
+-        sigElem.innerHTML = sig;
+-      }
++      if (this.env.signatures[id])
++        sigElem.innerHTML = this.env.signatures[id].html;
+     }
+ 
+     this.env.identity = id;
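Review bot: `sigElem.innerHTML = this.env.signatures[id].html;` still writes to an innerHTML sink, so with the `is_html` branch removed the client can no longer tell a plain signature from an HTML one and the encoding is entirely the server's responsibility. Any code path that fills `env.signatures` without a correctly encoded `html` field would bring the XSS back. A short comment at this assignment stating that `html` must arrive already encoded from `rcmail_compose_header_from()` would make that contract explicit.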
+Index: roundcube/program/steps/mail/compose.inc
+===================================================================
+--- roundcube.orig/program/steps/mail/compose.inc	2012-02-04 09:18:15.186795165 +0100
++++ roundcube/program/steps/mail/compose.inc	2012-08-26 14:19:04.615476279 +0200
+@@ -520,7 +520,7 @@
+ 
+ function rcmail_compose_header_from($attrib)
+ {
+-  global $MESSAGE, $OUTPUT;
++  global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
+ 
+   // pass the following attributes to the form class
+   $field_attrib = array('name' => '_from');
+@@ -531,6 +531,8 @@
+   if (count($MESSAGE->identities))
+   {
+     $a_signatures = array();
++    $separator    = $RCMAIL->config->get('sig_above')
++      && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
+ 
+     $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
+     $select_from = new html_select($field_attrib);
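Review bot: The `$separator` assignment depends on `&&` binding tighter than `?:`, which is correct but easy to misread across the line break; wrapping the whole condition in parentheses before `? '---' : '-- '` would remove the doubt. It also reads `$compose_mode` through `global`, so an unset value silently selects `'-- '`; it is worth confirming the variable is always assigned before this function runs.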
+@@ -544,13 +546,27 @@
+       // add signature to array
+       if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
+       {
+-        $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
+-        $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
+-        if ($a_signatures[$identity_id]['is_html'])
+-        {
+-            $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
+-            $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
++        $text = $html = $sql_arr['signature'];
++
++        if ($sql_arr['html_signature']) {
++            $h2t  = new html2text($sql_arr['signature'], false, false);
++            $text = trim($h2t->get_text());
++        }
++        else {
++            $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
++        }
++
++        if (!preg_match('/^--[ -]\r?\n/m', $text)) {
++            $text = $separator . "\n" . $text;
++            $html = $separator . "<br>" . $html;
+         }
++
++        if (!$sql_arr['html_signature']) {
++            $html = "<pre>" . $html . "</pre>";
++        }
++
++        $a_signatures[$identity_id]['text'] = $text;
++        $a_signatures[$identity_id]['html'] = $html;
+       }
+     }
+ 
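Review bot: `htmlentities()` is applied only in the `else` branch, so when `html_signature` is set `$html` remains the stored signature as-is and reaches `innerHTML` on the client unchanged. That matches the changelog's scope ("plain signatures"), but a comment saying where HTML signatures are sanitized would help the next reader. `ENT_NOQUOTES` also leaves quotes unencoded, which is fine for the `<pre>` element content built here but would not be safe if `$a_signatures[...]['html']` were ever placed in an attribute; either note that or use `ENT_QUOTES`.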
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series	2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/patches/series	2012-08-26 14:21:48.000000000 +0200
@@ -6,3 +6,4 @@
 default-charset-utf8.patch
 debianize_password_plugin.patch
 use-debian-jquery-ui.patch
+cve-2012-3508.patch

--- End Message ---
--- Begin Message ---
On Sun, 2012-08-26 at 15:05 +0200, Vincent Bernat wrote:
> Please unblock package roundcube
> 
> The upload fixes an XSS issue (CVE-2012-3508). I am attaching the
> debdiff against the current package in testing.

Unblocked; thanks.

Regards,

Adam

--- End Message ---