
Bug#964456: stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

In a recent post roundcube webmail upstream has announced the following
security fix:

    CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML messages
    with malicious svg/namespace.

This is tracked as #964355.  The security team gave the green light for
an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested
to target old-p-u for stretch.   stretch currently has 1.2.3+dfsg.1-4+deb9u3
while stretch-security and stretch-pu have 1.2.3+dfsg.1-4+deb9u5.  Both
debdiffs attached.

unblock roundcube/1.2.3+dfsg.1-4+deb9u6
cheers
-- 
Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog                    |    8 ++++++++
 patches/CVE-2020-15562.patch |   33 +++++++++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 42 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2020-07-06 16:14:59.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+  * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+    vulnerability via HTML messages with malicious svg/namespace
+    (Closes: #964355)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 06 Jul 2020 16:14:59 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
 
   * Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch	2020-07-06 16:14:59.000000000 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec@alec.pl>
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+                         $xpath = new DOMXPath($node->ownerDocument);
+                         foreach ($xpath->query('namespace::*') as $ns) {
+                             if ($ns->nodeName != 'xmlns:xml') {
+-                                $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
++                                $dump .= sprintf(' %s="%s"',
++                                    $ns->nodeName,
++                                    htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
++                                );
+                             }
+                         }
+                     }
+@@ -507,7 +510,7 @@ class rcube_washtml
+         $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+ 
+         // SVG need to be parsed as XML
+-        $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
++        $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
+         $method       = $this->is_xml ? 'loadXML' : 'loadHTML';
+         $options      = 0;
+ 
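Review bot: the patch file carries only the git `From:`/`Subject:` header and no DEP-3 `Origin:` or `Bug-Debian:` line; adding `Origin: upstream, f3d1566cf223eb04f47b6dfffcd88753f66c36ee` and `Bug-Debian: https://bugs.debian.org/964355` would let the tracker tie the backport to its source. Two points in the embedded hunks are worth a look before upload: the first hunk passes `$this->config['charset']` to `htmlspecialchars()`, so it should be confirmed that the 1.2.3 `rcube_washtml` populates that key (an unset key would make the escaping fall back to the default charset); and the second hunk changes parser selection, not just escaping (`!preg_match('/<(html|head|body)/i', $html)` now routes input containing `<head>` or `<body>` together with `<svg>` through `loadHTML` instead of `loadXML`), which is a behaviour change that deserves a mention in the changelog entry or patch description.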
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2020-07-06 16:14:59.000000000 +0200
@@ -20,3 +20,4 @@
 CVE-2020-12626.patch
 CVE-2020-13964.patch
 CVE-2020-13965.patch
+CVE-2020-15562.patch
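Review bot: the new patch is appended last, so it is applied on top of the CVE-2020-12626/13964/13965 patches; since its `@@ -445,7 +445,10 @@` and `@@ -507,7 +510,7 @@` offsets come from the newer upstream tree, a `quilt push -a` (or a source build) against the stretch package should confirm both `rcube_washtml.php` hunks apply without fuzz, and the patch refreshed if they do not.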