
Bug#964456: marked as done (stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6)



Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964456,
regarding stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964456
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

In a recent post, roundcube webmail upstream announced the following
security fix:

    CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML messages
    with malicious svg/namespace.

This is tracked as #964355.  The security team gave the green light for
an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested
targeting old-p-u for stretch.  stretch currently has 1.2.3+dfsg.1-4+deb9u3
while stretch-security and stretch-pu have 1.2.3+dfsg.1-4+deb9u5.  Both
debdiffs attached.

unblock roundcube/1.2.3+dfsg.1-4+deb9u6
cheers
-- 
Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog                    |    8 ++++++++
 patches/CVE-2020-15562.patch |   33 +++++++++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 42 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2020-07-06 16:14:59.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+  * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+    vulnerability via HTML messages with malicious svg/namespace
+    (Closes: #964355)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 06 Jul 2020 16:14:59 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
 
   * Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch	2020-07-06 16:14:59.000000000 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec@alec.pl>
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+                         $xpath = new DOMXPath($node->ownerDocument);
+                         foreach ($xpath->query('namespace::*') as $ns) {
+                             if ($ns->nodeName != 'xmlns:xml') {
+-                                $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
++                                $dump .= sprintf(' %s="%s"',
++                                    $ns->nodeName,
++                                    htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
++                                );
+                             }
+                         }
+                     }
+@@ -507,7 +510,7 @@ class rcube_washtml
+         $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+ 
+         // SVG need to be parsed as XML
+-        $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
++        $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
+         $method       = $this->is_xml ? 'loadXML' : 'loadHTML';
+         $options      = 0;
+ 
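Review bot: the escaping added in the first nested hunk (`htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])`) covers the attribute value, which is the injection point the commit subject describes, but the prefix in `$ns->nodeName` is still emitted raw; that is only acceptable because the XML parser constrains a namespace prefix to NCName characters, and a one-line comment saying so would save the next reader the same analysis. Two things to confirm for the stretch backport: that `$this->config['charset']` is always populated in the 1.2.3 version of `rcube_washtml`, since the hunk passes it straight through as the encoding argument; and that the regex `/<(html|head|body)/i` in the second nested hunk is deliberately unanchored, so a tag such as `<header>` also forces `loadHTML` (that errs toward the HTML path, which is the safe direction, but is worth a comment). For DEP-3 traceability, consider adding `Bug-Debian: https://bugs.debian.org/964355` and an `Origin:` line naming upstream commit f3d1566cf223eb04f47b6dfffcd88753f66c36ee to the patch header.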
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2020-07-06 16:14:59.000000000 +0200
@@ -20,3 +20,4 @@
 CVE-2020-12626.patch
 CVE-2020-13964.patch
 CVE-2020-13965.patch
+CVE-2020-15562.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---