Bug#1124367: trixie-pu: package sogo/5.12.1-3+deb13u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1124367: trixie-pu: package sogo/5.12.1-3+deb13u1
From: Tobias Frost <tobi@debian.org>
Date: Wed, 31 Dec 2025 11:43:59 +0100
Message-id: <[🔎] aVT-b5_pd8VaFWZt@frost.de>
Reply-to: Tobias Frost <tobi@debian.org>, 1124367@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: sogo@packages.debian.org, team@security.debian.org
Control: affects -1 + src:sogo
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]

This s-p-u fixes CVE-2025-63498 and CVE-2025-63499, two XSS
vulnerabilities.
The plan is to fix sogos vulnerabilities in all the releases, also LTS,
being stable the first step.
Fixing
  * CVE-2025-63498 - Cross Site Scripting (XSS)
  * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)

[ Tests ]
I've verified that the POCs the tracker mentions stops working (they did
trigger before) in a Trixie VM.


[ Risks ]
Patch is cherry-picked from upstream are small and quite straight
forward. See the dep3 headers for pointers to the upstream changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]

The Security team gave their OK for this upload as s-p-u.

I'll upload the changes after this mail has been sent.

-- 
tobi

diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog	2025-07-25 11:26:33.000000000 +0200
+++ sogo-5.12.1/debian/changelog	2025-12-31 11:33:39.000000000 +0100
@@ -1,3 +1,11 @@
+sogo (5.12.1-3+deb13u1) trixie; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2025-63498 - Cross Site Scripting (XSS)
+  * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
+
+ -- Tobias Frost <tobi@debian.org>  Wed, 31 Dec 2025 11:33:39 +0100
+
 sogo (5.12.1-3) unstable; urgency=medium
 
   * Add upstream patch to fix freebusy calculation.
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63498.patch sogo-5.12.1/debian/patches/CVE-2025-63498.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63498.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63498.patch	2025-12-31 10:20:54.000000000 +0100
@@ -0,0 +1,54 @@
+Description: CVE-2025-63498 - Cross Site Scripting (XSS) via the "userName" parameter
+Origin: https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c
+Bug: https://github.com/xryptoh/CVE-2025-63498
+
+From 9e20190fad1a437f7e1307f0adcfe19a8d45184c Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Thu, 2 Oct 2025 13:37:56 +0200
+Subject: [PATCH] fix(login): Only remember the login if the auth was
+ successful
+
+---
+ UI/MainUI/SOGoRootPage.m | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
+index f3d54dd6fb..79533e42d1 100644
+--- a/UI/MainUI/SOGoRootPage.m
++++ b/UI/MainUI/SOGoRootPage.m
+@@ -274,7 +274,7 @@ - (WOResponse *) connectAction
+ 
+   SOGoPasswordPolicyError err;
+   int expire, grace;
+-  BOOL rememberLogin, b;
++  BOOL rememberLogin, b, loginSuccess;
+ 
+   err = PolicyNoError;
+   expire = grace = -1;
+@@ -296,12 +296,14 @@ - (WOResponse *) connectAction
+ 		 perr: &err expire: &expire grace: &grace additionalInfo: &additionalLoginInformations useCache: NO];
+   [self translateAdditionalLoginInformations: &additionalLoginInformations];
+ 
+-  if (b
++  loginSuccess = b
+       && (err == PolicyNoError)
+       // no password policy
+       && ((expire < 0 && grace < 0)     // no password policy or everything is alright
+       || (expire < 0 && grace > 0)      // password expired, grace still permits login
+-      || (expire >= 0 && grace == -1))) // password about to expire OR ppolicy activated and passwd never changed
++      || (expire >= 0 && grace == -1)); // password about to expire OR ppolicy activated and passwd never changed
++
++  if (loginSuccess) 
+     {
+       NSMutableDictionary *json = [NSMutableDictionary dictionary];
+ 
+@@ -442,7 +444,8 @@ - (WOResponse *) connectAction
+       response = [self _responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations];
+     }
+ 
+-  if (rememberLogin)
++  //Only remember login If the auth was succesful...
++  if (rememberLogin && loginSuccess)
+     [response addCookie: [self _cookieWithUsername: [params objectForKey: @"userName"]]];
+   else
+     [response addCookie: [self _cookieWithUsername: nil]];
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63499.patch sogo-5.12.1/debian/patches/CVE-2025-63499.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63499.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63499.patch	2025-12-25 11:52:09.000000000 +0100
@@ -0,0 +1,40 @@
+Description: CVE-2025-63499 - Reflected XSS Vulnerability
+Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
+Bug: https://github.com/poblaguev-tot/CVE-2025-63499
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
+
+From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Wed, 26 Nov 2025 13:22:38 +0100
+Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
+ theme query
+
+---
+ UI/SOGoUI/UIxComponent.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
+index a8658e772b..012d6edea7 100644
+--- a/UI/SOGoUI/UIxComponent.m
++++ b/UI/SOGoUI/UIxComponent.m
+@@ -395,14 +395,18 @@ - (NSString *) ownPath
+ 
+ - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
+ {
+-  NSString *dst, *rel, *theme;
++  NSString *dst, *rel, *theme, *safeTheme;
+ 
+   dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
+   rel = [dst urlPathRelativeToPath:[self ownPath]];
+ 
+   theme = [[context request] formValueForKey: @"theme"];
+   if ([theme length])
+-    rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++  {
++    safeTheme = [theme stringWithoutHTMLInjection: YES];
++    if([safeTheme isEqualToString: theme])
++      rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++  }
+ 
+   return rel;
+ }
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series	2025-07-25 11:24:14.000000000 +0200
+++ sogo-5.12.1/debian/patches/series	2025-12-31 10:20:54.000000000 +0100
@@ -15,3 +15,5 @@
 upstream_password_regex.patch
 upstream_fix_evaluation_freebusy.patch
 upstream_use_openid_libcurl.patch
+CVE-2025-63499.patch
+CVE-2025-63498.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Processed: trixie-pu: package sogo/5.12.1-3+deb13u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1124367: trixie-pu: package sogo/5.12.1-3+deb13u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Processed: trixie-pu: package sogo/5.12.1-3+deb13u1
Next by Date: Bug#1123577: marked as done (nmu: mesa_25.2.8-2: +b3 on !amd64)
Previous by thread: Processed: Re: Updated PU for imagemagick
Next by thread: Processed: trixie-pu: package sogo/5.12.1-3+deb13u1
Index(es):
- Date
- Thread