
Bug#1124367: marked as done (trixie-pu: package sogo/5.12.1-3+deb13u1)



Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004RhZ-44Jc@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1124367,
regarding trixie-pu: package sogo/5.12.1-3+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1124367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124367
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: sogo@packages.debian.org, team@security.debian.org
Control: affects -1 + src:sogo
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]

This s-p-u fixes CVE-2025-63498 and CVE-2025-63499, two XSS
vulnerabilities.
The plan is to fix sogo's vulnerabilities in all the releases, also LTS,
stable being the first step.
Fixing
  * CVE-2025-63498 - Cross Site Scripting (XSS)
  * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)

[ Tests ]
I've verified that the POCs the tracker mentions stop working (they did
trigger before) in a Trixie VM.


[ Risks ]
The patches are cherry-picked from upstream, are small and quite
straightforward. See the DEP-3 headers for pointers to the upstream changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]

The Security team gave their OK for this upload as s-p-u.

I'll upload the changes after this mail has been sent.

-- 
tobi
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog	2025-07-25 11:26:33.000000000 +0200
+++ sogo-5.12.1/debian/changelog	2025-12-31 11:33:39.000000000 +0100
@@ -1,3 +1,11 @@
+sogo (5.12.1-3+deb13u1) trixie; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2025-63498 - Cross Site Scripting (XSS)
+  * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
+
+ -- Tobias Frost <tobi@debian.org>  Wed, 31 Dec 2025 11:33:39 +0100
+
 sogo (5.12.1-3) unstable; urgency=medium
 
   * Add upstream patch to fix freebusy calculation.
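Review bot: the two CVE entries in this changelog hunk name only the vulnerability class ("Cross Site Scripting (XSS)"), while the DEP-3 headers of the patches in the same debdiff identify the affected inputs (the login "userName" parameter and the "theme" query parameter); carrying that detail into the changelog, e.g. `* CVE-2025-63499 - Reflected XSS via the "theme" query parameter (Closes: #1121952)`, lets administrators reading `apt changelog sogo` judge their exposure without opening the patches.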
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63498.patch sogo-5.12.1/debian/patches/CVE-2025-63498.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63498.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63498.patch	2025-12-31 10:20:54.000000000 +0100
@@ -0,0 +1,54 @@
+Description: CVE-2025-63498 - Cross Site Scripting (XSS) via the "userName" parameter
+Origin: https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c
+Bug: https://github.com/xryptoh/CVE-2025-63498
+
+From 9e20190fad1a437f7e1307f0adcfe19a8d45184c Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Thu, 2 Oct 2025 13:37:56 +0200
+Subject: [PATCH] fix(login): Only remember the login if the auth was
+ successful
+
+---
+ UI/MainUI/SOGoRootPage.m | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
+index f3d54dd6fb..79533e42d1 100644
+--- a/UI/MainUI/SOGoRootPage.m
++++ b/UI/MainUI/SOGoRootPage.m
+@@ -274,7 +274,7 @@ - (WOResponse *) connectAction
+ 
+   SOGoPasswordPolicyError err;
+   int expire, grace;
+-  BOOL rememberLogin, b;
++  BOOL rememberLogin, b, loginSuccess;
+ 
+   err = PolicyNoError;
+   expire = grace = -1;
+@@ -296,12 +296,14 @@ - (WOResponse *) connectAction
+ 		 perr: &err expire: &expire grace: &grace additionalInfo: &additionalLoginInformations useCache: NO];
+   [self translateAdditionalLoginInformations: &additionalLoginInformations];
+ 
+-  if (b
++  loginSuccess = b
+       && (err == PolicyNoError)
+       // no password policy
+       && ((expire < 0 && grace < 0)     // no password policy or everything is alright
+       || (expire < 0 && grace > 0)      // password expired, grace still permits login
+-      || (expire >= 0 && grace == -1))) // password about to expire OR ppolicy activated and passwd never changed
++      || (expire >= 0 && grace == -1)); // password about to expire OR ppolicy activated and passwd never changed
++
++  if (loginSuccess) 
+     {
+       NSMutableDictionary *json = [NSMutableDictionary dictionary];
+ 
+@@ -442,7 +444,8 @@ - (WOResponse *) connectAction
+       response = [self _responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations];
+     }
+ 
+-  if (rememberLogin)
++  //Only remember login If the auth was succesful...
++  if (rememberLogin && loginSuccess)
+     [response addCookie: [self _cookieWithUsername: [params objectForKey: @"userName"]]];
+   else
+     [response addCookie: [self _cookieWithUsername: nil]];
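Review bot: the DEP-3 `Description:` line ("XSS via the "userName" parameter") does not say what the fix actually relies on: the `@@ -442,7` hunk never escapes the cookie value, it gates it on `loginSuccess`, so `[params objectForKey: @"userName"]` is still written verbatim to the cookie after a successful login, and the change is sound only because that value then had to authenticate against the backend; the header would be clearer if it said the fix stops reflecting the submitted username into the cookie on failed logins. Two style nits in that hunk: the new comment `//Only remember login If the auth was succesful...` misspells "successful" and has no space after `//`, and the `+  if (loginSuccess) ` line in the `@@ -296,12` hunk carries trailing whitespace.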
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63499.patch sogo-5.12.1/debian/patches/CVE-2025-63499.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63499.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63499.patch	2025-12-25 11:52:09.000000000 +0100
@@ -0,0 +1,40 @@
+Description: CVE-2025-63499 - Reflected XSS Vulnerability
+Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
+Bug: https://github.com/poblaguev-tot/CVE-2025-63499
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
+
+From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Wed, 26 Nov 2025 13:22:38 +0100
+Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
+ theme query
+
+---
+ UI/SOGoUI/UIxComponent.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
+index a8658e772b..012d6edea7 100644
+--- a/UI/SOGoUI/UIxComponent.m
++++ b/UI/SOGoUI/UIxComponent.m
+@@ -395,14 +395,18 @@ - (NSString *) ownPath
+ 
+ - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
+ {
+-  NSString *dst, *rel, *theme;
++  NSString *dst, *rel, *theme, *safeTheme;
+ 
+   dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
+   rel = [dst urlPathRelativeToPath:[self ownPath]];
+ 
+   theme = [[context request] formValueForKey: @"theme"];
+   if ([theme length])
+-    rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++  {
++    safeTheme = [theme stringWithoutHTMLInjection: YES];
++    if([safeTheme isEqualToString: theme])
++      rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++  }
+ 
+   return rel;
+ }
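Review bot: in the `@@ -395,14` hunk a rejected value is dropped silently: when `stringWithoutHTMLInjection:` alters `theme`, `rel` is returned without any `?theme=` suffix and nothing is logged, which is the right outcome for the request but leaves operators no trace of probing; a debug-level log line recording that a theme value was rejected (without echoing the raw value) would help detection. The reject-if-changed comparison also still interpolates `theme` into the URL with `%@` unencoded, so validating it against the set of installed theme names would be a tighter allowlist than a character filter. Style: the new `{` block is not indented under its `if` the way `    {` is in the other patch in this debdiff, and `if([safeTheme` lacks the space before the parenthesis that `if ([theme length])` uses two lines above.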
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series	2025-07-25 11:24:14.000000000 +0200
+++ sogo-5.12.1/debian/patches/series	2025-12-31 10:20:54.000000000 +0100
@@ -15,3 +15,5 @@
 upstream_password_regex.patch
 upstream_fix_evaluation_freebusy.patch
 upstream_use_openid_libcurl.patch
+CVE-2025-63499.patch
+CVE-2025-63498.patch
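Review bot: the two new series entries are in descending CVE order (63499 before 63498); since the patches touch different files the order does not affect applying them, but listing them in ascending order would match the changelog and make future rebases easier to follow.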

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---
