roundcube: CVE-2012-3508

Related Vulnerabilities: CVE-2012-3508  

Debian Bug report logs - #685475
roundcube: CVE-2012-3508

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 21 Aug 2012 05:57:05 UTC

Severity: grave

Tags: security

Fixed in version roundcube/0.7.2-4

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#685475; Package roundcube. (Tue, 21 Aug 2012 05:57:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 21 Aug 2012 05:57:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: CVE-2012-3508
Date: Tue, 21 Aug 2012 07:51:42 +0200
Package: roundcube
Severity: grave
Tags: security
Justification: user security hole

This was reported on the oss-sec mailing list:

Cheers,
        Moritz
--

> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).

--



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#685475; Package roundcube. (Sun, 26 Aug 2012 12:45:03 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sun, 26 Aug 2012 12:45:03 GMT)


Message #10 received at 685475@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 685475@bugs.debian.org
Subject: Re: Bug#685475: roundcube: CVE-2012-3508
Date: Sun, 26 Aug 2012 14:34:30 +0200

 ❦ 21 August 2012 07:51 CEST, Moritz Muehlenhoff <jmm@inutil.org>:

> Package: roundcube
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was reported on the oss-sec mailing list:
>
> Cheers,
>         Moritz
> --
>
>> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>>
>> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>>
>> Upon code review doesn't seem to affect rcmail we ship in Fedora /
>> EPEL -> haven't filed RH bug for it. Could you double-check and
>> confirm that?,
>>
>> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>>
>> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>>
>> The 'program/js/app.js' rcube_webmail() upstream change from the
>> patch above seems to be applicable to Fedora / EPEL rcmail
>> versions. Thus I have filed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>>
>> to track this. But not sure whole 'Self XSS in e-mail body
>> (Signature).' upstream patch would apply with its logic to 0.7.x
>> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>>
>> Therefore this needs review by someone more familiar with
>> rcube_webmail() routine code to decide if apply that patch or not.
>> Could you do that?
>
> Please use CVE-2012-3508 for these two issues (same version, same type
> of vuln so cve merge).

Hi Moritz!

The version currently in stable (0.3) is not affected by either of the
bugs (I was unable to reproduce them). The version in testing is
affected by the latter bug but not by the first. I am doing an upload
about it shortly.
-- 
panic("bad_user_access_length executed (not cool, dude)");
        2.0.38 /usr/src/linux/kernel/panic.c

Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sun, 26 Aug 2012 12:51:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 26 Aug 2012 12:51:03 GMT)


Message #15 received at 685475-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 685475-close@bugs.debian.org
Subject: Bug#685475: fixed in roundcube 0.7.2-4
Date: Sun, 26 Aug 2012 12:48:26 +0000
Source: roundcube
Source-Version: 0.7.2-4

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Aug 2012 14:20:24 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-sqlite roundcube-mysql roundcube-pgsql roundcube-plugins
Architecture: source all
Version: 0.7.2-4
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite - transitional dummy package
Closes: 685475
Changes: 
 roundcube (0.7.2-4) unstable; urgency=high
 .
   * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlA6F/kACgkQKFvXofIqeU5l1ACfSrGyhTUFpz+hekBiMZt7Jvbl
yJEAoJ2Dgl19I+UlaPXgUNkZb0pIrAeN
=WV7E
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#685475; Package roundcube. (Mon, 27 Aug 2012 06:39:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 27 Aug 2012 06:39:03 GMT)


Message #20 received at 685475@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Vincent Bernat <bernat@debian.org>
Cc: 685475@bugs.debian.org
Subject: Re: Bug#685475: roundcube: CVE-2012-3508
Date: Mon, 27 Aug 2012 08:34:52 +0200

On Sun, Aug 26, 2012 at 02:34:30PM +0200, Vincent Bernat wrote:
>  ❦ 21 August 2012 07:51 CEST, Moritz Muehlenhoff <jmm@inutil.org>:
> Hi Moritz!
> 
> The version currently in stable (0.3) is not affected by either of the
> bugs (I was unable to reproduce them). The version in testing is
> affected by the latter bug but not by the first. I am doing an upload
> about it shortly.

Thanks, I've updated the Security Tracker.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:16:51 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:11:15 2019; Machine Name: beach
