Debian Bug report logs - #685475
roundcube: CVE-2012-3508
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 21 Aug 2012 05:57:05 UTC
Severity: grave
Tags: security
Fixed in version roundcube/0.7.2-4
Done: Vincent Bernat <bernat@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#685475; Package roundcube. (Tue, 21 Aug 2012 05:57:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 21 Aug 2012 05:57:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: roundcube
Severity: grave
Tags: security
Justification: user security hole
This was reported on the oss-sec mailing list:
Cheers,
Moritz
--
> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?
Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).
--
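The second issue in the quoted report, a plain-text signature being rendered as live HTML in the compose body (the "self XSS with plain signatures" that the Debian 0.7.2-4 upload in this log addresses), is an instance of a general pattern: text that should be displayed verbatim is concatenated into HTML without escaping, so whatever markup is stored in the signature preference executes in the user's own session. The JavaScript below is an added illustration of that pattern and of the usual fix (escape, then add line breaks); it is not code from Roundcube, from the upstream commits, or from this bug report. The function names and the sample signature are constructed for the example; the real change, per the report, lives in program/js/app.js rcube_webmail().

```javascript
// Added illustration of the vulnerability class behind CVE-2012-3508 issue 2b
// (plain-text signature inserted into an HTML compose body as live markup).
// NOT Roundcube's code: all names and the sample signature below are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag, close a tag, or break out of
// an attribute value. Order matters only in that '&' is handled in the same
// pass as the others, so already-escaped text is not double-escaped here.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: treat the plain-text signature as HTML and only convert
// newlines. Any tag typed or pasted into the signature field is rendered live
// when the compose window opens (self-XSS: the victim is the account owner).
function plainSignatureToHtmlUnsafe(signature) {
  return signature.replace(/\r?\n/g, '<br>\n');
}

// Hardened pattern: escape first, then insert line breaks. The signature text
// is shown verbatim and cannot introduce elements or event handlers; the only
// markup in the result is the <br> this function adds itself.
function plainSignatureToHtmlSafe(signature) {
  return escapeHtml(signature).replace(/\r?\n/g, '<br>\n');
}

// Regression check: after removing the <br> we inserted ourselves, is there any
// tag opener left in the produced HTML? Used by the test, not by the fix.
function containsTags(html) {
  const withoutBr = html.replace(/<br>/g, '');
  return /<[a-zA-Z!/]/.test(withoutBr);
}

// Constructed sample: a signature whose owner pasted (or was talked into
// pasting) markup into the plain-text signature preference.
const SAMPLE_SIGNATURE =
  'Best regards,\nAlice <alice@example.com>\n<img src=x onerror=alert(document.cookie)>';

// Run both conversions on the sample so the difference is inspectable.
function demo() {
  const unsafe = plainSignatureToHtmlUnsafe(SAMPLE_SIGNATURE);
  const safe = plainSignatureToHtmlSafe(SAMPLE_SIGNATURE);
  return {
    unsafe,
    safe,
    unsafeHasTags: containsTags(unsafe), // true: <img ... onerror=...> survives
    safeHasTags: containsTags(safe),     // false: rendered as &lt;img ...&gt;
  };
}

const RESULT = demo();
```

The escape-then-format order is the whole fix: running the newline-to-`<br>` step first and escaping afterwards would turn the inserted `<br>` into visible text, which is why code that has to produce a mix of user text and its own markup must escape the user text before any markup is added, never after.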
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#685475; Package roundcube. (Sun, 26 Aug 2012 12:45:03 GMT)
Acknowledgement sent to Vincent Bernat <bernat@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sun, 26 Aug 2012 12:45:03 GMT)
Message #10 received at 685475@bugs.debian.org:
❦ 21 August 2012 07:51 CEST, Moritz Muehlenhoff <jmm@inutil.org>:
> Package: roundcube
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was reported on the oss-sec mailing list:
>
> Cheers,
> Moritz
> --
>
>> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>>
>> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>>
>> Upon code review doesn't seem to affect rcmail we ship in Fedora /
>> EPEL -> haven't filed RH bug for it. Could you double-check and
>> confirm that?,
>>
>> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>>
>> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>>
>> The 'program/js/app.js' rcube_webmail() upstream change from the
>> patch above seems to be applicable to Fedora / EPEL rcmail
>> versions. Thus I have filed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>>
>> to track this. But not sure whole 'Self XSS in e-mail body
>> (Signature).' upstream patch would apply with its logic to 0.7.x
>> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>>
>> Therefore this needs review by someone more familiar with
>> rcube_webmail() routine code to decide if apply that patch or not.
>> Could you do that?
>
> Please use CVE-2012-3508 for these two issues (same version, same type
> of vuln so cve merge).
Hi Moritz!
The version currently in stable (0.3) is not affected by either of the
bugs (I was unable to reproduce them). The version in testing is
affected by the latter bug but not by the first. I am doing an upload
about it shortly.
--
panic("bad_user_access_length executed (not cool, dude)");
2.0.38 /usr/src/linux/kernel/panic.c
Reply sent to Vincent Bernat <bernat@debian.org>: You have taken responsibility. (Sun, 26 Aug 2012 12:51:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Sun, 26 Aug 2012 12:51:03 GMT)
Message #15 received at 685475-close@bugs.debian.org:
Source: roundcube
Source-Version: 0.7.2-4
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 685475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 26 Aug 2012 14:20:24 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-sqlite roundcube-mysql roundcube-pgsql roundcube-plugins
Architecture: source all
Version: 0.7.2-4
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
roundcube-sqlite - transitional dummy package
Closes: 685475
Changes:
roundcube (0.7.2-4) unstable; urgency=high
.
* Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
Checksums-Sha1:
18bd2fcfc71c76cbcc137e794f27d1eea752ed16 1633 roundcube_0.7.2-4.dsc
f6332a51e065c14291307838e7d8ab857abc97ba 51853 roundcube_0.7.2-4.debian.tar.gz
8c0f1c50f60574a5a30ceb877680be3b57063f11 1026066 roundcube-core_0.7.2-4_all.deb
9590a8e18957536d1dec0d4e0011c16523a0cdae 27764 roundcube_0.7.2-4_all.deb
b70a909cd2af194c53958f32791ce146f61aae60 27378 roundcube-sqlite_0.7.2-4_all.deb
0112905aa72ee2f82134e90c6d6e8795487ef720 27090 roundcube-mysql_0.7.2-4_all.deb
dee7cae0ae8b698dbbd8ec124d2c20eabc96a681 27092 roundcube-pgsql_0.7.2-4_all.deb
949c009061cd9a4c7dbf76d42041d77970b7a6c0 321756 roundcube-plugins_0.7.2-4_all.deb
Checksums-Sha256:
2fe378edeb95e2f81505fbe5965a99949cf5cde2f58744258241bee1d05201d9 1633 roundcube_0.7.2-4.dsc
8babaf395d6652f05d16b98ba1398302612790659209559583ab73c375545a9e 51853 roundcube_0.7.2-4.debian.tar.gz
90f935f2b1562034c2f5f87e27ed99371a0a395a178be2dbd38d56a170909b1d 1026066 roundcube-core_0.7.2-4_all.deb
3703b9bcad8712148b4ac5712e45f19ff19755d5ddb8c5f3cee2d0ce773cf5a9 27764 roundcube_0.7.2-4_all.deb
2c9956900978af8147340b030789ce645801f1fa64abe0ff86a21fd941c6f453 27378 roundcube-sqlite_0.7.2-4_all.deb
9475dbddb63d381d16a4da5b678dc921eb477d5a9a76b6bfb4f5a9281cc6b58a 27090 roundcube-mysql_0.7.2-4_all.deb
a82e1e50a23cd4de7be13bc97a7e6ced7b75562f558bfad882234be6ed39bfef 27092 roundcube-pgsql_0.7.2-4_all.deb
73fd5ac4af700e0086c4359e965f41010c502688bb16ae2fc11bcbc6cc05d13a 321756 roundcube-plugins_0.7.2-4_all.deb
Files:
7d1b35cf4c4de62382cef0d6b43a6031 1633 web extra roundcube_0.7.2-4.dsc
518978d5094a6de830a9d55a815f054c 51853 web extra roundcube_0.7.2-4.debian.tar.gz
52d3366fe02710b3e24f48cb4342316d 1026066 web extra roundcube-core_0.7.2-4_all.deb
38d3b957bde5604b56497ac04b1fd9a0 27764 web extra roundcube_0.7.2-4_all.deb
237458be85f7ed83bb392f3f89c42d1d 27378 oldlibs extra roundcube-sqlite_0.7.2-4_all.deb
790eda22df969688b60fef172f8544ed 27090 web extra roundcube-mysql_0.7.2-4_all.deb
238c97b10c543636e26e6d215d66c470 27092 web extra roundcube-pgsql_0.7.2-4_all.deb
07fc0ccc6090f1c7bdf5bcbfb3e51f78 321756 web extra roundcube-plugins_0.7.2-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlA6F/kACgkQKFvXofIqeU5l1ACfSrGyhTUFpz+hekBiMZt7Jvbl
yJEAoJ2Dgl19I+UlaPXgUNkZb0pIrAeN
=WV7E
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#685475; Package roundcube. (Mon, 27 Aug 2012 06:39:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 27 Aug 2012 06:39:03 GMT)
Message #20 received at 685475@bugs.debian.org:
On Sun, Aug 26, 2012 at 02:34:30PM +0200, Vincent Bernat wrote:
> ❦ 21 August 2012 07:51 CEST, Moritz Muehlenhoff <jmm@inutil.org>:
> Hi Moritz!
>
> The version currently in stable (0.3) is not affected by either of the
> bugs (I was unable to reproduce them). The version in testing is
> affected by the later bug but not by the first. I am doing an upload
> about it shortly.
Thanks, I've updated the Security Tracker.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:16:51 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:11:15 2019