roundcube: CVE-2013-5645

Debian Bug report logs - #721592
roundcube: CVE-2013-5645

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 2 Sep 2013 06:33:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Fixed in version roundcube/0.9.4-1

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#721592; Package roundcube. (Mon, 02 Sep 2013 06:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 02 Sep 2013 06:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: CVE-2013-5645
Date: Mon, 02 Sep 2013 08:31:27 +0200
Package: roundcube
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for roundcube.

CVE-2013-5645[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
| webmail before 0.9.3 allow user-assisted remote attackers to inject
| arbitrary web script or HTML via the body of a message visited in (1)
| new or (2) draft mode, related to compose.inc; and (3) might allow
| remote authenticated users to inject arbitrary web script or HTML via
| an HTML signature, related to save_identity.inc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
    http://security-tracker.debian.org/tracker/CVE-2013-5645
[1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
[2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[3] http://trac.roundcube.net/ticket/1489251
[4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3

Please adjust the affected versions in the BTS as needed. At least
0.9.2 looks affected.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#721592; Package roundcube. (Mon, 02 Sep 2013 06:45:09 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 02 Sep 2013 06:45:09 GMT)


Message #10 received at 721592@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 721592@bugs.debian.org
Subject: Re: Bug#721592: roundcube: CVE-2013-5645
Date: Mon, 02 Sep 2013 08:42:14 +0200
 ❦  2 September 2013 08:31 CEST, Salvatore Bonaccorso <carnil@debian.org>:

> the following vulnerability was published for roundcube.
>
> CVE-2013-5645[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
> | webmail before 0.9.3 allow user-assisted remote attackers to inject
> | arbitrary web script or HTML via the body of a message visited in (1)
> | new or (2) draft mode, related to compose.inc; and (3) might allow
> | remote authenticated users to inject arbitrary web script or HTML via
> | an HTML signature, related to save_identity.inc.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
>     http://security-tracker.debian.org/tracker/CVE-2013-5645
> [1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
> [2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
> [3] http://trac.roundcube.net/ticket/1489251
> [4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
>
> Please adjust the affected versions in the BTS as needed. At least
> 0.9.2 looks affected.

Hi Salvatore!

Previous versions are likely to be affected too. I will try to backport
the patches. For the versions in Jessie and unstable, I will just upload
0.9.3.
-- 
Document your data layouts.
            - The Elements of Programming Style (Kernighan & Plauger)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#721592; Package roundcube. (Tue, 03 Sep 2013 06:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 03 Sep 2013 06:54:04 GMT)


Message #15 received at 721592@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Vincent Bernat <bernat@debian.org>
Cc: 721592@bugs.debian.org
Subject: Re: Bug#721592: roundcube: CVE-2013-5645
Date: Tue, 3 Sep 2013 08:51:43 +0200
Hi Vincent!

On Mon, Sep 02, 2013 at 08:42:14AM +0200, Vincent Bernat wrote:
>  ❦  2 September 2013 08:31 CEST, Salvatore Bonaccorso <carnil@debian.org>:
> 
> > the following vulnerability was published for roundcube.
> >
> > CVE-2013-5645[0]:
> > | Multiple cross-site scripting (XSS) vulnerabilities in Roundcube
> > | webmail before 0.9.3 allow user-assisted remote attackers to inject
> > | arbitrary web script or HTML via the body of a message visited in (1)
> > | new or (2) draft mode, related to compose.inc; and (3) might allow
> > | remote authenticated users to inject arbitrary web script or HTML via
> > | an HTML signature, related to save_identity.inc.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
> >     http://security-tracker.debian.org/tracker/CVE-2013-5645
> > [1] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
> > [2] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
> > [3] http://trac.roundcube.net/ticket/1489251
> > [4] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
> >
> > Please adjust the affected versions in the BTS as needed. At least
> > 0.9.2 looks affected.
> 
> Hi Salvatore!
> 
> Previous versions are likely to be affected too. I will try to backport
> the patches. For the versions in Jessie and unstable, I will just upload
> 0.9.3.

Thanks for your quick reply! From what I see about the vulnerability,
I would say this does not warrant a DSA, as the exploitability seems
to be limited to a user-assisted remote attacker.

Do you agree on that conclusion? If yes I will mark this in the
security-tracker appropriately. Could you address in that case the
updates through a proposed-update instead?

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#721592; Package roundcube. (Tue, 03 Sep 2013 07:03:04 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 03 Sep 2013 07:03:04 GMT)


Message #20 received at 721592@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 721592@bugs.debian.org
Subject: Re: Bug#721592: roundcube: CVE-2013-5645
Date: Tue, 03 Sep 2013 09:01:03 +0200
 ❦  3 September 2013 08:51 CEST, Salvatore Bonaccorso <carnil@debian.org>:

>> > Please adjust the affected versions in the BTS as needed. At least
>> > 0.9.2 looks affected.
>> 
>> Hi Salvatore!
>> 
>> Previous versions are likely to be affected too. I will try to backport
>> the patches. For the versions in Jessie and unstable, I will just upload
>> 0.9.3.
>
> Thanks for your quick reply! From what I see about the vulnerability,
> I would say this does not warrant a DSA, as the exploitability seems
> to be limited to a user-assisted remote attacker.

The exploit can be triggered by a user using a message as a template for
a new message. This seems far-fetched, so I agree.

> Do you agree on that conclusion? If yes I will mark this in the
> security-tracker appropriately. Could you address in that case the
> updates through a proposed-update instead?

OK.
-- 
Identify bad input; recover if possible.
            - The Elements of Programming Style (Kernighan & Plauger)
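The class of bug discussed above (stored HTML from a message reused as a compose template, and an HTML signature saved by the user, per the CVE text) is what an allow-list HTML washer is for: untrusted markup is rebuilt from an allow-list of tags and attributes, and script content, event-handler attributes and non-http(s)/mailto URLs are removed before the editor ever sees it. The following is an added example written for this bug log, not Roundcube's own rcube_washtml code; the allow-lists, the `wash` function and the sample message body are constructed assumptions.

```python
"""Allow-list washer for untrusted HTML before it is handed to a compose editor.

Added example for this bug log; it is not Roundcube's own rcube_washtml code.
The allow-lists below are constructed assumptions, not Roundcube's lists.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "div", "span",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"style"}, "span": {"style"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
UNSAFE_CSS = re.compile(r"url\s*\(|expression\s*\(|javascript|@import|\\", re.I)


def attribute_is_safe(tag, name, value):
    """Return True only for allow-listed attributes whose value is safe."""
    if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
        return False  # event handlers and anything not explicitly allowed
    value = value or ""
    if name == "href":
        # strip control chars and whitespace so "java\tscript:" cannot slip past
        compact = re.sub(r"[\x00-\x20]+", "", value).lower()
        return compact.startswith(SAFE_URL_SCHEMES)
    if name == "style":
        return UNSAFE_CSS.search(value) is None
    return True


class Washer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # washed output fragments
        self.stack = []      # tags we emitted and still have to close
        self.skip_depth = 0  # >0 while inside script/style/...: content dropped
        self.dropped = []    # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return  # unknown tag goes away; its text content is kept
        kept = []
        for name, value in attrs:
            if attribute_is_safe(tag, name, value):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"attr:{tag}.{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.stack:
            # close anything left open inside it, so output stays well-formed
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is never markup

    def handle_comment(self, data):
        self.dropped.append("comment")

    def handle_decl(self, decl):
        self.dropped.append("decl")

    def handle_pi(self, data):
        self.dropped.append("pi")


def wash(untrusted_html):
    """Return (clean_html, dropped_items) for a stored body or HTML signature."""
    w = Washer()
    w.feed(untrusted_html)
    w.close()
    while w.stack:  # close tags the message left open
        w.out.append(f"</{w.stack.pop()}>")
    return "".join(w.out), w.dropped


# Constructed sample of a stored message body reopened as a compose template.
SAMPLE_BODY = ('<p>Hi <b onmouseover="alert(1)">there</b></p>'
               '<script>alert(1)</script>'
               '<a href="javascript:alert(1)">link</a>'
               '<a href="https://example.org/">ok</a>')

if __name__ == "__main__":
    clean, dropped = wash(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part worth keeping in a real deployment: logging what the washer removed from a draft or a saved signature gives a detection signal for stored markup that should never have been there. Decoded character references are re-escaped on output, so text that merely looks like a tag stays text.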

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#721592; Package roundcube. (Tue, 03 Sep 2013 07:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 03 Sep 2013 07:21:05 GMT)


Message #25 received at 721592@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Vincent Bernat <bernat@debian.org>
Cc: 721592@bugs.debian.org
Subject: Re: Bug#721592: roundcube: CVE-2013-5645
Date: Tue, 3 Sep 2013 09:19:02 +0200
Hi Vincent,

On Tue, Sep 03, 2013 at 09:01:03AM +0200, Vincent Bernat wrote:
>  ❦  3 September 2013 08:51 CEST, Salvatore Bonaccorso <carnil@debian.org>:
> 
> >> > Please adjust the affected versions in the BTS as needed. At least
> >> > 0.9.2 looks affected.
> >> 
> >> Hi Salvatore!
> >> 
> >> Previous versions are likely to be affected too. I will try to backport
> >> the patches. For the versions in Jessie and unstable, I will just upload
> >> 0.9.3.
> >
> > Thanks for your quick reply! From what I see about the vulnerability,
> > I would say this does not warrant a DSA, as the exploitability seems
> > to be limited to a user-assisted remote attacker.
> 
> The exploit can be triggered by a user using a message as a template for
> a new message. This seems far-fetched, so I agree.
> 
> > Do you agree on that conclusion? If yes I will mark this in the
> > security-tracker appropriately. Could you address in that case the
> > updates through a proposed-update instead?
> 
> OK.

Thanks for confirming. I have marked it accordingly.

Regards,
Salvatore



Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sun, 08 Sep 2013 12:06:58 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 08 Sep 2013 12:06:58 GMT)


Message #30 received at 721592-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 721592-close@bugs.debian.org
Subject: Bug#721592: fixed in roundcube 0.9.4-1
Date: Sun, 08 Sep 2013 12:03:29 +0000
Source: roundcube
Source-Version: 0.9.4-1

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721592@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 08 Sep 2013 13:52:46 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 0.9.4-1
Distribution: unstable
Urgency: low
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 721592
Changes: 
 roundcube (0.9.4-1) unstable; urgency=low
 .
   * New upstream version.
      + Fix CVE-2013-5645 (Closes: #721592)
      + "Enigma" plugin has been removed.
Checksums-Sha1: 
 04afd09fe86b6612cb8c674e2a070f7855974ec4 2271 roundcube_0.9.4-1.dsc
 66acb337b422940d7d79ed942a866d238d628960 3410013 roundcube_0.9.4.orig.tar.gz
 8e91f7dd2ea42a1fcdb29e4aea0e8ec77f609db6 54031 roundcube_0.9.4-1.debian.tar.gz
 552231dd2bb27ffa8fcc8f28521f63d86033ad26 1101196 roundcube-core_0.9.4-1_all.deb
 220b64afae111f732b71726264f21177d996b0e0 28734 roundcube_0.9.4-1_all.deb
 724a2e9f2bdef21fd302a16d92948a7b66e494a2 28648 roundcube-mysql_0.9.4-1_all.deb
 87bfefaf965621f6d432744369b0c520218bf9d1 28658 roundcube-pgsql_0.9.4-1_all.deb
 d34dbc37802233a6bb6bc7bbd2b5a8bc5e4e3667 28612 roundcube-sqlite3_0.9.4-1_all.deb
 59da24fd6115be3fe21c253f006416e3cdf95708 483518 roundcube-plugins_0.9.4-1_all.deb
Checksums-Sha256: 
 71881151fe3e618992e52c4756e557daec5ec4a8066e077bd671ce9cc956ae42 2271 roundcube_0.9.4-1.dsc
 2803458dc38758c40a546a0aac173b7458178f27c65612f570dd50561a3183e4 3410013 roundcube_0.9.4.orig.tar.gz
 7e1905c7edbb3e39aa5ed8d5ed6e7710f4919f0b520bca55de90c9c8514eb668 54031 roundcube_0.9.4-1.debian.tar.gz
 e8ddc41cda6c77df061b94c6751b9207067ee9cda16ba71396d954bd309035ac 1101196 roundcube-core_0.9.4-1_all.deb
 8feeb2e2de7874c0f83bf1a603edd5492dd39ca2bdad1c8b1a57741a27092ea1 28734 roundcube_0.9.4-1_all.deb
 1f1c7ef93c4a0975594b965a2817e1a85788e5b28303f63da0cbd017248ccd63 28648 roundcube-mysql_0.9.4-1_all.deb
 7ed65fd6026a969590cf68cf3253b62f14002a391c29941e14e1fc46baaeb794 28658 roundcube-pgsql_0.9.4-1_all.deb
 34a0aa3206e9ac359d95d0b2623a98a91dfe1b438e36f56256df93fd323295ff 28612 roundcube-sqlite3_0.9.4-1_all.deb
 a2e95a4e4e871d8527ff35b5b52c2e302018db8da9780c050c7f9a6b4a4e8a0f 483518 roundcube-plugins_0.9.4-1_all.deb
Files: 
 d8394e0b6c0d923f02a261e1865e726d 2271 web extra roundcube_0.9.4-1.dsc
 8ec32e093983128ef1a87c561bb48c99 3410013 web extra roundcube_0.9.4.orig.tar.gz
 655205a17936ecf197a8b5c71b6b0ece 54031 web extra roundcube_0.9.4-1.debian.tar.gz
 b47e2c5383b584dd572cfe0845db324d 1101196 web extra roundcube-core_0.9.4-1_all.deb
 769e3e67bd6db8000c929b58e199bbef 28734 web extra roundcube_0.9.4-1_all.deb
 286632a711a13563bb749da3c4c1b7ff 28648 web extra roundcube-mysql_0.9.4-1_all.deb
 16864acc12f7c669812375a4a456f4cb 28658 web extra roundcube-pgsql_0.9.4-1_all.deb
 4ef7745072934f10acb20992a02dcd2f 28612 web extra roundcube-sqlite3_0.9.4-1_all.deb
 3854789182a5c4d2db75e08dd49cfb95 483518 web extra roundcube-plugins_0.9.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCAAGBQJSLGa+AAoJEJWkL+g1NSX5l/EP/R7u4wVh/bTiNUX5vNjUbyNZ
Ld2PjNzoqtDVI+g4IRvSGqTsGLCkJcjBSskg13udl3WPqU6gPSWc826EdXXp0kG/
SS64DC+jqjIN7k1Ms8TwuYf11OZL5gOwXTx7vGxgqFcWf+cM3xfTT6CRCZupUJpK
xTgKft3DzB2yOr2NJoSkq8AMRJHpcRF+K5aPSY/n0snkd3j00FXCpoc+eFTuuXl7
alEvHiX4pfqrzNbTuLLIf8q3jQfaA0kzOapHKkhTs+UKRVLEW7IaWpcPRKhwjFkE
ArC/eF6ClD86iGdOC5i1QxJugKgvoaDjCTgFFl38gFWl+YqIf3f0SUHF3cHt3On/
ArmvkTE703OirrU6ziyB5m7vJP2U0EesOFrXQ5or7g7knUWMiE/6uhsbALOoDRIm
APUbfa2YMlhOavH4BD42sDswGPzi0i0il3WyPIA1bo11dTL30wNaONSUSbjvbjfG
dVEWA+qY2Eswb8yc8yGl3rpSBlJdElTivRmHpcOMOiQJAEd21MGvr2eEqfDh0gi7
1Amw3pIh44OX3ETKLcmbzvC/VhBzE62EvjelbjdTIzeFwOxhqlvS+GNf5D8UVJIO
nHgKhjingL5vua9DTXlwghnEpIS73XpKavN8MDrkJiYhKF3kMqgawwD1DntvMpeC
jsBQ3+zcUqQlYHIhKi2k
=2z2a
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Oct 2013 07:46:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:30:42 2019; Machine Name: buxtehude
