CVE-2009-0413: possible XSS issue

Debian Bug report logs - #514179
CVE-2009-0413: possible XSS issue

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2009-0413: possible XSS issue

Date: Wed, 04 Feb 2009 18:13:05 -0500

Package: roundcube
Version: 0.2~alpha-4
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.

CVE-2009-0413[0]:
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail
| (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
| web script or HTML via the background attribute embedded in an HTML
| e-mail message.

This bugreport concerns the experimental version. The other versions
don't seem to be affected after a quick glance. The published upstream
patch is here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413
    http://security-tracker.debian.net/tracker/CVE-2009-0413
[1] http://trac.roundcube.net/changeset/2245

Message #10 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Steffen Joeris <steffen.joeris@skolelinux.de>

Cc: 514179@bugs.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Fri, 06 Feb 2009 07:38:06 +0100

[Message part 1 (text/plain, inline)]

OoO En cette nuit nuageuse du jeudi 05 février 2009, vers 00:13, Steffen
Joeris <steffen.joeris@skolelinux.de> disait :

> Package: roundcube
> Version: 0.2~alpha-4
> Severity: important
> Tags: security

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for roundcube.

> CVE-2009-0413[0]:
> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.

> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

Hi Steffen!

From  my knowledge,  0.1.1 and  0.2alpha  are not  affected because  the
background attribute is not accepted at all.

The patch also fixes  a regexp and I don't know if  this is related to a
security issue. I will ask upstream about this.

Until  I get  a confirmation,  I leave  the report  as is.  I  hope that
roundcube won't be removed from lenny. ;-)

Thanks for the report.
-- 
BOFH excuse #328:
Fiber optics caused gas main leak

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Steffen Joeris <steffen.joeris@skolelinux.de>

Cc: 514179@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Mon, 09 Feb 2009 19:00:46 +0100

[Message part 1 (text/plain, inline)]

OoO En cette nuit nuageuse du jeudi 05 février 2009, vers 00:13, Steffen
Joeris <steffen.joeris@skolelinux.de> disait :

> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
> | web script or HTML via the background attribute embedded in an HTML
> | e-mail message.

> This bugreport concerns the experimental version. The other versions
> don't seem to be affected after a quick glance. The published upstream
> patch is here[1].

> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
vulnerable to  this XSS  attack but is  also vulnerable to  many others,
even trivial ones.

We  believe  that  we  cannot  fix those  security  issues  with  simple
patches. The best way to handle them would be to upgrade to 0.2 which is
not ready for  unstable yet (and cannot run in  Lenny because of missing
dependencies).

Therefore, it seems to be safer to just remove roundcube from Lenny.
-- 
Avoid unnecessary branches.
            - The Elements of Programming Style (Kernighan & Plauger)

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Luk Claes <luk@debian.org>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 514179@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Mon, 09 Feb 2009 23:41:37 +0100

Vincent Bernat wrote:
> OoO En cette nuit nuageuse du jeudi 05 février 2009, vers 00:13, Steffen
> Joeris <steffen.joeris@skolelinux.de> disait :
> 
>> | Cross-site scripting (XSS) vulnerability in RoundCube Webmail
>> | (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
>> | web script or HTML via the background attribute embedded in an HTML
>> | e-mail message.
> 
>> This bugreport concerns the experimental version. The other versions
>> don't seem to be affected after a quick glance. The published upstream
>> patch is here[1].
> 
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
> 
> After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
> vulnerable to  this XSS  attack but is  also vulnerable to  many others,
> even trivial ones.
> 
> We  believe  that  we  cannot  fix those  security  issues  with  simple
> patches. The best way to handle them would be to upgrade to 0.2 which is
> not ready for  unstable yet (and cannot run in  Lenny because of missing
> dependencies).
> 
> Therefore, it seems to be safer to just remove roundcube from Lenny.

removal hint added

Cheers

Luk

Message #25 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Cc: 514179@bugs.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Tue, 10 Feb 2009 11:30:00 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Montag, 9. Februar 2009, Luk Claes wrote:
> > After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
> > vulnerable to  this XSS  attack but is  also vulnerable to  many others,
> > even trivial ones.
> >
> > We  believe  that  we  cannot  fix those  security  issues  with  simple
> > patches. The best way to handle them would be to upgrade to 0.2 which is
> > not ready for  unstable yet (and cannot run in  Lenny because of missing
> > dependencies).
> >
> > Therefore, it seems to be safer to just remove roundcube from Lenny.
> removal hint added

And what about the version in etch-backports now?


regards,	
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 514179@bugs.debian.org, backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Wed, 11 Feb 2009 19:25:38 +0100

[Message part 1 (text/plain, inline)]

OoO En  cette fin  de matinée  radieuse du mardi  10 février  2009, vers
11:30, Holger Levsen <holger@layer-acht.org> disait :

>> > After  some  investigations,  we  discovered  that  roundcube  0.1.1  is
>> > vulnerable to  this XSS  attack but is  also vulnerable to  many others,
>> > even trivial ones.
>> >
>> > We  believe  that  we  cannot  fix those  security  issues  with  simple
>> > patches. The best way to handle them would be to upgrade to 0.2 which is
>> > not ready for  unstable yet (and cannot run in  Lenny because of missing
>> > dependencies).
>> >
>> > Therefore, it seems to be safer to just remove roundcube from Lenny.
>> removal hint added

> And what about the version in etch-backports now?

It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?
-- 
printk("Illegal format on cdrom.  Pester manufacturer.\n"); 
	2.2.16 /usr/src/linux/fs/isofs/inode.c

[Message part 2 (application/pgp-signature, inline)]

Message #35 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Vincent Bernat <bernat@debian.org>

Cc: 514179@bugs.debian.org, backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Wed, 11 Feb 2009 19:52:11 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Mittwoch, 11. Februar 2009, Vincent Bernat wrote:
> It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?

Besides that it's in experimental atm, do you have a way to reduce it's 
depends to something which is in etch/bpo or at least lenny?

(And I'm not sure Alexander will like it. But then the question how to proceed 
is still open. Remove it and send a mail to bpo-announce and inform people?)

Do you have 0.2 running on etch somewhere?


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 514179@bugs.debian.org, backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Wed, 11 Feb 2009 19:58:48 +0100

[Message part 1 (text/plain, inline)]

OoO Pendant  le repas  du mercredi 11  février 2009, vers  19:52, Holger
Levsen <holger@layer-acht.org> disait :

> On Mittwoch, 11. Februar 2009, Vincent Bernat wrote:
>> It should be vulnerable too. Would it be possible to upgrade to 0.2-alpha?

> Besides that it's in experimental atm, do you have a way to reduce it's 
> depends to something which is in etch/bpo or at least lenny?

0.2alpha should run fine in Etch if you reenable the following patch:
 fix-too-old-php-mail-mime.patch

The future 0.2stable will need more  work (even for lenny) since it uses
mdb.
-- 
printk("??? No FDIV bug? Lucky you...\n");
	2.2.16 /usr/src/linux/include/asm-i386/bugs.h

[Message part 2 (application/pgp-signature, inline)]

Message #45 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Vincent Bernat <bernat@debian.org>

Cc: 514179@bugs.debian.org, backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Wed, 11 Feb 2009 20:20:13 +0100

[Message part 1 (text/plain, inline)]

Hi Vincent,

On Mittwoch, 11. Februar 2009, Vincent Bernat wrote:
> 0.2alpha should run fine in Etch if you reenable the following patch:
>  fix-too-old-php-mail-mime.patch

ok, just like on bpo now :)

> The future 0.2stable will need more  work (even for lenny) since it uses
> mdb.

hmpf. 0.2 stable is not really future (as you'll know), but current. So I 
expect 0.2alpha to also have important issues which are fixed in 0.2.x in the 
short or long run, so no real gain IMHO...


regards,
	Holger

[signature.asc (application/pgp-signature, inline)]

Message #50 received at 514179@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Holger Levsen <holger@layer-acht.org>

Cc: 514179@bugs.debian.org, backports-users@lists.backports.org, pkg-roundcube-maintainers@lists.alioth.debian.org

Subject: Re: Bug#514179: CVE-2009-0413: possible XSS issue

Date: Thu, 12 Feb 2009 03:05:17 +0100

[Message part 1 (text/plain, inline)]

OoO Pendant le journal télévisé du mercredi 11 février 2009, vers 20:20,
Holger Levsen <holger@layer-acht.org> disait :

>> The future 0.2stable will need more  work (even for lenny) since it uses
>> mdb.

> hmpf. 0.2 stable is not really future (as you'll know), but current. So I 
> expect 0.2alpha to also have important issues which are fixed in 0.2.x in the 
> short or long run, so no real gain IMHO...

Well, it does not have this XSS issue, so it is an improvement over 0.1.1.
-- 
die_if_kernel("Kernel gets FloatingPenguinUnit disabled trap", regs);
	2.2.16 /usr/src/linux/arch/sparc/kernel/traps.c

[Message part 2 (application/pgp-signature, inline)]

Message #55 received at 514179-close@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: 514179-close@bugs.debian.org

Subject: Bug#514179: fixed in roundcube 0.2~stable-1

Date: Sun, 15 Feb 2009 17:17:09 +0000

Source: roundcube
Source-Version: 0.2~stable-1

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.2~stable-1_all.deb
  to pool/main/r/roundcube/roundcube-core_0.2~stable-1_all.deb
roundcube-mysql_0.2~stable-1_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.2~stable-1_all.deb
roundcube-pgsql_0.2~stable-1_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.2~stable-1_all.deb
roundcube-sqlite_0.2~stable-1_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.2~stable-1_all.deb
roundcube_0.2~stable-1.diff.gz
  to pool/main/r/roundcube/roundcube_0.2~stable-1.diff.gz
roundcube_0.2~stable-1.dsc
  to pool/main/r/roundcube/roundcube_0.2~stable-1.dsc
roundcube_0.2~stable-1_all.deb
  to pool/main/r/roundcube/roundcube_0.2~stable-1_all.deb
roundcube_0.2~stable.orig.tar.gz
  to pool/main/r/roundcube/roundcube_0.2~stable.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Feb 2009 16:18:58 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.2~stable-1
Distribution: unstable
Urgency: low
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 473794 503573 504570 508752 514179
Changes: 
 roundcube (0.2~stable-1) unstable; urgency=low
 .
   * New upstream version. Closes: #503573, #504570.
       + Add SQL update scripts for this new release and for
         0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
       + Remove patch for CVE-2008-5620 which is now fixed upstream.
       + Remove patch correcting a vulnerability in html2text.php.
       + Remove patch fixing login issue. This is fixed upstream.
       + Remove patch setting the default backend to db instead of mdb2:
         this is not possible any more. We depend on php-mdb2 now.
       + Update patch to use packaged tinymce.
   * Upload to unstable since Lenny is out.
   * Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
   * Remove hack to update a SQLite table for an upgrade from a quite old
     version of roundcube.
   * Fix pending l10n issues:
       + Update English debconf template. Closes: #473794.
       + Add Swedish translation thanks to Martin Bagge. Closes: #508752.
   * Fix debian/copyright to make lintian happy.
Checksums-Sha1: 
 a9602a087edd88631c35d43bf38c2b10b57dcf4b 1417 roundcube_0.2~stable-1.dsc
 23bedb1baa91a67ca14a05aa4acae413c8bf7fc6 1186285 roundcube_0.2~stable.orig.tar.gz
 03a75af4ecb98a37af5715f7ec057113d53f0c4e 26700 roundcube_0.2~stable-1.diff.gz
 65fe00e00afc48431bc86924c06c367c0ae1aec8 696628 roundcube-core_0.2~stable-1_all.deb
 886183bf33ab7dc4d296698a0ac04ff6489169b0 14672 roundcube_0.2~stable-1_all.deb
 195cd341378bddc3c281e71a0f509604eeae2d68 13992 roundcube-mysql_0.2~stable-1_all.deb
 3575afcc2e5a5ee39cb4b555ff1cbcbce447acd7 13996 roundcube-pgsql_0.2~stable-1_all.deb
 af057aa7f209f68dc82f76e6d48fb35fefb3c23b 13962 roundcube-sqlite_0.2~stable-1_all.deb
Checksums-Sha256: 
 9b8f42a3d3d3dde6f7ad03937841f8c0ebefd5649eb369560ef1b008488afb86 1417 roundcube_0.2~stable-1.dsc
 63757d57bcb4f0fab306bcf9517e9714b32df249af72f7f93b9faf77c081fd07 1186285 roundcube_0.2~stable.orig.tar.gz
 3a0cc90ece88e6d79dd0231bc13af73cd6e49ec095105a8ef034f2b8bfbbd216 26700 roundcube_0.2~stable-1.diff.gz
 5bb7a49b358607848fe6a1aae42ced06890a00a4c95db53cbb56aa3786b2eb67 696628 roundcube-core_0.2~stable-1_all.deb
 f5174dd71f64a702e30a6afbe6920ea7d193b376f1e7d693a641bd8dab2633ca 14672 roundcube_0.2~stable-1_all.deb
 51543b7bdb98a3ffa6b0fcfd61fb0a59ce6598df7a84ac8cd3ff049feb3fcba9 13992 roundcube-mysql_0.2~stable-1_all.deb
 77c8cef82bbb664b296b1594e83cf305b3cb21020e535f962f22f08b913c9998 13996 roundcube-pgsql_0.2~stable-1_all.deb
 df0c23a8464d57420f0b20eea3e4700c1b1d612e416e3a5bfd18666299f7af4e 13962 roundcube-sqlite_0.2~stable-1_all.deb
Files: 
 ff50ac63e97f8ccf476919960efba356 1417 web extra roundcube_0.2~stable-1.dsc
 dac7776b063bf2314f7d7730af2b1b0f 1186285 web extra roundcube_0.2~stable.orig.tar.gz
 24aeb23dfc6ed6cf293e4639708df91d 26700 web extra roundcube_0.2~stable-1.diff.gz
 3e9559c144ef87b50aee302976085435 696628 web extra roundcube-core_0.2~stable-1_all.deb
 ddb189f5a92bd62ad936124fbae5c876 14672 web extra roundcube_0.2~stable-1_all.deb
 388a796f9ad8565442b9dee909309c9c 13992 web extra roundcube-mysql_0.2~stable-1_all.deb
 556575a66a9244b31e5d033e2e99bd34 13996 web extra roundcube-pgsql_0.2~stable-1_all.deb
 3d0795167d24c522162ab57306fc1f47 13962 web extra roundcube-sqlite_0.2~stable-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmYTTkACgkQKFvXofIqeU4r4ACfW12giHgsLzimGX1JtgWqFLEy
XoAAn24tnvOW9/aTKSa7ETR1ztRNgR5j
=55EP
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.