Bug 27957

Summary: roundcubemail new XSS security issue CVE-2020-35730
Product: Mageia Reporter: Marc Krämer <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: roundcubemail-1.3.15-1.mga7.src.rpm CVE: CVE-2020-35730
Status comment:

Description Marc Krämer 2020-12-28 11:13:55 CET 
Fix stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].
Comment 1 Marc Krämer 2020-12-28 11:45:48 CET 
Updated roundcubemail fixes a security vulnerability:
Fixes stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [1]


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35730
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.16


SRPM:
roundcubemail-1.3.16-1.mga7.src.rpm

RPMS in core/updates_testing:
roundcubemail-1.3.16-1.mga7.noarch.rpm

Assignee: mageia => qa-bugs

Comment 2 PC LX 2020-12-28 12:51:37 CET 
Installed and tested without issues.

Tested on setup with apache, php-fpm, mariadb and dovecot. 
Tested with multiple email accounts with GiB of emails.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.3.16-1.mga7
$ rpm -qa | egrep '(mariadb|apache|php-fpm|dovecot)' | sort
apache-2.4.46-1.mga7
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
apache-mod_http2-2.4.46-1.mga7
apache-mod_php-7.3.23-1.mga7
apache-mod_proxy-2.4.46-1.mga7
apache-mod_ssl-2.4.46-1.mga7
dovecot-2.3.11.3-1.mga7
dovecot-pigeonhole-2.3.11.3-1.mga7
lib64mariadb3-10.3.27-1.mga7
mariadb-10.3.27-1.mga7
mariadb-client-10.3.27-1.mga7
mariadb-common-10.3.27-1.mga7
mariadb-common-core-10.3.27-1.mga7
mariadb-core-10.3.27-1.mga7
mariadb-extra-10.3.27-1.mga7
php-fpm-7.3.23-1.mga7
$ systemctl status httpd.service php-fpm.service dovecot.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-28 10:43:41 WET; 1h 5min ago
 Main PID: 3207 (httpd)
   Status: "Total requests: 279; Idle/Busy workers 100/0;Requests/sec: 0.0708; Bytes served/sec: 852 B/sec"
    Tasks: 66 (limit: 4684)
   Memory: 34.3M
   CGroup: /system.slice/httpd.service
           ├─3207 /usr/sbin/httpd -DFOREGROUND
           ├─3208 /usr/sbin/httpd -DFOREGROUND
           └─3209 /usr/sbin/httpd -DFOREGROUND

dez 28 10:43:41 marte systemd[1]: Starting The Apache HTTP Server...
dez 28 10:43:41 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-28 11:40:35 WET; 8min ago
 Main PID: 523 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 110, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4684)
   Memory: 26.8M
   CGroup: /system.slice/php-fpm.service
           ├─523 php-fpm: master process (/etc/php-fpm.conf)
           ├─628 php-fpm: pool www
           └─660 php-fpm: pool www

dez 28 11:40:35 marte systemd[1]: Starting The PHP FastCGI Process Manager...
dez 28 11:40:35 marte php-fpm[523]: [NOTICE] fpm is running, pid 523
dez 28 11:40:35 marte php-fpm[523]: [NOTICE] ready to handle connections
dez 28 11:40:35 marte systemd[1]: Started The PHP FastCGI Process Manager.
dez 28 11:40:35 marte php-fpm[523]: [NOTICE] systemd monitor interval set to 10000ms

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-28 11:28:47 WET; 20min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 6325 (dovecot)
    Tasks: 5 (limit: 4684)
   Memory: 43.3M
   CGroup: /system.slice/dovecot.service
           ├─6325 /usr/sbin/dovecot -F
           ├─6327 dovecot/anvil
           ├─6328 dovecot/log
           ├─6330 dovecot/config
           └─6332 dovecot/stats

dez 28 11:47:12 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=957, secured, session=<QJe11YS3vIn9AAAAAAEAAQAAAAAAAAAB>
dez 28 11:47:12 marte dovecot[6328]: imap(pclx)<957><QJe11YS3vIn9AAAAAAEAAQAAAAAAAAAB>: Logged out in=402 out=3231 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=435 body_count=1 body_bytes=1197
dez 28 11:47:14 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=961, secured, session=<N3nT1YS3won9AAAAAAEAAQAAAAAAAAAB>
dez 28 11:47:14 marte dovecot[6328]: imap(pclx)<961><N3nT1YS3won9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=8309 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=6012
dez 28 11:47:17 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=964, secured, session=<AM/61YS3xIn9AAAAAAEAAQAAAAAAAAAB>
dez 28 11:47:17 marte dovecot[6328]: imap(pclx)<964><AM/61YS3xIn9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=8309 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=6012
dez 28 11:47:24 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=986, secured, session=<eTZo1oS34on9AAAAAAEAAQAAAAAAAAAB>
dez 28 11:47:24 marte dovecot[6328]: imap(pclx)<986><eTZo1oS34on9AAAAAAEAAQAAAAAAAAAB>: Logged out in=444 out=42408 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=444 body_count=2 body_bytes=40102
dez 28 11:47:33 marte dovecot[6328]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00:0:1:1::1, lip=fd00:0:1:1::1, mpid=1023, secured, session=<7W3y1oS36on9AAAAAAEAAQAAAAAAAAAB>
dez 28 11:47:33 marte dovecot[6328]: imap(pclx)<1023><7W3y1oS36on9AAAAAAEAAQAAAAAAAAAB>: Logged out in=2541 out=14397 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

David Walser 2020-12-28 19:32:51 CET

Summary: XSS issue in roundcubemail => roundcubemail new XSS security issue CVE-2020-35730

Comment 3 Thomas Andrews 2020-12-28 23:11:10 CET 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Aurelien Oudelet 2020-12-29 11:34:19 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory
Component: RPM Packages => Security
CC: (none) => ouaurelien
Source RPM: roundcubemail => roundcubemail-1.3.15-1.mga7.src.rpm
QA Contact: (none) => security
CVE: (none) => CVE-2020-35730

Comment 5 Mageia Robot 2020-12-29 12:58:55 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0481.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2020-12-29 18:09:24 CET 
Debian has issued an advisory for this on December 28:
https://www.debian.org/security/2020/dsa-4821