Bug 11069 - roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
: roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/565276/
: has_procedure mga2too MGA3-64-OK MGA3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-23 18:54 CEST by David Walser
Modified: 2013-09-03 21:58 CEST (History)
5 users (show)

See Also:
Source RPM: roundcubemail
CVE:


Attachments

Description David Walser 2013-08-23 18:54:51 CEST
Upstream has released version 0.9.3:
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3

which fixes two XSS issues.  CVEs have been requested:
http://openwall.com/lists/oss-security/2013/08/23/13

I don't know if 0.7.x (Mageia 2) is affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-08-23 18:55:36 CEST
Oden fixed this in Cauldron this morning in roundcubemail-0.9.3-1.mga4.
Comment 2 David Walser 2013-08-23 18:56:17 CEST
Also note that there are two outstanding bug reports on this package:
Bug 9915 and Bug 9916
Comment 3 David Walser 2013-08-28 19:26:39 CEST
A CVE has been assigned for this (CVE-2013-5645):
http://openwall.com/lists/oss-security/2013/08/28/4
Comment 4 Oden Eriksson 2013-08-29 09:31:22 CEST
roundcubemail-0.7.4-1.2.mga2 and roundcubemail-0.9.3-1.mga3 has been submitted.
Comment 5 David Walser 2013-08-29 14:15:48 CEST
Has anything been done abut Bug 9915 or Bug 9916?
Comment 6 David Walser 2013-08-29 15:00:35 CEST
(In reply to David Walser from comment #5)
> Has anything been done abut Bug 9915 or Bug 9916?

Looking at the SVN commits, I see that nothing has been done on those.  Hopefully we can get those addressed at some point.

Advisory for this update to come.
Comment 7 David Walser 2013-08-29 15:04:22 CEST
Advisory:
========================

Updated roundcubemail package fixes security vulnerability:

XSS vulnerabilities when saving HTML signatures and when editing a message "as
new" or draft in roundcubemail before 0.9.3 (CVE-2013-5645).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5645
http://trac.roundcube.net/ticket/1489251
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
========================

Updated packages in core/updates_testing:
========================
roundcubemail-0.7.4-1.2.mga2
roundcubemail-0.9.3-1.mga3

from SRPMS:
roundcubemail-0.7.4-1.2.mga2.src.rpm
roundcubemail-0.9.3-1.mga3.src.rpm
Comment 8 claire robinson 2013-08-29 19:49:52 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5
Comment 9 David Walser 2013-08-29 21:07:00 CEST
Fedora has issued an advisory for this on August 23:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114854.html
Comment 10 Dave Hodgins 2013-09-01 13:14:57 CEST
Advisory 11069.adv uploaded to svn.

I'll test this shortly.
Comment 11 Dave Hodgins 2013-09-01 16:38:30 CEST
I can't recreate the poc in Mageia 2.
Any point in pushing the update for it?

In Mageia 3, running the installer fails, when it's trying to generate
the config files with ...
main.inc.php:  NOT OK(Unable to read file. Did you create the config files?)
db.inc.php:  NOT OK(Unable to read file. Did you create the config files?)

To fix the problem, I had to run ...
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

In Mageia 3, the poc works.

To create it, Select the Settings/Identities, and select the user, then paste
test<b onmouseover="alert(document.cookie)">asd</b>

into the signature field. Once it's saved, hovering the mouse over the asd part
shows the problem.

I'll test the update on Mageia 3 shortly.
Comment 12 Dave Hodgins 2013-09-02 01:21:43 CEST
Testing complete on Mageia 3 x86_64

I've also added a comment to bug 9915 about the symlink problem.
Comment 13 Dave Hodgins 2013-09-02 02:04:16 CEST
Testing complete on Mageia 2 i586 and x86_64.

Although no change noticed, as the poc doesn't work on Mageia 2, no
regressions found.

Someone from the sysadmin team please push 11069.adv to updates.
Comment 14 Thomas Backlund 2013-09-03 21:58:32 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0270.html

Note You need to log in before you can comment on or make changes to this bug.