Bug 11069 - roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
Summary: roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565276/
Whiteboard: has_procedure mga2too MGA3-64-OK MGA3...
Keywords: validated_update
Depends on:
Reported: 2013-08-23 18:54 CEST by David Walser
Modified: 2013-09-03 21:58 CEST (History)
5 users (show)

See Also:
Source RPM: roundcubemail
Status comment:


Description David Walser 2013-08-23 18:54:51 CEST
Upstream has released version 0.9.3:

which fixes two XSS issues.  CVEs have been requested:

I don't know if 0.7.x (Mageia 2) is affected.


Steps to Reproduce:
Comment 1 David Walser 2013-08-23 18:55:36 CEST
Oden fixed this in Cauldron this morning in roundcubemail-0.9.3-1.mga4.
Comment 2 David Walser 2013-08-23 18:56:17 CEST
Also note that there are two outstanding bug reports on this package:
Bug 9915 and Bug 9916
Comment 3 David Walser 2013-08-28 19:26:39 CEST
A CVE has been assigned for this (CVE-2013-5645):

Summary: roundcubemail new security issues fixed in 0.9.3 => roundcubemail new security issues fixed in 0.9.3 (CVE-2013-5645)

Comment 4 Oden Eriksson 2013-08-29 09:31:22 CEST
roundcubemail-0.7.4-1.2.mga2 and roundcubemail-0.9.3-1.mga3 has been submitted.

CC: (none) => oe

Comment 5 David Walser 2013-08-29 14:15:48 CEST
Has anything been done abut Bug 9915 or Bug 9916?
Comment 6 David Walser 2013-08-29 15:00:35 CEST
(In reply to David Walser from comment #5)
> Has anything been done abut Bug 9915 or Bug 9916?

Looking at the SVN commits, I see that nothing has been done on those.  Hopefully we can get those addressed at some point.

Advisory for this update to come.
Comment 7 David Walser 2013-08-29 15:04:22 CEST

Updated roundcubemail package fixes security vulnerability:

XSS vulnerabilities when saving HTML signatures and when editing a message "as
new" or draft in roundcubemail before 0.9.3 (CVE-2013-5645).


Updated packages in core/updates_testing:

from SRPMS:

CC: (none) => mageia
Assignee: mageia => qa-bugs

Comment 8 claire robinson 2013-08-29 19:49:52 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9640#c5

Whiteboard: (none) => has_procedure

Comment 9 David Walser 2013-08-29 21:07:00 CEST
Fedora has issued an advisory for this on August 23:

URL: (none) => http://lwn.net/Vulnerabilities/565276/

Dave Hodgins 2013-08-30 01:50:52 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure mga2too

Comment 10 Dave Hodgins 2013-09-01 13:14:57 CEST
Advisory 11069.adv uploaded to svn.

I'll test this shortly.
Comment 11 Dave Hodgins 2013-09-01 16:38:30 CEST
I can't recreate the poc in Mageia 2.
Any point in pushing the update for it?

In Mageia 3, running the installer fails, when it's trying to generate
the config files with ...
main.inc.php:  NOT OK(Unable to read file. Did you create the config files?)
db.inc.php:  NOT OK(Unable to read file. Did you create the config files?)

To fix the problem, I had to run ...
ln -s /etc/roundcubemail/ /usr/share/roundcubemail/config

In Mageia 3, the poc works.

To create it, Select the Settings/Identities, and select the user, then paste
test<b onmouseover="alert(document.cookie)">asd</b>

into the signature field. Once it's saved, hovering the mouse over the asd part
shows the problem.

I'll test the update on Mageia 3 shortly.
Comment 12 Dave Hodgins 2013-09-02 01:21:43 CEST
Testing complete on Mageia 3 x86_64

I've also added a comment to bug 9915 about the symlink problem.

Whiteboard: has_procedure mga2too => has_procedure mga2too MGA3-64-OK MGA3-32-OK

Comment 13 Dave Hodgins 2013-09-02 02:04:16 CEST
Testing complete on Mageia 2 i586 and x86_64.

Although no change noticed, as the poc doesn't work on Mageia 2, no
regressions found.

Someone from the sysadmin team please push 11069.adv to updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2too MGA3-64-OK MGA3-32-OK => has_procedure mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 14 Thomas Backlund 2013-09-03 21:58:32 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.