Bug 28387 - roundcubemail security issue CVE-2021-26925
Summary: roundcubemail security issue CVE-2021-26925
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-20 10:14 CET by Zombie Ryushu
Modified: 2021-03-12 02:27 CET
5 users

See Also:
Source RPM: roundcubemail-1.4.10-1.mga8.src.rpm
CVE: CVE-2021-26925
Status comment:


Attachments

Description Zombie Ryushu 2021-02-20 10:14:35 CET
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Zombie Ryushu 2021-02-20 10:14:47 CET

CVE: (none) => CVE-2021-26925

Comment 1 Aurelien Oudelet 2021-02-20 13:16:31 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)


Fedora has issued an advisory for this on February 17th 2021:
for fedora 32
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/

for fedora 33
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/

Upstream security advisory here:
https://roundcube.net/news/2021/02/08/security-update-1.4.11

Status comment: (none) => Fix here: https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => ouaurelien
Assignee: bugsquad => mageia

David Walser 2021-02-20 18:45:26 CET

Severity: normal => major
Status comment: Fix here: https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 => Fixed upstream in 1.4.11

Comment 2 Marc Krämer 2021-02-21 11:16:22 CET
Currently there is no new release for the 1.3 branch. I don't see why we should still support the old 1.3 branch and not switch to the 1.4 branch in mga7.

An update for mga8 is currently building and located in updates_testing.
Comment 3 Marc Krämer 2021-02-22 20:51:38 CET
Updated roundcube packages fix security vulnerabilities:

This update fixes cross-site scripting (XSS) via HTML messages with malicious CSS content.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26925
https://roundcube.net/news/2021/02/08/security-update-1.4.11
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.4.11-1.mga7.noarch.rpm
roundcubemail-1.4.11-1.mga8.noarch.rpm

SRPM:
roundcubemail-1.4.11-1.mga7.src.rpm
roundcubemail-1.4.11-1.mga8.src.rpm

Assignee: mageia => qa-bugs
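A defender-side check for the package levels listed above, added here as an example and not part of this bug or of the Mageia packages: it parses the name-version-release string that `rpm -q roundcubemail` prints and compares it against the fixed level (upstream 1.4.11; roundcubemail-1.4.11-1.mga7 for Mageia 7) using a simplified version of rpm's segment-wise version comparison. The tilde and caret rules of the real rpmvercmp are omitted, and the sample lines at the bottom are constructed, not captured from a system.

```python
import re

# Fixed level taken from this bug (Comment 3) and the upstream advisory.
UPSTREAM_FIXED_VERSION = "1.4.11"
FIXED_RELEASE = {"mga7": "1"}  # mga8 was later handled in a separate bug

_NVR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>[^-]+)-(?P<rel>[^-]+?)\.(?P<dist>mga\d+)$")

def _segments(s):
    """Split into numeric and alphabetic runs; separators such as '.' are ignored."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare as integers, alphabetic ones lexically,
    a numeric segment beats an alphabetic one, and when one string
    runs out of segments the longer one is considered newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0

def parse_nvr(nvr):
    """'roundcubemail-1.4.11-1.mga7' -> ('roundcubemail', '1.4.11', '1', 'mga7')"""
    m = _NVR_RE.match(nvr)
    if not m:
        raise ValueError("not a name-version-release.mgaN string: " + nvr)
    return m.group("name", "ver", "rel", "dist")

def is_vulnerable(nvr):
    """True when the installed package is below the fixed level for CVE-2021-26925."""
    name, ver, rel, dist = parse_nvr(nvr)
    if name != "roundcubemail":
        raise ValueError("expected a roundcubemail package, got " + name)
    c = rpmvercmp(ver, UPSTREAM_FIXED_VERSION)
    if c == 0 and dist in FIXED_RELEASE:   # same upstream version: compare the Mageia release
        c = rpmvercmp(rel, FIXED_RELEASE[dist])
    return c < 0

if __name__ == "__main__":
    # Constructed sample lines standing in for `rpm -q roundcubemail` output.
    for line in ["roundcubemail-1.4.10-1.mga8", "roundcubemail-1.4.11-1.mga7"]:
        print(line, "VULNERABLE" if is_vulnerable(line) else "fixed")
```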

Aurelien Oudelet 2021-02-24 10:45:37 CET

Version: Cauldron => 8

Comment 4 PC LX 2021-02-25 16:27:56 CET
Installed and tested without issues.

This update has been in use for a few days.
Tested on a system with apache, php-fpm, mariadb and dovecot. 
Tested with several accounts with many thousands of emails and hundreds of folders.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.14-desktop-1.mga7 #1 SMP Sun Feb 7 19:36:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q roundcubemail
roundcubemail-1.4.11-1.mga7
$ systemctl status httpd.service php-fpm.service dovecot.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 09:44:34 WET; 5h 40min ago
 Main PID: 2608 (httpd)
   Status: "Total requests: 569; Idle/Busy workers 100/0;Requests/sec: 0.0278; Bytes served/sec: 294 B/sec"
    Tasks: 66 (limit: 4668)
   Memory: 34.8M
   CGroup: /system.slice/httpd.service
           ├─2608 /usr/sbin/httpd -DFOREGROUND
           ├─2609 /usr/sbin/httpd -DFOREGROUND
           └─2610 /usr/sbin/httpd -DFOREGROUND

fev 25 09:44:34 marte systemd[1]: Starting The Apache HTTP Server...
fev 25 09:44:34 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 14:50:21 WET; 35min ago
 Main PID: 28603 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 115, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4668)
   Memory: 46.8M
   CGroup: /system.slice/php-fpm.service
           ├─28603 php-fpm: master process (/etc/php-fpm.conf)
           ├─28839 php-fpm: pool www
           └─28903 php-fpm: pool www

fev 25 14:50:21 marte systemd[1]: Starting The PHP FastCGI Process Manager...
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] fpm is running, pid 28603
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] ready to handle connections
fev 25 14:50:21 marte systemd[1]: Started The PHP FastCGI Process Manager.
fev 25 14:50:21 marte php-fpm[28603]: [NOTICE] systemd monitor interval set to 10000ms
fev 25 14:50:26 marte phpMyAdmin[28635]: user denied: root (mysql-denied) from ::1

● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-02-25 09:41:20 WET; 5h 44min ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 2464 (dovecot)
    Tasks: 9 (limit: 4668)
   Memory: 21.4M
   CGroup: /system.slice/dovecot.service
           ├─ 2464 /usr/sbin/dovecot -F
           ├─ 2466 dovecot/anvil
           ├─ 2467 dovecot/log
           ├─ 2469 dovecot/config
           ├─ 2470 dovecot/stats
           ├─23408 dovecot/imap-login
           ├─23410 dovecot/imap
           ├─29670 dovecot/auth
           └─29671 dovecot/auth -w

fev 25 15:20:53 marte dovecot[2467]: imap-login: Login: user=<pclx>, method=PLAIN, rip=fd00::1, lip=fd00::1, mpid=29821, secured, session=<sQuJsiq8loX9AAAAAAAAAAAAAAAAAAAB>

CC: (none) => mageia
Whiteboard: MGA7TOO MGA8TOO => MGA7TOO MGA8TOO MGA7-64-OK

Comment 5 David Walser 2021-02-25 16:36:50 CET
The Mageia 8 update probably needs to be re-pushed if updates_testing was wiped as usual.

Status comment: Fixed upstream in 1.4.11 => (none)
Whiteboard: MGA7TOO MGA8TOO MGA7-64-OK => MGA7TOO MGA7-64-OK

Comment 6 Thomas Andrews 2021-03-06 19:59:15 CET
I was going to pass this along for mga8 on the basis of a clean install, but according to qarepo roundcubemail 1.4.11-1 is no longer in mga8 updates_testing. It has been replaced by a 1.5 beta version. 

No doubt there is another mga8 bug, not yet ready for QA, but in the meantime what do we do with this one and mga7?

CC: (none) => andrewsfarm

Comment 7 Morgan Leijström 2021-03-06 20:14:50 CET
I read upstream that only the beta supports PHP 8, so the beta is needed for Mga8.

CC: (none) => fri

David Walser 2021-03-06 20:36:07 CET

Whiteboard: MGA7TOO MGA7-64-OK => MGA7-64-OK
Version: 8 => 7

Comment 8 Thomas Andrews 2021-03-06 21:12:09 CET
Validating. Advisory information in Comment 3.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Morgan Leijström 2021-03-06 21:23:06 CET
For mga8: Bug 28533 - Roundcubemail: PHP 8 issues

@Thomas A, is this something you can test?
Comment 10 Thomas Andrews 2021-03-06 22:51:42 CET
(In reply to Morgan Leijström from comment #9)
> For mga8: Bug 28533 - Roundcubemail: PHP 8 issues
> 
> @Thomas A, is this something you can test?

No. I'm not competent with roundcubemail at all, beyond checking for a clean install. That's all I was going to do here.
Comment 11 Aurelien Oudelet 2021-03-07 17:32:37 CET
Advisory committed to SVN.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2021-03-12 02:27:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0130.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

