Bug 32493 - Roundcubemail fix xss
Summary: Roundcubemail fix xss
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 32450
Depends on:
Blocks:
 
Reported: 2023-11-05 11:31 CET by Marc Krämer
Modified: 2023-12-01 13:56 CET
CC List: 4 users

See Also:
Source RPM: roundcubemail
CVE: CVE-2023-5631, CVE-2023-47272
Status comment:


Comment 1 Marc Krämer 2023-11-05 11:35:54 CET
Updated roundcubemail packages fix a security vulnerability:

- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

Some other errors have been fixed:
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters
- Fix PHP warnings
- Fix UI issue when dealing with an invalid managesieve_default_headers value
- Fix bug where images attached to application/smil messages weren't displayed
- Fix PHP string replacement error in utils/error.php
- Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder

References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.5
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.6.5-1.mga10.noarch.rpm

SRPM:
roundcubemail-1.6.5-1.mga10.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Marja Van Waes 2023-11-05 13:27:37 CET
(In reply to Marc Krämer from comment #1)

> ========================
> 
> Updated packages in core/updates_testing:
> ========================
> roundcubemail-1.6.5-1.mga10.noarch.rpm
> 
> SRPM:
> roundcubemail-1.6.5-1.mga10.src.rpm

s/mga10/mga9/

I think the advisory needs to be merged with the one from roundcubemail-1.6.4-1.mga9 in bug 32450, because that is still waiting for testers and the packages are no longer available in updates_testing.


I didn't find a CVE for 

- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

CC: (none) => marja11

Marja Van Waes 2023-11-05 13:27:51 CET

Blocks: (none) => 32450

Comment 3 Marc Krämer 2023-11-05 19:07:52 CET
@Marja
- XSS: me neither - but it was mentioned in the release notes. Maybe it comes later.
- mga10: bad mistake, but the package in mga9 is the same; I hit the wrong build for copying.
Comment 4 Marja Van Waes 2023-11-05 22:50:41 CET
Merged the advisories from this and the previous roundcubemail update request (bug 32450) and closing that old request:


Updated roundcubemail package fixes security vulnerabilities:

- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. (CVE-2023-5631)


Some other errors have been fixed:
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters
- Fix PHP warnings
- Fix UI issue when dealing with an invalid managesieve_default_headers value
- Fix bug where images attached to application/smil messages weren't displayed
- Fix PHP string replacement error in utils/error.php
- Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder

References:
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released
https://github.com/roundcube/roundcubemail/releases/tag/1.6.5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5631
========================

Updated packages in core/updates_testing:
========================
roundcubemail-1.6.5-1.mga9.noarch.rpm

SRPM:
roundcubemail-1.6.5-1.mga9.src.rpm

CVE: (none) => CVE-2023-5631
Blocks: 32450 => (none)

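The first advisory item (Content-Type/Content-Disposition handling for attachment preview/download) and the CVE-2023-5631 item (SVG in HTML messages) are both about not letting attacker-supplied MIME metadata reach the browser unchecked. The following is an added illustration of that class of hardening, written for this bug report; it is not Roundcube's code, and the function names, the ACTIVE_TYPES list and the sample inputs are assumptions:

```python
import re
from urllib.parse import quote

# Hypothetical hardening example, not Roundcube's code: build safe
# Content-Type / Content-Disposition headers for an attachment response
# from values that ultimately come from an untrusted MIME message.

_MIME_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")

# Types a browser may render as active content (scripts, SVG, XML);
# assumed list for this example. Never serve these inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
}

def safe_content_type(mime_type: str, inline: bool) -> str:
    """Return a Content-Type value that cannot carry injected text and
    that never lets active content render inline (preview mode)."""
    mime_type = mime_type.split(";", 1)[0].strip().lower()  # drop parameters
    if not _MIME_RE.match(mime_type):
        return "application/octet-stream"
    if inline and mime_type in ACTIVE_TYPES:
        return "application/octet-stream"
    return mime_type

def safe_content_disposition(filename: str, inline: bool) -> str:
    """Return a Content-Disposition value with a sanitised ASCII fallback
    filename plus an RFC 5987 filename* parameter for non-ASCII names."""
    # Remove CR/LF and other control characters so the value cannot end
    # the header early or smuggle a second header into the response.
    cleaned = "".join(ch for ch in filename if ch >= " " and ch != "\x7f")
    cleaned = cleaned.replace("\\", "_").replace('"', "_") or "attachment"
    ascii_name = re.sub(r"[^\x20-\x7e]", "_", cleaned)
    disp = "inline" if inline else "attachment"
    value = f'{disp}; filename="{ascii_name}"'
    if ascii_name != cleaned:
        value += f"; filename*=UTF-8''{quote(cleaned, safe='')}"
    return value

def attachment_headers(mime_type: str, filename: str, preview: bool) -> dict:
    """Headers for serving one message part, either previewed or downloaded."""
    ctype = safe_content_type(mime_type, preview)
    # If the type was downgraded, force a download instead of a preview.
    inline = preview and ctype != "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": safe_content_disposition(filename, inline),
        "X-Content-Type-Options": "nosniff",
    }
```
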
Comment 5 David Walser 2023-11-05 23:54:51 CET
*** Bug 32450 has been marked as a duplicate of this bug. ***
Comment 6 Marja Van Waes 2023-11-06 22:54:02 CET
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

Comment 7 Marja Van Waes 2023-11-06 23:19:35 CET
Advisory updated with CVE-2023-47272

CVE: CVE-2023-5631 => CVE-2023-5631, CVE-2023-47272

Comment 8 Marja Van Waes 2023-11-29 21:55:17 CET
Should we ask for testers on mailing lists or in the forums?
Comment 9 Mike Rambo 2023-11-30 05:05:01 CET
I'm not a member of QA but I've set up roundcubemail in the past. I installed the old roundcubemail-1.6.1-1.mga9.noarch and jumped through the hoops to get it mostly working (everything except actually sending mails as I had no smtp set up). After it was working I installed roundcubemail-1.6.5-1.mga9.noarch.rpm from updates_testing. Everything worked exactly the same under both versions with no regressions noted. Worked pretty smoothly.

Acer Travelmate laptop x86_64 Mageia 9 with all tests done via localhost.

CC: (none) => mhrambo3501

Comment 10 Thomas Andrews 2023-11-30 20:20:45 CET
Good enough for me. Giving this an OK, and validating.

Thanks, Mike.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Mageia Robot 2023-12-01 13:56:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0332.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED