Bug 7246 - [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + patch
Summary: [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/514104/
Whiteboard: MGA2-32-OK, MGA2-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-08-29 20:57 CEST by David Walser
Modified: 2013-04-23 17:04 CEST (History)
5 users (show)

See Also:
Source RPM: roundcubemail-0.7.3-2.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-29 20:57:27 CEST
Fedora has issued an advisory on August 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html

It looks like an issue is fixed upstream in 0.7.3, and they patched another one.

More info is on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849615
David Walser 2012-08-29 20:57:45 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2012-09-10 00:28:31 CEST
Fixed in Cauldron by Damien.  Mageia 2 pending.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

David Walser 2012-09-10 22:23:25 CEST

Assignee: bugsquad => mageia

Comment 2 David Walser 2012-10-08 17:54:23 CEST
Mageia 2 update in progress.

Damien updated it to 0.7.3, now it just needs the patch:
http://pkgs.fedoraproject.org/cgit/roundcubemail.git/plain/roundcubemail-0.7.3-xss-sig.patch?h=f17&id=ac0541ca40878a5daf0fcae3457c41239b308462
Comment 3 Damien Lallement 2012-10-08 18:00:02 CEST
Advisory:
-------------
This update of roundcubemail is a bugfix and security (XSS signature) update.

Packages:
-------------
roundcubemail-0.7.3-1.mga2.src.rpm

How to test:
-------------
- Install roundcube in Mageia 2.
- Configure it.
- Install the update package and check it's still working as expected.
FYI: 
- here is the ChangeLog: http://trac.roundcube.net/wiki/Changelog#Release0.7.3
- here is the XSS patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Summary: roundcubemail new security issues fixed in 0.8.1 => [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + patch
Source RPM: roundcubemail-0.7.2-1.mga2.src.rpm => roundcubemail-0.7.3-2.mga2.src.rpm

Comment 4 David Walser 2012-10-08 18:10:52 CEST
Thanks Damien!

Just to flesh out the advisory, this fixes two CVEs:

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

Status: ASSIGNED => NEW

Comment 5 Marc Lattemann 2012-10-10 01:30:51 CEST
tested on i586 and x86_64. Could not reproduce XSS vulnerability neither in previous version of Core-Updates nor in Updates_testing.

No regression detected.

Updates validated.


Advisory
========
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

src rpm: roundcubemail-0.7.3-1.mga2.src.rpm


Could someone of sysadmin team push to Core_Updates. Thanks!

Keywords: (none) => validated_update
CC: (none) => marc.lattemann, sysadmin-bugs
Whiteboard: (none) => MGA2-32-OK, MGA2-64-OK

Comment 6 Thomas Backlund 2012-10-11 11:56:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0292

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 Oden Eriksson 2013-04-21 11:07:12 CEST
I'm confused here since CVE-2012-3508 and CVE-2012-4668 has not been fixed yet.

https://bugzilla.redhat.com/show_bug.cgi?id=849615#c7

However after researching this today, all issues has been fixed in 0.8.6.

CC: (none) => oe

Comment 8 David Walser 2013-04-23 17:04:49 CEST
That comment doesn't say it's not fixed.  I don't know why that particular bug is still open, but this bug is the Fedora tracker for those issues:
https://bugzilla.redhat.com/show_bug.cgi?id=849616

It was closed when they issued the same update that we did.

Note You need to log in before you can comment on or make changes to this bug.