Bug 7246 - [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + patch
: [Update Request] roundcubemail - Bugfix and Security issues fixed in 0.7.3 + ...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/514104/
: MGA2-32-OK, MGA2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-29 20:57 CEST by David Walser
Modified: 2013-04-23 17:04 CEST (History)
5 users (show)

See Also:
Source RPM: roundcubemail-0.7.3-2.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-08-29 20:57:27 CEST
Fedora has issued an advisory on August 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html

It looks like an issue is fixed upstream in 0.7.3, and they patched another one.

More info is on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849615
Comment 1 David Walser 2012-09-10 00:28:31 CEST
Fixed in Cauldron by Damien.  Mageia 2 pending.
Comment 2 David Walser 2012-10-08 17:54:23 CEST
Mageia 2 update in progress.

Damien updated it to 0.7.3, now it just needs the patch:
http://pkgs.fedoraproject.org/cgit/roundcubemail.git/plain/roundcubemail-0.7.3-xss-sig.patch?h=f17&id=ac0541ca40878a5daf0fcae3457c41239b308462
Comment 3 Damien Lallement 2012-10-08 18:00:02 CEST
Advisory:
-------------
This update of roundcubemail is a bugfix and security (XSS signature) update.

Packages:
-------------
roundcubemail-0.7.3-1.mga2.src.rpm

How to test:
-------------
- Install roundcube in Mageia 2.
- Configure it.
- Install the update package and check it's still working as expected.
FYI: 
- here is the ChangeLog: http://trac.roundcube.net/wiki/Changelog#Release0.7.3
- here is the XSS patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Comment 4 David Walser 2012-10-08 18:10:52 CEST
Thanks Damien!

Just to flesh out the advisory, this fixes two CVEs:

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3
Comment 5 Marc Lattemann 2012-10-10 01:30:51 CEST
tested on i586 and x86_64. Could not reproduce XSS vulnerability neither in previous version of Core-Updates nor in Updates_testing.

No regression detected.

Updates validated.


Advisory
========
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web
script or HTML by using "javascript:" in an href attribute in the body of
an HTML-formatted email (CVE-2012-3508).

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML via
the signature in an email (CVE-2012-4668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4668
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085777.html
http://trac.roundcube.net/wiki/Changelog#Release0.7.3

src rpm: roundcubemail-0.7.3-1.mga2.src.rpm


Could someone of sysadmin team push to Core_Updates. Thanks!
Comment 6 Thomas Backlund 2012-10-11 11:56:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0292
Comment 7 Oden Eriksson 2013-04-21 11:07:12 CEST
I'm confused here since CVE-2012-3508 and CVE-2012-4668 has not been fixed yet.

https://bugzilla.redhat.com/show_bug.cgi?id=849615#c7

However after researching this today, all issues has been fixed in 0.8.6.
Comment 8 David Walser 2013-04-23 17:04:49 CEST
That comment doesn't say it's not fixed.  I don't know why that particular bug is still open, but this bug is the Fedora tracker for those issues:
https://bugzilla.redhat.com/show_bug.cgi?id=849616

It was closed when they issued the same update that we did.

Note You need to log in before you can comment on or make changes to this bug.