[Pkg-roundcube-maintainers] Bug#685475: roundcube: CVE-2012-3508
Moritz Muehlenhoff
jmm at inutil.org
Tue Aug 21 05:51:42 UTC 2012
Package: roundcube
Severity: grave
Tags: security
Justification: user security hole
This was reported on the oss-sec mailing list:
Cheers,
Moritz
--
> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?
Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).
--
More information about the Pkg-roundcube-maintainers
mailing list