[Pkg-roundcube-maintainers] Bug#685475: roundcube: CVE-2012-3508

Moritz Muehlenhoff jmm at inutil.org
Tue Aug 21 05:51:42 UTC 2012

Package: roundcube
Severity: grave
Tags: security
Justification: user security hole

This was reported on the oss-sec mailing list:


> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?
> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).
