[Pkg-roundcube-maintainers] Bug#685475: roundcube: CVE-2012-3508

Vincent Bernat bernat at debian.org
Sun Aug 26 12:34:30 UTC 2012


 ❦ 21 August 2012 07:51 CEST, Moritz Muehlenhoff <jmm at inutil.org>:

> Package: roundcube
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was reported on the oss-sec mailing list:
>
> Cheers,
>         Moritz
> --
>
>> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>>
>> Upon code review it doesn't seem to affect rcmail we ship in Fedora /
>> EPEL -> haven't filed RH bug for it. Could you double-check and
>> confirm that?
>>
>> Issue 2b: Self XSS in e-mail body (Signature). Ticket:
>> http://trac.roundcube.net/ticket/1488613 Upstream patch:
>> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>>
>> The 'program/js/app.js' rcube_webmail() upstream change from the
>> patch above seems to be applicable to Fedora / EPEL rcmail
>> versions. Thus I have filed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>>
>> to track this. But not sure whole 'Self XSS in e-mail body
>> (Signature).' upstream patch would apply with its logic to 0.7.x
>> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>>
>> Therefore this needs review by someone more familiar with
>> rcube_webmail() routine code to decide whether to apply that patch
>> or not. Could you do that?
>
> Please use CVE-2012-3508 for these two issues (same version, same type
> of vuln so cve merge).

Hi Moritz!

The version currently in stable (0.3) is not affected by either of the
bugs (I was unable to reproduce them). The version in testing is
affected by the latter bug but not by the first. I am doing an upload
about it shortly.
-- 
panic("bad_user_access_length executed (not cool, dude)");
        2.0.38 /usr/src/linux/kernel/panic.c