[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u3 and 1.3.10+dfsg.1-1~deb10u1

Guilhem Moulin guilhem at debian.org
Wed Apr 29 23:36:11 BST 2020


Dear security team,

In a recent mail roundcube webmail upstream has announced the following
security fixes:

    - Cross-Site Scripting (XSS) via malicious HTML content
    - CSRF attack can cause an authenticated user to be logged out
      https://github.com/roundcube/roundcubemail/pull/7302

(Plus two more that are irrelevant for Debian.)
http://lists.roundcube.net/pipermail/announce/2020-April/thread.html

Unfortunately upstream didn't assign CVEs (yet?), however the issues are
respectively tracked in our BTS as #959140 and #959142.

For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u4 with the attached
debdiff.

The package in buster is currently following the 1.3 branch so I guess
it'd make sense to upload 1.3.11+dfsg.1-1~deb10u1 to the upcoming Debian
10.4 and skip buster-security.  I suppose the second debdiff is beyond
the scope of buster-security, but if you disagree I'd be happy to change
the target and upload there instead of buster-pu.

Both versions have been tested.

Cheers,
-- 
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog               |   10 ++++++++++
 patches/bug959140.patch |   22 ++++++++++++++++++++++
 patches/bug959142.patch |   41 +++++++++++++++++++++++++++++++++++++++++
 patches/series          |    2 ++
 4 files changed, 75 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2018-11-24 04:36:11.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2020-04-29 23:42:35.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high
+
+  * Backport security fixes from 1.2.10:
+    - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages
+      (Closes: #959140)
+    - CSRF attack can cause an authenticated user to be logged out
+      (Closes: #959142)
+
+ -- Guilhem Moulin <guilhem at debian.org>  Wed, 29 Apr 2020 23:42:35 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high
 
   * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch	2020-04-29 23:42:35.000000000 +0200
@@ -0,0 +1,22 @@
+commit 4312dc4efecb9553fcacfab0ab9d9ee6e88477e7
+Author: Aleksander Machniak <alec at alec.pl>
+Date:   Sun Apr 26 07:59:47 2020 +0200
+
+    Fix XSS issue in handling of CDATA in HTML messages
+
+---
+ program/lib/Roundcube/rcube_washtml.php |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -469,9 +469,6 @@ class rcube_washtml
+                 break;
+ 
+             case XML_CDATA_SECTION_NODE:
+-                $dump .= $node->nodeValue;
+-                break;
+-
+             case XML_TEXT_NODE:
+                 $dump .= htmlspecialchars($node->nodeValue);
+                 break;
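Review bot: the new patch file carries only the git commit header and no DEP-3 `Bug-Debian:` (or `Origin:`) field, so the link to #959140 lives only in the file name; adding `Bug-Debian: https://bugs.debian.org/959140` above the `---` line would make the provenance machine-readable. On the change itself, dropping the `XML_CDATA_SECTION_NODE` body makes that case fall through into `XML_TEXT_NODE`, so CDATA content now goes through `htmlspecialchars()` like ordinary text instead of being copied verbatim; a short comment marking the fall-through as intentional would stop a future cleanup from "fixing" it.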
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch	2020-04-29 23:42:35.000000000 +0200
@@ -0,0 +1,41 @@
+commit cceeff2472c00acb2c6b96c9df7a289f1db77713
+Author: Aleksander Machniak <alec at alec.pl>
+Date:   Sun Apr 26 08:03:59 2020 +0200
+
+    Fix CSRF bypass that could be used to log out an authenticated user (#7302)
+
+---
+ index.php |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/index.php
++++ b/index.php
+@@ -93,7 +93,9 @@ if ($RCMAIL->task == 'login' && $RCMAIL-
+     $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();
+ 
+     // purge the session in case of new login when a session already exists
+-    $RCMAIL->kill_session();
++    if ($request_valid) {
++        $RCMAIL->kill_session();
++    }
+ 
+     $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
+         'host' => $RCMAIL->autoselect_host(),
+@@ -168,13 +170,15 @@ if ($RCMAIL->task == 'login' && $RCMAIL-
+         $RCMAIL->plugins->exec_hook('login_failed', array(
+             'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
+ 
+-        $RCMAIL->kill_session();
++        if (!isset($_SESSION['user_id'])) {
++            $RCMAIL->kill_session();
++        }
+     }
+ }
+ 
+ // end session
+ else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
+-    $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
++    $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
+ 
+     $userdata = array(
+         'user' => $_SESSION['username'],
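Review bot: the `if ($request_valid)` guard in the first sub-hunk relies on `$request_valid` having been computed from `$_SESSION['temp'] && $RCMAIL->check_request()`, and the context line at the top of the hunk shows that assignment sits directly above it in 1.2.3, so the backport is in scope. The third sub-hunk also drops the stray `$mode =` assignment inside the argument list while widening the logout token check to `INPUT_GET | INPUT_POST`; both are fine, but as with the other patch a `Bug-Debian:` DEP-3 header is missing here.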
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2018-11-24 04:36:11.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2020-04-29 23:42:35.000000000 +0200
@@ -16,3 +16,5 @@
 CVE-2018-9846.patch
 CVE-2018-1000071.patch
 CVE-2018-19206.patch
+bug959140.patch
+bug959142.patch
-------------- next part --------------
diffstat for roundcube-1.3.10+dfsg.1 roundcube-1.3.11+dfsg.1

 .travis.yml                                                                        |    4 ++
 CHANGELOG                                                                          |   12 +++++++
 bin/install-jsdeps.sh                                                              |    2 -
 debian/changelog                                                                   |   10 ++++++
 debian/patches/correct_install_path.patch                                          |    2 -
 debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch |    2 -
 index.php                                                                          |   12 +++++--
 installer/index.php                                                                |    2 -
 plugins/enigma/lib/enigma_mime_message.php                                         |   11 +++++-
 program/include/iniset.php                                                         |    2 -
 program/include/rcmail_install.php                                                 |    2 -
 program/lib/Roundcube/bootstrap.php                                                |    2 -
 program/lib/Roundcube/html.php                                                     |    4 ++
 program/lib/Roundcube/rcube_image.php                                              |    8 +++--
 program/lib/Roundcube/rcube_imap.php                                               |    3 -
 program/lib/Roundcube/rcube_ldap_generic.php                                       |    2 -
 program/lib/Roundcube/rcube_plugin_api.php                                         |   16 ++++++++++
 program/lib/Roundcube/rcube_session_redis.php                                      |    4 +-
 program/lib/Roundcube/rcube_washtml.php                                            |    3 -
 program/steps/mail/sendmail.inc                                                    |    2 -
 public_html/index.php                                                              |    2 -
 public_html/plugins/enigma/lib/enigma_mime_message.php                             |   11 +++++-
 22 files changed, 88 insertions(+), 30 deletions(-)

diff -Nru roundcube-1.3.10+dfsg.1/bin/install-jsdeps.sh roundcube-1.3.11+dfsg.1/bin/install-jsdeps.sh
--- roundcube-1.3.10+dfsg.1/bin/install-jsdeps.sh	2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/bin/install-jsdeps.sh	2020-04-26 22:20:25.000000000 +0200
@@ -195,7 +195,7 @@
 
   $destdir = INSTALL_PATH . $package['dest'];
   if (!is_dir($destdir)) {
-    mkdir($destdir, 0774, true);
+    mkdir($destdir, 0775, true);
   }
 
   if (!is_writeable($destdir)) {
diff -Nru roundcube-1.3.10+dfsg.1/CHANGELOG roundcube-1.3.11+dfsg.1/CHANGELOG
--- roundcube-1.3.10+dfsg.1/CHANGELOG	2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/CHANGELOG	2020-04-26 22:20:25.000000000 +0200
@@ -1,6 +1,18 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.3.11
+--------------
+- Enigma: Fix compatibility with Mail_Mime >= 1.10.5
+- Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
+- Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
+- Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
+- Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
+- Security: Fix XSS issue in handling of CDATA in HTML messages
+- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
+- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
+- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
+
 RELEASE 1.3.10
 --------------
 - Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
diff -Nru roundcube-1.3.10+dfsg.1/debian/changelog roundcube-1.3.11+dfsg.1/debian/changelog
--- roundcube-1.3.10+dfsg.1/debian/changelog	2019-12-24 20:45:55.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/changelog	2020-04-29 23:08:38.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.3.11+dfsg.1-1~deb10u1) buster; urgency=high
+
+  * New security upstream release, with fixes for:
+    - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages
+      (Closes: #959140)
+    - CSRF attack can cause an authenticated user to be logged out
+      (Closes: #959142)
+
+ -- Guilhem Moulin <guilhem at debian.org>  Wed, 29 Apr 2020 23:08:38 +0200
+
 roundcube (1.3.10+dfsg.1-1~deb10u1) buster; urgency=medium
 
   * d/control: revert bump of Standards-Version, as we want to release to
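Review bot: the entry names only the XSS and CSRF fixes, but the upstream CHANGELOG in this same upload also records two further security items (the `escapeshellcmd()` wrapping of the `im_convert_path`/`im_identify_path` commands and plugin-name validation against path traversal). The cover mail considers those irrelevant for Debian, but since they ship in this upload anyway, one changelog line acknowledging them would help anyone auditing the diff against upstream's release notes.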
diff -Nru roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch roundcube-1.3.11+dfsg.1/debian/patches/correct_install_path.patch
--- roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch	2019-12-18 01:11:49.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/patches/correct_install_path.patch	2020-04-29 23:08:38.000000000 +0200
@@ -6,7 +6,7 @@
 
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
-@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.9');
+@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.11');
  define('RCMAIL_START', microtime(true));
  
  if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.10+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch roundcube-1.3.11+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch
--- roundcube-1.3.10+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch	2019-12-18 01:11:49.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch	2020-04-29 23:08:38.000000000 +0200
@@ -102,7 +102,7 @@
 +
    $destdir = INSTALL_PATH . $package['dest'];
    if (!is_dir($destdir)) {
-     mkdir($destdir, 0774, true);
+     mkdir($destdir, 0775, true);
 @@ -295,9 +309,14 @@ function delete_destfile($package)
  
  //////////////// Execution
diff -Nru roundcube-1.3.10+dfsg.1/index.php roundcube-1.3.11+dfsg.1/index.php
--- roundcube-1.3.10+dfsg.1/index.php	2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/index.php	2020-04-26 22:20:25.000000000 +0200
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.3.10                                                          |
+ | Version 1.3.11                                                          |
  |                                                                         |
  | Copyright (C) 2005-2019, The Roundcube Dev Team                         |
  |                                                                         |
@@ -106,7 +106,9 @@
     $pass_charset  = $RCMAIL->config->get('password_charset', 'ISO-8859-1');
 
     // purge the session in case of new login when a session already exists
-    $RCMAIL->kill_session();
+    if ($request_valid) {
+        $RCMAIL->kill_session();
+    }
 
     $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
             'host'  => $RCMAIL->autoselect_host(),
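Review bot: `$request_valid` is referenced by the new guard but is not assigned anywhere in this hunk's context (the visible lines only set `$pass_charset`), unlike the 1.2.3 backport where the assignment is the line directly above; worth confirming it is still computed before line 106 in 1.3.11, because an undefined variable would be falsy and `kill_session()` would then never run on a legitimate re-login.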
@@ -180,13 +182,15 @@
         $RCMAIL->plugins->exec_hook('login_failed', array(
             'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
 
-        $RCMAIL->kill_session();
+        if (!isset($_SESSION['user_id'])) {
+            $RCMAIL->kill_session();
+        }
     }
 }
 
 // end session
 else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
-    $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
+    $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
 
     $userdata = array(
         'user' => $_SESSION['username'],
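Review bot: the `!isset($_SESSION['user_id'])` guard in the `login_failed` branch deserves a one-line comment: it keeps an existing authenticated session alive when a forged login attempt fails, which is the logout-by-CSRF path the upstream commit message describes, and without that explanation a later cleanup could fold it back into an unconditional `kill_session()`. The logout change is correct as written: the old call assigned `rcube_utils::INPUT_GET` to a throwaway `$mode` variable inside the argument list, and `INPUT_GET | INPUT_POST` makes the token check cover both request methods.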
diff -Nru roundcube-1.3.10+dfsg.1/installer/index.php roundcube-1.3.11+dfsg.1/installer/index.php
--- roundcube-1.3.10+dfsg.1/installer/index.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/installer/index.php	2020-04-26 22:20:26.000000000 +0200
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.3.10                                                          |
+ | Version 1.3.11                                                          |
  |                                                                         |
  | Copyright (C) 2009-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_mime_message.php roundcube-1.3.11+dfsg.1/plugins/enigma/lib/enigma_mime_message.php
--- roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_mime_message.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/plugins/enigma/lib/enigma_mime_message.php	2020-04-26 22:20:25.000000000 +0200
@@ -243,8 +243,6 @@
             }
 
             $this->headers = array_merge($this->headers, $headers);
-
-            return;
         }
         else {
             $output = $message->encode($boundary, $skip_head);
@@ -254,9 +252,16 @@
             }
 
             $this->headers = array_merge($this->headers, $output['headers']);
+        }
 
-            return $output['body'];
+        // remember the boundary used, in case we'd handle headers() call later
+        if (empty($boundary) && !empty($this->headers['Content-Type'])) {
+            if (preg_match('/boundary="([^"]+)/', $this->headers['Content-Type'], $m)) {
+                $this->build_params['boundary'] = $m[1];
+            }
         }
+
+        return $filename ? null : $output['body'];
     }
 
     /**
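Review bot: the fallback regex `/boundary="([^"]+)/` only matches a quoted boundary parameter; RFC 2045 also permits an unquoted token (`boundary=abc123`), in which case `build_params['boundary']` stays unset and a later `headers()` call would not see it. A pattern such as `/boundary="?([^";\s]+)/` covers both forms with the same `$m[1]`. Also, `$output` is assigned only in the `else` branch, so `return $filename ? null : $output['body']` is safe only as long as `$filename` is truthy exactly when the first branch ran; a brief comment stating that invariant would help.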
diff -Nru roundcube-1.3.10+dfsg.1/program/include/iniset.php roundcube-1.3.11+dfsg.1/program/include/iniset.php
--- roundcube-1.3.10+dfsg.1/program/include/iniset.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/include/iniset.php	2020-04-26 22:20:26.000000000 +0200
@@ -21,7 +21,7 @@
 */
 
 // application constants
-define('RCMAIL_VERSION', '1.3.10');
+define('RCMAIL_VERSION', '1.3.11');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php roundcube-1.3.11+dfsg.1/program/include/rcmail_install.php
--- roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/include/rcmail_install.php	2020-04-26 22:20:26.000000000 +0200
@@ -218,7 +218,7 @@
             else if ($prop == 'db_dsnw' && !empty($_POST['_dbtype'])) {
                 if ($_POST['_dbtype'] == 'sqlite') {
                     $value = sprintf('%s://%s?mode=0646', $_POST['_dbtype'],
-                        $_POST['_dbname']{0} == '/' ? '/' . $_POST['_dbname'] : $_POST['_dbname']);
+                        $_POST['_dbname'][0] == '/' ? '/' . $_POST['_dbname'] : $_POST['_dbname']);
                 }
                 else if ($_POST['_dbtype']) {
                     $value = sprintf('%s://%s:%s@%s/%s', $_POST['_dbtype'],
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-04-26 22:20:26.000000000 +0200
@@ -53,7 +53,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.3.10');
+define('RCUBE_VERSION', '1.3.11');
 define('RCUBE_CHARSET', 'UTF-8');
 
 if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/html.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/html.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/html.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/html.php	2020-04-26 22:20:26.000000000 +0200
@@ -751,6 +751,10 @@
         $cell->attrib  = $attr;
         $cell->content = $cont;
 
+        if (!isset($this->rows[$this->rowindex])) {
+            $this->rows[$this->rowindex] = new stdClass;
+        }
+
         $this->rows[$this->rowindex]->cells[$this->colindex] = $cell;
         $this->colindex += max(1, intval($attr['colspan']));
 
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php	2020-04-26 22:20:26.000000000 +0200
@@ -159,7 +159,8 @@
                             'size'    => $width . 'x' . $height,
                         );
 
-                        $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
+                        $result = rcube::exec(escapeshellcmd($convert)
+                            . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
                             . ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
                     }
                     // use PHP's Imagick class
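Review bot: `escapeshellcmd()` neutralises shell metacharacters in the configured `im_convert_path`, which addresses the crafted-setting code execution noted in the CHANGELOG, but it does not quote, so a binary path containing spaces is still split into separate words by the shell; `escapeshellarg()` on the path would be stricter if the setting is meant to hold a single executable. The same applies to the second `$convert` hunk and to the `im_identify_path` hunk further down in this file.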
@@ -324,7 +325,8 @@
             $p['out']  = $filename;
             $p['type'] = self::$extensions[$type];
 
-            $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+            $result = rcube::exec(escapeshellcmd($convert)
+                . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
 
             if ($result === '') {
                 chmod($filename, 0600);
@@ -418,7 +420,7 @@
         // use ImageMagick in command line
         if ($cmd = $rcube->config->get('im_identify_path')) {
             $args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
-            $id   = rcube::exec($cmd. ' 2>/dev/null -format {format} {in}', $args);
+            $id   = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
 
             if ($id) {
                 return explode(' ', strtolower($id));
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_imap.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_imap.php	2020-04-26 22:20:26.000000000 +0200
@@ -2135,8 +2135,7 @@
 
         // get part ID
         if (!empty($part[3])) {
-            $struct->content_id = $part[3];
-            $struct->headers['content-id'] = $part[3];
+            $struct->content_id = $struct->headers['content-id'] = trim($part[3]);
 
             if (empty($struct->disposition)) {
                 $struct->disposition = 'inline';
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php	2020-04-26 22:20:26.000000000 +0200
@@ -70,7 +70,7 @@
             }
             break;
 
-        case LOG_EMERGE:
+        case LOG_EMERG:
         case LOG_ALERT:
         case LOG_CRIT:
             rcube::raise_error($msg, true, true);
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php	2020-04-26 22:20:26.000000000 +0200
@@ -163,6 +163,14 @@
             $plugins_dir = unslashify($dir->path);
         }
 
+        // Validate the plugin name to prevent from path traversal
+        if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+            rcube::raise_error(array('code' => 520,
+                    'file' => __FILE__, 'line' => __LINE__,
+                    'message' => "Invalid plugin name: $plugin_name"), true, false);
+            return false;
+        }
+
         // plugin already loaded?
         if (!$this->plugins[$plugin_name]) {
             $fn = "$plugins_dir/$plugin_name/$plugin_name.php";
@@ -282,6 +290,14 @@
         $fn   = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";
         $info = false;
 
+        // Validate the plugin name to prevent from path traversal
+        if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+            rcube::raise_error(array('code' => 520,
+                    'file' => __FILE__, 'line' => __LINE__,
+                    'message' => "Invalid plugin name: $plugin_name"), true, false);
+            return false;
+        }
+
         if (!class_exists($plugin_name, false)) {
             if (is_readable($fn)) {
                 include($fn);
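Review bot: in the second hunk the validation runs after `$fn` has already been built from the unvalidated `$plugin_name`; that is harmless because the function returns before `$fn` is used, but moving the check above the assignment would read more clearly. The character class `[^a-zA-Z0-9_-]` rejects `/`, `\` and `.`, so both `../` traversal and absolute paths are blocked; since the identical block now appears twice, a small private helper would keep the two call sites from diverging.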
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_session_redis.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_session_redis.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_session_redis.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_session_redis.php	2020-04-26 22:20:26.000000000 +0200
@@ -72,7 +72,7 @@
             $port = ($port !== null) ? $port : 6379;
             $database = ($database !== null) ? $database : 0;
 
-            if ($this->redis->connect($host, $port) === false) {
+            if ($this->redis->connect($host, (int) $port) === false) {
                 rcube::raise_error(
                     array(
                         'code' => 604,
@@ -100,7 +100,7 @@
                 );
             }
 
-            if ($database != 0 && $this->redis->select($database) === false) {
+            if ($database && $this->redis->select($database) === false) {
                 rcube::raise_error(
                     array(
                         'code' => 604,
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_washtml.php	2020-04-26 22:20:26.000000000 +0200
@@ -497,9 +497,6 @@
                 break;
 
             case XML_CDATA_SECTION_NODE:
-                $dump .= $node->nodeValue;
-                break;
-
             case XML_TEXT_NODE:
                 $dump .= htmlspecialchars($node->nodeValue);
                 break;
diff -Nru roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc roundcube-1.3.11+dfsg.1/program/steps/mail/sendmail.inc
--- roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/steps/mail/sendmail.inc	2020-04-26 22:20:26.000000000 +0200
@@ -354,7 +354,7 @@
         unset($COMPOSE['attachments'][$idx]);
     }
 
-    $COMPOSE['attachments'] = array_merge(array_filter($files), $COMPOSE['attachments']);
+    $COMPOSE['attachments'] = array_merge(array_filter($files), (array) $COMPOSE['attachments']);
 }
 
 // set line length for body wrapping
diff -Nru roundcube-1.3.10+dfsg.1/public_html/index.php roundcube-1.3.11+dfsg.1/public_html/index.php
--- roundcube-1.3.10+dfsg.1/public_html/index.php	2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/public_html/index.php	2020-04-26 22:20:25.000000000 +0200
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.3.10                                                        |
+ | Version 1.3.11                                                        |
  |                                                                       |
  | Copyright (C) 2005-2017, The Roundcube Dev Team                       |
  |                                                                       |
diff -Nru roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php roundcube-1.3.11+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php
--- roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php	2020-04-26 22:20:25.000000000 +0200
@@ -243,8 +243,6 @@
             }
 
             $this->headers = array_merge($this->headers, $headers);
-
-            return;
         }
         else {
             $output = $message->encode($boundary, $skip_head);
@@ -254,9 +252,16 @@
             }
 
             $this->headers = array_merge($this->headers, $output['headers']);
+        }
 
-            return $output['body'];
+        // remember the boundary used, in case we'd handle headers() call later
+        if (empty($boundary) && !empty($this->headers['Content-Type'])) {
+            if (preg_match('/boundary="([^"]+)/', $this->headers['Content-Type'], $m)) {
+                $this->build_params['boundary'] = $m[1];
+            }
         }
+
+        return $filename ? null : $output['body'];
     }
 
     /**
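Review bot: this is a byte-for-byte duplicate of the `plugins/enigma/lib/enigma_mime_message.php` hunk above, so the same remark about the quoted-only `boundary=` regex applies; if `public_html/` mirrors the source tree the duplication is expected, but it is worth checking that both copies stay in sync on future refreshes.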
diff -Nru roundcube-1.3.10+dfsg.1/.travis.yml roundcube-1.3.11+dfsg.1/.travis.yml
--- roundcube-1.3.10+dfsg.1/.travis.yml	2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/.travis.yml	2020-04-26 22:20:26.000000000 +0200
@@ -2,6 +2,8 @@
 
 sudo: false
 
+dist: trusty
+
 matrix:
   fast_finish: true
   include:
@@ -10,6 +12,8 @@
     - php: 5.6
     - php: 7.0
     - php: 7.1
+    - php: 7.2
+    - php: 7.3
       env: CODE_COVERAGE=1
 
 cache: