[Pkg-roundcube-maintainers] roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content

Guilhem Moulin guilhem at debian.org
Tue Aug 11 17:29:58 BST 2020


Dear security team,

In a recent post roundcube webmail upstream has announced the following
security fix for #968216:

    Cross-site scripting (XSS) via HTML messages with malicious SVG
    or math content (CVE-2020-16145)

AFAICT CVE-2020-16145 is only about SVG not math, but the upstream
commit addresses both so I opened a single bug:
https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b

The package in buster is currently following the 1.3 branch (1.3.15
contains only the targeted fix).  Debdiff tested and attached, but
I'd appreciate it if you could take care of the DSA :-)

Thanks!
Cheers,
-- 
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.3.14+dfsg.1 roundcube-1.3.15+dfsg.1

 CHANGELOG                               |    5 ++
 debian/changelog                        |    8 ++++
 index.php                               |    2 -
 installer/index.php                     |    2 -
 program/include/iniset.php              |    2 -
 program/lib/Roundcube/bootstrap.php     |    2 -
 program/lib/Roundcube/rcube_washtml.php |   62 ++++++++++++++++++++++++++++++--
 public_html/index.php                   |    2 -
 8 files changed, 78 insertions(+), 7 deletions(-)

diff -Nru roundcube-1.3.14+dfsg.1/CHANGELOG roundcube-1.3.15+dfsg.1/CHANGELOG
--- roundcube-1.3.14+dfsg.1/CHANGELOG	2020-07-04 12:55:51.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/CHANGELOG	2020-08-10 20:58:49.000000000 +0200
@@ -1,6 +1,11 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.3.15
+--------------
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
+
 RELEASE 1.3.14
 --------------
 - Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
diff -Nru roundcube-1.3.14+dfsg.1/debian/changelog roundcube-1.3.15+dfsg.1/debian/changelog
--- roundcube-1.3.14+dfsg.1/debian/changelog	2020-07-06 16:30:57.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/debian/changelog	2020-08-11 17:44:16.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.3.15+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+  * New upstream release, with security fix for CVE-2020-16145: Cross-site
+    scripting (XSS) vulnerability via HTML messages with malicious svg or math
+    content. (Closes: #968216)
+
+ -- Guilhem Moulin <guilhem at debian.org>  Tue, 11 Aug 2020 17:44:16 +0200
+
 roundcube (1.3.14+dfsg.1-1~deb10u1) buster-security; urgency=high
 
   * New upstream release, with security fix for CVE-2020-15562: Cross-Site
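Review bot: The new debian/changelog entry files both the svg and the math XSS under CVE-2020-16145, while the upstream CHANGELOG hunk in this same debdiff attaches the CVE to the svg fix only and leaves the math fix unassigned, which also matches the cover mail ("AFAICT CVE-2020-16145 is only about SVG not math"). Suggest mirroring upstream's split in the entry, e.g. "security fix for CVE-2020-16145 (XSS via malicious svg content) and for XSS via malicious math content (no CVE)", so the security tracker does not absorb the math issue under the wrong identifier.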
diff -Nru roundcube-1.3.14+dfsg.1/index.php roundcube-1.3.15+dfsg.1/index.php
--- roundcube-1.3.14+dfsg.1/index.php	2020-07-04 12:55:51.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/index.php	2020-08-10 20:58:49.000000000 +0200
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.3.14                                                          |
+ | Version 1.3.15                                                          |
  |                                                                         |
  | Copyright (C) 2005-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.14+dfsg.1/installer/index.php roundcube-1.3.15+dfsg.1/installer/index.php
--- roundcube-1.3.14+dfsg.1/installer/index.php	2020-07-04 12:55:52.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/installer/index.php	2020-08-10 20:58:50.000000000 +0200
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.3.14                                                          |
+ | Version 1.3.15                                                          |
  |                                                                         |
  | Copyright (C) 2009-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.14+dfsg.1/program/include/iniset.php roundcube-1.3.15+dfsg.1/program/include/iniset.php
--- roundcube-1.3.14+dfsg.1/program/include/iniset.php	2020-07-04 12:55:51.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/program/include/iniset.php	2020-08-10 20:58:50.000000000 +0200
@@ -21,7 +21,7 @@
 */
 
 // application constants
-define('RCMAIL_VERSION', '1.3.14');
+define('RCMAIL_VERSION', '1.3.15');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.14+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.15+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.14+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-07-04 12:55:52.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-08-10 20:58:50.000000000 +0200
@@ -53,7 +53,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.3.14');
+define('RCUBE_VERSION', '1.3.15');
 define('RCUBE_CHARSET', 'UTF-8');
 
 if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.3.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php	2020-07-04 12:55:52.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_washtml.php	2020-08-10 20:58:50.000000000 +0200
@@ -390,7 +390,30 @@
                 return $this->config['blocked_src'];
             }
         }
-        else if (preg_match('/^data:image.+/i', $uri)) { // RFC2397
+        else if (preg_match('/^data:image\/([^,]+),(.+)$/i', $uri, $matches)) { // RFC2397
+            // svg images can be insecure, we'll sanitize them
+            if (stripos($matches[1], 'svg') !== false) {
+                $svg = $matches[2];
+
+                if (stripos($matches[1], ';base64') !== false) {
+                    $svg  = base64_decode($svg);
+                    $type = $matches[1];
+                }
+                else {
+                    $type = $matches[1] . ';base64';
+                }
+
+                $washer = new self($this->config);
+                $svg    = $washer->wash($svg);
+
+                // Invalid svg content
+                if (empty($svg)) {
+                    return null;
+                }
+
+                return 'data:image/' . $type . ',' . base64_encode($svg);
+            }
+
             return $uri;
         }
     }
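Review bot: The non-base64 branch (`$type = $matches[1] . ';base64';`) hands `$matches[2]` straight to `$washer->wash($svg)`, but RFC 2397 says a data URI without `;base64` carries percent-encoded data, so a legitimate `data:image/svg+xml,%3Csvg%20...` reaches the washer as character data rather than markup and comes back base64-encoded as something that is no longer an SVG document. Apply `rawurldecode()` to `$svg` in that branch before washing so the sanitizer sees the same markup the browser would have parsed. Two smaller points on the same hunk: `stripos($matches[1], 'svg')` matches anywhere in the media type plus parameters, which is fail-closed but deserves a comment saying so, and a one-line note that the nested `new self($this->config)` recursion terminates because each level operates on a strictly shorter payload would save the next reader a minute.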
@@ -400,7 +423,7 @@
      */
     private function is_link_attribute($tag, $attr)
     {
-        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
+        return $attr === 'href';
     }
 
     /**
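Review bot: `is_link_attribute()` now returns true for `href` on every element, which includes `image` and `use`, both of which `is_image_attribute()` also claims in the hunk below. Which predicate wins depends on the order in which `wash_attribs()` consults them, and that caller is not in this diff; please confirm the image check takes precedence, otherwise `<image href="data:image/svg+xml;base64,...">` would take the generic link path and skip the new data-URI sanitizer above. The docblock above this function should also be updated, since it no longer describes an `a`/`area`-only check.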
@@ -412,6 +435,7 @@
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
             || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
+            || ($tag == 'use' && $attr == 'href') // SVG
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 
@@ -425,6 +449,31 @@
     }
 
     /**
+     * Check if a specified element has an attribute with specified value.
+     * Do it in case-insensitive manner.
+     *
+     * @param DOMElement $node       The element
+     * @param string     $attr_name  The attribute name
+     * @param string     $attr_value The attribute value to find
+     *
+     * @return bool True if the specified attribute exists and has the expected value
+     */
+    private static function attribute_value($node, $attr_name, $attr_value)
+    {
+        $attr_name = strtolower($attr_name);
+
+        foreach ($node->attributes as $name => $attr) {
+            if (strtolower($name) === $attr_name) {
+                if (strtolower($attr_value) === strtolower($attr->nodeValue)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    /**
      * The main loop that recurse on a node tree.
      * It output only allowed tags with allowed attributes and allowed inline styles
      *
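Review bot: In `attribute_value()` the loop keeps iterating after the attribute name has matched, and `strtolower($attr_value)` is recomputed on every pass. Attribute names are unique per element, so once `strtolower($name) === $attr_name` holds the function can `return strtolower($attr->nodeValue) === $attr_value_lc;` directly, with the lowercase target computed once before the loop. The docblock should also say the comparison is exact (no whitespace trimming), so callers know `attributeName=" href"` is not treated as a match.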
@@ -458,6 +507,15 @@
             switch ($node->nodeType) {
             case XML_ELEMENT_NODE: //Check element
                 $tagName = strtolower($node->nodeName);
+
+                if (in_array($tagName, array('animate', 'animatecolor', 'set', 'animatetransform'))
+                    && self::attribute_value($node, 'attributename', 'href')
+                ) {
+                    // Insecure svg tags
+                    $dump .= "<!-- $tagName blocked -->";
+                    break;
+                }
+
                 if ($callback = $this->handlers[$tagName]) {
                     $dump .= call_user_func($callback, $tagName,
                         $this->wash_attribs($node), $this->dumpHtml($node, $level), $this);
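Review bot: The new block is a denylist: it drops `animate`, `animatecolor`, `set` and `animatetransform` only when `attributeName` equals `href`, and the list of element names is an inline array literal inside the main loop. Consider hoisting the array into a static property beside the washer's other element lists, and consider inverting the test so that these animation elements are dropped whenever `attributeName` names anything other than a known-safe presentation attribute, which also covers other URI-bearing spellings of the same target without growing a special-case list. A short comment that `break` intentionally discards the element's children as well would make the behaviour explicit.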
diff -Nru roundcube-1.3.14+dfsg.1/public_html/index.php roundcube-1.3.15+dfsg.1/public_html/index.php
--- roundcube-1.3.14+dfsg.1/public_html/index.php	2020-07-04 12:55:51.000000000 +0200
+++ roundcube-1.3.15+dfsg.1/public_html/index.php	2020-08-10 20:58:49.000000000 +0200
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.3.14                                                        |
+ | Version 1.3.15                                                        |
  |                                                                       |
  | Copyright (C) 2005-2017, The Roundcube Dev Team                       |
  |                                                                       |