[Pkg-roundcube-maintainers] roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages
Guilhem Moulin
guilhem at debian.org
Mon Dec 28 02:16:51 GMT 2020
Dear security team,
In a recent post roundcube webmail upstream has announced the following
security fix for #978491:
Cross-site scripting (XSS) via HTML or Plain text messages with
malicious content (CVE-2020-35730)
— responsible disclosure from Alex Birnberg
The package in buster is currently following the 1.3 branch and I
propose to keep that trend; upstream changes are minimal but also
contain two irrelevant changes, one of which (the jstz version bump) I
reverted in debian/patches. Debdiff enclosed, as well as the diff in
patch-applied trees. I tested this but would appreciate if you could
take care of the DSA :-)
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.3.15+dfsg.1 roundcube-1.3.16+dfsg.1
CHANGELOG | 4 ++
composer.json-dist | 2 -
debian/changelog | 9 ++++
debian/patches/Revert-Fix-jstz.min.js-dependency.patch | 32 +++++++++++++++++
debian/patches/series | 1
debian/patches/update_composer.patch | 4 +-
index.php | 2 -
installer/index.php | 2 -
jsdeps.json | 9 ++--
program/include/iniset.php | 2 -
program/lib/Roundcube/bootstrap.php | 2 -
program/lib/Roundcube/rcube_string_replacer.php | 16 +++++---
program/lib/Roundcube/rcube_utils.php | 10 ++---
public_html/index.php | 2 -
14 files changed, 73 insertions(+), 24 deletions(-)
diff -Nru roundcube-1.3.15+dfsg.1/CHANGELOG roundcube-1.3.16+dfsg.1/CHANGELOG
--- roundcube-1.3.15+dfsg.1/CHANGELOG 2020-08-10 20:58:49.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/CHANGELOG 2020-12-28 02:13:08.000000000 +0100
@@ -1,6 +1,10 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.16
+--------------
+- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
+
RELEASE 1.3.15
--------------
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
diff -Nru roundcube-1.3.15+dfsg.1/composer.json-dist roundcube-1.3.16+dfsg.1/composer.json-dist
--- roundcube-1.3.15+dfsg.1/composer.json-dist 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/composer.json-dist 2020-12-28 02:13:08.000000000 +0100
@@ -22,7 +22,7 @@
"pear/net_smtp": "~1.7.1",
"pear/crypt_gpg": "~1.6.3",
"pear/net_sieve": "~1.4.0",
- "roundcube/plugin-installer": "~0.1.6",
+ "roundcube/plugin-installer": "~0.2.0",
"endroid/qr-code": "~1.6.5"
},
"require-dev": {
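Review bot: the roundcube/plugin-installer bump (~0.1.6 to ~0.2.0) is the second unrelated upstream change the cover letter mentions, and unlike the jstz bump it is carried rather than reverted, with update_composer.patch refreshed to ">=0.2.0" in the same debdiff. A one-line mention in debian/changelog of why this one is kept would help the next uploader, since the entry only documents the jstz revert.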
diff -Nru roundcube-1.3.15+dfsg.1/debian/changelog roundcube-1.3.16+dfsg.1/debian/changelog
--- roundcube-1.3.15+dfsg.1/debian/changelog 2020-08-11 17:44:16.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/debian/changelog 2020-12-28 02:49:49.000000000 +0100
@@ -1,3 +1,12 @@
+roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+ * New upstream bugfix release, with security fix for CVE-2020-35730:
+ Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
+ with malicious content svg/namespace. (Closes: #978491)
+ * Revert upstream commit 435cfa116 to avoid irrelevant jstz update.
+
+ -- Guilhem Moulin <guilhem at debian.org> Mon, 28 Dec 2020 02:49:49 +0100
+
roundcube (1.3.15+dfsg.1-1~deb10u1) buster-security; urgency=high
* New upstream release, with security fix for CVE-2020-16145: Cross-site
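Review bot: the description in the new entry, "with malicious content svg/namespace", does not match the upstream CHANGELOG line ("via HTML or Plain text messages with malicious content [CVE-2020-35730]") and reads like residue from the 1.3.15 entry's "malicious svg content"; suggest dropping "svg/namespace" so the changelog wording matches the advisory text the DSA will quote.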
diff -Nru roundcube-1.3.15+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch
--- roundcube-1.3.15+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch 2020-12-28 02:49:49.000000000 +0100
@@ -0,0 +1,32 @@
+From: Guilhem Moulin <guilhem at debian.org>
+Date: Mon, 28 Dec 2020 02:45:53 +0100
+Subject: Revert "Fix jstz.min.js dependency"
+
+This reverts upstream commit 435cfa116964e03a28499d5a4331dd76a7c07451.
+---
+ jsdeps.json | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/jsdeps.json b/jsdeps.json
+index 16192e20d..8276d9e4e 100644
+--- a/jsdeps.json
++++ b/jsdeps.json
+@@ -14,13 +14,14 @@
+ {
+ "lib": "jstz",
+ "name": "jsTimezoneDetect",
+- "version": "1.0.7",
+- "url": "https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js",
++ "version": "1.0.6",
++ "url": "https://bitbucket.org/pellepim/jstimezonedetect/raw/6c427658686c664da52c6a87cd62ec910baab276/dist/jstz.min.js",
+ "dest": "program/js/jstz.min.js",
+- "sha1": "a858ff12014b232fcc7c4c2e9f014ff852ddb917",
++ "sha1": "4291cd3b259d2060460c2a6ab99f428d3c0c9537",
+ "license": "MIT",
+ "copyright": "Copyright (c) Jon Nylander",
+- "source": "https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js" },
++ "source": "https://bitbucket.org/pellepim/jstimezonedetect/raw/6c427658686c664da52c6a87cd62ec910baab276/dist/jstz.js"
++ },
+ {
+ "lib": "publickey",
+ "name": "PublicKey.js",
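Review bot: the DEP-3 header of the new patch carries only From/Date/Subject; a "Forwarded: not-needed" line plus a one-sentence reason (that buster keeps the 1.0.6 jstz entry rather than taking the 1.0.7 CDN update) would record the intent for whoever refreshes this on the next upstream release. The restored entry is otherwise sound as a revert: the raw Bitbucket URL is pinned to commit 6c427658686c664da52c6a87cd62ec910baab276 and the sha1 4291cd3b259d2060460c2a6ab99f428d3c0c9537 keeps the download verifiable.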
diff -Nru roundcube-1.3.15+dfsg.1/debian/patches/series roundcube-1.3.16+dfsg.1/debian/patches/series
--- roundcube-1.3.15+dfsg.1/debian/patches/series 2020-08-11 17:44:16.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/debian/patches/series 2020-12-28 02:49:49.000000000 +0100
@@ -11,6 +11,7 @@
update_composer.patch
Set-INSTALL_PATH-to-var-lib-roundcube-in-bin-cleandb.patch
upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch
+Revert-Fix-jstz.min.js-dependency.patch
update_jsdeps.json
htaccess-assume-php7.patch
CVE-2018-1000071.patch
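Review bot: the revert is inserted before update_jsdeps.json in the series, which is the right position if update_jsdeps.json also touches the jstz entry and was written against the 1.0.6 lines; a `quilt push -a` on the unpacked source is worth running once to confirm the whole series still applies without fuzz after the reordering.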
diff -Nru roundcube-1.3.15+dfsg.1/debian/patches/update_composer.patch roundcube-1.3.16+dfsg.1/debian/patches/update_composer.patch
--- roundcube-1.3.15+dfsg.1/debian/patches/update_composer.patch 2020-08-11 17:44:16.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/debian/patches/update_composer.patch 2020-12-28 02:49:49.000000000 +0100
@@ -29,14 +29,14 @@
- "pear/net_smtp": "~1.7.1",
- "pear/crypt_gpg": "~1.6.3",
- "pear/net_sieve": "~1.4.0",
-- "roundcube/plugin-installer": "~0.1.6",
+- "roundcube/plugin-installer": "~0.2.0",
- "endroid/qr-code": "~1.6.5"
+ "pear-pear.php.net/net-socket": ">=1.0.14",
+ "pear-pear.php.net/auth_sasl": ">=1.0.6",
+ "pear-pear.php.net/mail_mime": ">=1.10.0",
+ "pear-pear.php.net/net_smtp": ">=1.7.1",
+ "pear-pear.php.net/net_sieve": ">=1.3.4",
-+ "roundcube/plugin-installer": ">=0.1.6"
++ "roundcube/plugin-installer": ">=0.2.0"
},
"require-dev": {
"phpunit/phpunit": "^4.8.36 || ^5.7.15"
diff -Nru roundcube-1.3.15+dfsg.1/index.php roundcube-1.3.16+dfsg.1/index.php
--- roundcube-1.3.15+dfsg.1/index.php 2020-08-10 20:58:49.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/index.php 2020-12-28 02:13:08.000000000 +0100
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.15 |
+ | Version 1.3.16 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.15+dfsg.1/installer/index.php roundcube-1.3.16+dfsg.1/installer/index.php
--- roundcube-1.3.15+dfsg.1/installer/index.php 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/installer/index.php 2020-12-28 02:13:08.000000000 +0100
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.15 |
+ | Version 1.3.16 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.15+dfsg.1/jsdeps.json roundcube-1.3.16+dfsg.1/jsdeps.json
--- roundcube-1.3.15+dfsg.1/jsdeps.json 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/jsdeps.json 2020-12-28 02:13:08.000000000 +0100
@@ -14,14 +14,13 @@
{
"lib": "jstz",
"name": "jsTimezoneDetect",
- "version": "1.0.6",
- "url": "https://bitbucket.org/pellepim/jstimezonedetect/raw/6c427658686c664da52c6a87cd62ec910baab276/dist/jstz.min.js",
+ "version": "1.0.7",
+ "url": "https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js",
"dest": "program/js/jstz.min.js",
- "sha1": "4291cd3b259d2060460c2a6ab99f428d3c0c9537",
+ "sha1": "a858ff12014b232fcc7c4c2e9f014ff852ddb917",
"license": "MIT",
"copyright": "Copyright (c) Jon Nylander",
- "source": "https://bitbucket.org/pellepim/jstimezonedetect/raw/6c427658686c664da52c6a87cd62ec910baab276/dist/jstz.js"
- },
+ "source": "https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js" },
{
"lib": "publickey",
"name": "PublicKey.js",
diff -Nru roundcube-1.3.15+dfsg.1/program/include/iniset.php roundcube-1.3.16+dfsg.1/program/include/iniset.php
--- roundcube-1.3.15+dfsg.1/program/include/iniset.php 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/program/include/iniset.php 2020-12-28 02:13:08.000000000 +0100
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.15');
+define('RCMAIL_VERSION', '1.3.16');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.15+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.15+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-12-28 02:13:08.000000000 +0100
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.15');
+define('RCUBE_VERSION', '1.3.16');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php roundcube-1.3.16+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php
--- roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2020-12-28 02:13:08.000000000 +0100
@@ -24,7 +24,7 @@
*/
class rcube_string_replacer
{
- public static $pattern = '/##str_replacement_(\d+)##/';
+ public $pattern;
public $mailto_pattern;
public $link_pattern;
public $linkref_index;
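Review bot: turning `public static $pattern` into an instance property `public $pattern` is a small API change: any plugin or caller that referenced `rcube_string_replacer::$pattern` will now fail with an undefined static property. Within this debdiff rcube_utils.php is updated accordingly (`$replacements->pattern`), so a grep of the shipped plugins and any Debian-local patches for the old static access is the remaining check before upload.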
@@ -39,6 +39,10 @@
function __construct($options = array())
{
+ // Create hard-to-guess replacement string
+ $uniq_ident = sprintf('%010d%010d', mt_rand(), mt_rand());
+ $this->pattern = '/##' . $uniq_ident . '##(\d+)##/';
+
// Simplified domain expression for UTF8 characters handling
// Support unicode/punycode in top-level domain part
$utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})';
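Review bot: the per-instance token is what closes the hole (message text can no longer spell out a valid `##str_replacement_N##` placeholder and have it resolved into stored content), but `mt_rand()` is a non-cryptographic generator whose output becomes predictable once enough values are observed; two calls give at most about 62 bits. For a per-request token this is acceptable, though `random_int()` or `bin2hex(random_bytes())` would be the stronger choice where the supported PHP version allows it. Since the token is all digits, splicing it into the regex without `preg_quote()` is safe.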
@@ -49,7 +53,7 @@
$link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)";
$this->options = $options;
- $this->linkref_index = '/\[([^\]#]+)\](:?\s*##str_replacement_(\d+)##)/';
+ $this->linkref_index = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
$this->linkref_pattern = '/\[([^\]#]+)\]/';
$this->link_pattern = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/";
$this->mailto_pattern = "/("
@@ -78,7 +82,7 @@
*/
public function get_replacement($i)
{
- return '##str_replacement_' . $i . '##';
+ return str_replace('(\d+)', $i, substr($this->pattern, 1, -1));
}
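Review bot: `get_replacement()` now derives the placeholder by string-replacing the literal `(\d+)` inside the pattern, which couples three places (constructor, `get_replacement()`, `linkref_index`) to that exact spelling and to the `substr(..., 1, -1)` delimiter stripping; storing `$uniq_ident` in its own property and building both the pattern and the replacement from it would remove that coupling. Not blocking for a security update, but worth an upstream follow-up.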
/**
@@ -121,7 +125,7 @@
public function linkref_addindex($matches)
{
$key = $matches[1];
- $this->linkrefs[$key] = $this->urls[$matches[3]];
+ $this->linkrefs[$key] = isset($this->urls[$matches[3]]) ? $this->urls[$matches[3]] : null;
return $this->get_replacement($this->add('['.$key.']')) . $matches[2];
}
@@ -166,7 +170,7 @@
*/
public function replace_callback($matches)
{
- return $this->values[$matches[1]];
+ return isset($this->values[$matches[1]]) ? $this->values[$matches[1]] : null;
}
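Review bot: this and the previous hunk guard the lookups with `isset()` and return `null` for an unknown index, which is the correct failure mode here: the indices come from `(\d+)` in message text, so an out-of-range placeholder must not raise an undefined-offset notice, and `preg_replace_callback()` turns the `null` into an empty replacement rather than leaking anything from `$this->values` or `$this->urls`.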
/**
@@ -193,7 +197,7 @@
*/
public function resolve($str)
{
- return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str);
+ return preg_replace_callback($this->pattern, array($this, 'replace_callback'), $str);
}
/**
diff -Nru roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_utils.php roundcube-1.3.16+dfsg.1/program/lib/Roundcube/rcube_utils.php
--- roundcube-1.3.15+dfsg.1/program/lib/Roundcube/rcube_utils.php 2020-08-10 20:58:50.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/program/lib/Roundcube/rcube_utils.php 2020-12-28 02:13:08.000000000 +0100
@@ -451,12 +451,12 @@
// remove html comments
$source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
- // add #container to each tag selector
+ // add #container to each tag selector and prefix to id/class identifiers
if ($container_id) {
- // (?!##str) below is to not match with ##str_replacement_0##
- // from rcube_string_replacer used above, this is needed for
- // cases like @media { body { position: fixed; } } (#5811)
- $regexp = '/(^\s*|,\s*|\}\s*|\{\s*)((?!##str):?[a-z0-9\._#\*\[][a-z0-9\._:\(\)#=~ \[\]"\|\>\+\$\^-]*)/im';
+ // Exclude rcube_string_replacer pattern matches, this is needed
+ // for cases like @media { body { position: fixed; } } (#5811)
+ $excl = '(?!' . substr($replacements->pattern, 1, -1) . ')';
+ $regexp = '/(^\s*|,\s*|\}\s*|\{\s*)(' . $excl . ':?[a-z0-9\._#\*\[][a-z0-9\._:\(\)#=~ \[\]"\|\>\+\$\^-]*)/im';
$callback = function($matches) use ($container_id, $prefix) {
$replace = $matches[2];
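Review bot: `$replacements->pattern` is used without the hunk showing where `$replacements` is defined; the old comment says it is the rcube_string_replacer instance "used above", so it should be in scope, but confirm it is the same instance whose `get_replacement()` output is present in `$source`, otherwise the lookahead excludes the wrong token. Splicing the pattern in also brings its `(\d+)` capturing group into the regex inside the negative lookahead, so group numbering after group 2 shifts by one; the callback shown reads only `$matches[2]`, which is unaffected, but any later use of `$matches[3]` in that callback would now be wrong.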
diff -Nru roundcube-1.3.15+dfsg.1/public_html/index.php roundcube-1.3.16+dfsg.1/public_html/index.php
--- roundcube-1.3.15+dfsg.1/public_html/index.php 2020-08-10 20:58:49.000000000 +0200
+++ roundcube-1.3.16+dfsg.1/public_html/index.php 2020-12-28 02:13:08.000000000 +0100
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.15 |
+ | Version 1.3.16 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: roundcube.diff
Type: text/x-diff
Size: 13849 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20201228/3d7ba41a/attachment-0001.diff>