[Pkg-roundcube-maintainers] roundcube: CVE-2020-15562: XSS vulnerability via HTML messages with malicious svg/namespace
Guilhem Moulin
guilhem at debian.org
Mon Jul 6 15:43:33 BST 2020
Dear security team,
In a recent post roundcube webmail upstream has announced the following
security fixes:
Prevent cross-site scripting (XSS) via HTML messages with malicious
svg/namespace.
This was assigned CVE-2020-15562 today.
For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u6 with the attached
debdiff.
The package in buster is currently following the 1.3 branch, but
1.3.14+dfsg.1-1~deb10u1 contains only the targeted fix. Debdiff
attached.
Both versions have been tested.
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
changelog | 8 ++++++++
patches/CVE-2020-15562.patch | 33 +++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 42 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch-security; urgency=high
+
+ * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+ vulnerability via HTML messages with malicious svg/namespace
+ (Closes: #964355)
+
+ -- Guilhem Moulin <guilhem at debian.org> Mon, 06 Jul 2020 16:14:59 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
* Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 2020-07-06 16:14:59.000000000 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+ $xpath = new DOMXPath($node->ownerDocument);
+ foreach ($xpath->query('namespace::*') as $ns) {
+ if ($ns->nodeName != 'xmlns:xml') {
+- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
++ $dump .= sprintf(' %s="%s"',
++ $ns->nodeName,
++ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
++ );
+ }
+ }
+ }
+@@ -507,7 +510,7 @@ class rcube_washtml
+ $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+
+ // SVG need to be parsed as XML
+- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
++ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
+ $method = $this->is_xml ? 'loadXML' : 'loadHTML';
+ $options = 0;
+
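Review bot: the `is_xml` detection at the end of this patch file, `!preg_match('/<(html|head|body)/i', $html)`, matches tag-name prefixes rather than whole tag names, so `<header>` satisfies `<head` and flips a message that also contains `<svg` onto the `loadHTML` path. That errs toward HTML parsing, which is the safer direction for this fix, but if exact tag names are the intent a word boundary (`/<(html|head|body)\b/i`) would say so and avoid surprising behaviour with HTML5 sectioning tags. In the namespace hunk above it, the replacement lines escape `$ns->nodeValue` with `htmlspecialchars(..., ENT_QUOTES, ...)` but still concatenate `$ns->nodeName` unescaped; that holds only because the `namespace::*` axis yields parser-validated prefixes, and a one-line comment stating that assumption would help whoever next touches this code. The hunk offsets (`@@ -445,7 +445,10 @@` and `@@ -507,7 +510,7 @@`) are refreshed for the 1.2.3 tree as expected for a backport; the git-style `From`/`Date`/`Subject` header gives the upstream commit, and adding a `Bug-Debian: https://bugs.debian.org/964355` line would make the DEP-3 provenance complete.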
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-07-06 16:14:59.000000000 +0200
@@ -20,3 +20,4 @@
CVE-2020-12626.patch
CVE-2020-13964.patch
CVE-2020-13965.patch
+CVE-2020-15562.patch
-------------- next part --------------
diffstat for roundcube-1.3.13+dfsg.1 roundcube-1.3.14+dfsg.1
CHANGELOG | 4 ++++
debian/changelog | 8 ++++++++
index.php | 2 +-
installer/index.php | 2 +-
program/include/iniset.php | 2 +-
program/lib/Roundcube/bootstrap.php | 2 +-
program/lib/Roundcube/rcube_washtml.php | 7 +++++--
public_html/index.php | 2 +-
8 files changed, 22 insertions(+), 7 deletions(-)
diff -Nru roundcube-1.3.13+dfsg.1/CHANGELOG roundcube-1.3.14+dfsg.1/CHANGELOG
--- roundcube-1.3.13+dfsg.1/CHANGELOG 2020-06-07 13:23:24.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/CHANGELOG 2020-07-04 12:55:51.000000000 +0200
@@ -1,6 +1,10 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.14
+--------------
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
RELEASE 1.3.13
--------------
- Installer: Fix regression in SMTP test section (#7417)
diff -Nru roundcube-1.3.13+dfsg.1/debian/changelog roundcube-1.3.14+dfsg.1/debian/changelog
--- roundcube-1.3.13+dfsg.1/debian/changelog 2020-06-09 13:29:14.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/debian/changelog 2020-07-06 16:30:57.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.3.14+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+ * New upstream release, with security fix for CVE-2020-15562: Cross-Site
+ Scripting (XSS) vulnerability via HTML messages with malicious
+ svg/namespace (Closes: #964355)
+
+ -- Guilhem Moulin <guilhem at debian.org> Mon, 06 Jul 2020 16:30:57 +0200
+
roundcube (1.3.13+dfsg.1-1~deb10u1) buster-security; urgency=high
* New security upstream release, with fixes for:
diff -Nru roundcube-1.3.13+dfsg.1/index.php roundcube-1.3.14+dfsg.1/index.php
--- roundcube-1.3.13+dfsg.1/index.php 2020-06-07 13:23:24.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/index.php 2020-07-04 12:55:51.000000000 +0200
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.13 |
+ | Version 1.3.14 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.13+dfsg.1/installer/index.php roundcube-1.3.14+dfsg.1/installer/index.php
--- roundcube-1.3.13+dfsg.1/installer/index.php 2020-06-07 13:23:25.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/installer/index.php 2020-07-04 12:55:52.000000000 +0200
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.13 |
+ | Version 1.3.14 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.13+dfsg.1/program/include/iniset.php roundcube-1.3.14+dfsg.1/program/include/iniset.php
--- roundcube-1.3.13+dfsg.1/program/include/iniset.php 2020-06-07 13:23:25.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/program/include/iniset.php 2020-07-04 12:55:51.000000000 +0200
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.13');
+define('RCMAIL_VERSION', '1.3.14');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.13+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.14+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.13+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-06-07 13:23:25.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-07-04 12:55:52.000000000 +0200
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.13');
+define('RCUBE_VERSION', '1.3.14');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.3.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2020-06-07 13:23:25.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2020-07-04 12:55:52.000000000 +0200
@@ -470,7 +470,10 @@
$xpath = new DOMXPath($node->ownerDocument);
foreach ($xpath->query('namespace::*') as $ns) {
if ($ns->nodeName != 'xmlns:xml') {
- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
+ $dump .= sprintf(' %s="%s"',
+ $ns->nodeName,
+ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
+ );
}
}
}
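Review bot: the four `+` lines escape only `$ns->nodeValue` before it is written into the attribute dump; `$ns->nodeName` is still interpolated raw via `sprintf(' %s="%s"', ...)`. Since the names come from the `namespace::*` XPath axis they are parser-validated `xmlns[:prefix]` tokens, so this is acceptable, but that reasoning is not visible here and deserves a short comment next to the `sprintf`. Using `ENT_QUOTES` is the right choice for an attribute value, as it covers both `"` and `'` and so cannot be broken out of regardless of which quote character wraps the dumped attribute.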
@@ -535,7 +538,7 @@
$this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
// SVG need to be parsed as XML
- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
+ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
$method = $this->is_xml ? 'loadXML' : 'loadHTML';
$options = 0;
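Review bot: the new `!preg_match('/<(html|head|body)/i', $html)` test on the `+` line is a prefix match, so `<header>` (and any other tag beginning with `head`, `body` or `html`) counts as an HTML marker and routes an SVG-bearing message through `loadHTML` instead of `loadXML`. That is the conservative outcome for this fix, so no functional objection, but the comment above it (`// SVG need to be parsed as XML`) now understates the rule; either extend the comment to say that any HTML root-level tag wins over `<svg`, or anchor the names with `\b` if only the three exact tags are meant.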
diff -Nru roundcube-1.3.13+dfsg.1/public_html/index.php roundcube-1.3.14+dfsg.1/public_html/index.php
--- roundcube-1.3.13+dfsg.1/public_html/index.php 2020-06-07 13:23:24.000000000 +0200
+++ roundcube-1.3.14+dfsg.1/public_html/index.php 2020-07-04 12:55:51.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.13 |
+ | Version 1.3.14 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |