[Pkg-roundcube-maintainers] Security issue (CVE-2021-46144) in roundcube 1.3.17+dfsg.1-1~deb10u1 and 1.4.12+dfsg.1-1~deb11u1
Guilhem Moulin
guilhem at debian.org
Thu Jan 6 10:51:20 GMT 2022
Dear security team,
In a recent post roundcube webmail upstream has announced a fix for a
cross-site scripting (XSS) vulnerability via HTML messages with
malicious CSS content. This was assigned CVE-2021-46144 (thanks to
carnil for the assignment)!
Upstream fix for the 1.4 LTS branch:
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
There was no new 1.3 LTS release but AFAICT buster's
1.3.17+dfsg.1-1~deb10u1 is affected as well and the same fix applies.
debdiffs attached for oldstable- and stable-security. (The fix itself
comes from upstream's 1.4.13, but I had to tweak the test vector to make
the test suite pass on bullseye.) Both versions have been tested.
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.3.17+dfsg.1 roundcube-1.3.17+dfsg.1
changelog | 7 +++++++
patches/CVE-2021-46144.patch | 21 +++++++++++++++++++++
patches/series | 1 +
3 files changed, 29 insertions(+)
diff -Nru roundcube-1.3.17+dfsg.1/debian/changelog roundcube-1.3.17+dfsg.1/debian/changelog
--- roundcube-1.3.17+dfsg.1/debian/changelog 2021-11-18 19:52:34.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/changelog 2022-01-06 09:04:44.000000000 +0100
@@ -1,3 +1,10 @@
+roundcube (1.3.17+dfsg.1-1~deb10u2) buster-security; urgency=high
+
+ * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
+ messages with malicious CSS content. (Closes: #1003027)
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 06 Jan 2022 09:04:44 +0100
+
roundcube (1.3.17+dfsg.1-1~deb10u1) buster-security; urgency=high
* New bugfix/security upstream release (closes: #1000156), with fixes for:
diff -Nru roundcube-1.3.17+dfsg.1/debian/patches/CVE-2021-46144.patch roundcube-1.3.17+dfsg.1/debian/patches/CVE-2021-46144.patch
--- roundcube-1.3.17+dfsg.1/debian/patches/CVE-2021-46144.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/CVE-2021-46144.patch 2022-01-06 09:04:44.000000000 +0100
@@ -0,0 +1,21 @@
+commit b2400a4b592e3094b6c84e6000d512f99ae0eed8
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Wed Dec 29 19:02:43 2021 +0100
+
+ Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
+---
+ program/lib/Roundcube/rcube_washtml.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -329,7 +329,7 @@ class rcube_washtml
+ if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) {
+ if ($url = $this->wash_uri($match[2])) {
+ $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')'
+- . substr($val, strlen($match[0])) . '"';
++ . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES) . '"';
+ continue;
+ }
+ }
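Review bot: The buster backport carries only the code change; unlike the bullseye debdiff it adds no regression vector to tests/Framework/Washtml.php, so nothing in the 1.3 build would notice if the escaping were dropped again. Adding the `<img fill='asd:url(#asd)" src="x" onerror="alert(1)' />` case from the 1.4 test file (with whatever expected output the 1.3 washer produces) would close that gap. Dropping the third `$this->config['charset']` argument is consistent with the existing `htmlspecialchars($url, ENT_QUOTES)` call on the preceding line, and `$match[1]` can stay unescaped because the regex restricts it to `[a-z:]*url`. Not introduced by this patch, but visible in the context: the offset `strlen($match[0])` comes from a match run on `$value` and is applied to `$val`, which is only safe while the two strings have the same byte length up to that point. A DEP-3 `Origin:` line with the upstream commit URL and a `Bug-Debian:` line for #1003027 would make the provenance explicit; the header currently carries only the raw git commit line.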
diff -Nru roundcube-1.3.17+dfsg.1/debian/patches/series roundcube-1.3.17+dfsg.1/debian/patches/series
--- roundcube-1.3.17+dfsg.1/debian/patches/series 2021-11-18 19:52:34.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/series 2022-01-06 09:04:44.000000000 +0100
@@ -16,3 +16,4 @@
htaccess-assume-php7.patch
CVE-2018-1000071.patch
retry_to_reach_imap_server.patch
+CVE-2021-46144.patch
-------------- next part --------------
diffstat for roundcube-1.4.12+dfsg.1 roundcube-1.4.13+dfsg.1
CHANGELOG | 4 +
debian/changelog | 10 ++++
debian/patches/fix-FTBFS-with-phpunit-10.patch | 2
debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch | 2
debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch | 12 ++---
debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch | 23 ++++++++++
debian/patches/fix-install-path.patch | 4 -
debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch | 2
debian/patches/series | 1
debian/patches/update-script.patch | 2
index.php | 2
installer/index.php | 2
program/include/iniset.php | 2
program/lib/Roundcube/bootstrap.php | 2
program/lib/Roundcube/rcube_washtml.php | 2
public_html/index.php | 2
tests/Framework/Washtml.php | 4 +
17 files changed, 60 insertions(+), 18 deletions(-)
diff -Nru roundcube-1.4.12+dfsg.1/CHANGELOG roundcube-1.4.13+dfsg.1/CHANGELOG
--- roundcube-1.4.12+dfsg.1/CHANGELOG 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/CHANGELOG 2021-12-29 23:45:05.000000000 +0100
@@ -1,6 +1,10 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.4.13
+--------------
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
RELEASE 1.4.12
--------------
- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
diff -Nru roundcube-1.4.12+dfsg.1/debian/changelog roundcube-1.4.13+dfsg.1/debian/changelog
--- roundcube-1.4.12+dfsg.1/debian/changelog 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/changelog 2022-01-06 08:51:41.000000000 +0100
@@ -1,3 +1,13 @@
+roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
+
+ * New security upstream release, with fix for CVE-2021-46144: XSS
+ vulnerability via HTML messages with malicious CSS content
+ (closes: #1003027).
+ * Prepend '<!-- html ignored -->' to the test vector of the above.
+ * Refresh d/patches.
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 06 Jan 2022 08:51:41 +0100
+
roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high
* New bugfix/security upstream release (closes: #1000156), with fixes for:
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch 2022-01-06 08:51:41.000000000 +0100
@@ -0,0 +1,23 @@
+From: Guilhem Moulin <guilhem at debian.org>
+Date: Mon, 3 Jan 2022 09:40:34 +0100
+Subject: Fix Framework_Washtml::test_wash_xss_tests().
+
+This merely prepends a comment to the expected HTML (in line with the other test vectors).
+Regression from b2400a4b592e3094b6c84e6000d512f99ae0eed8.
+---
+ tests/Framework/Washtml.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
+index 767273e..264a5ad 100644
+--- a/tests/Framework/Washtml.php
++++ b/tests/Framework/Washtml.php
+@@ -449,7 +449,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+ ],
+ [
+ '<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
+- '<body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>'
++ '<!-- html ignored --><body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>'
+ ],
+ [
+ '<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
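Review bot: The expected output on the `+` line still contains the literal `src="x" onerror="alert(1)"`, yet the fix in rcube_washtml.php wraps the tail of the attribute value in `htmlspecialchars(..., ENT_QUOTES)`, which would turn those quotes into `&quot;`. Either the harness compares after entity decoding or the vector documents the pre-fix serialisation; the patch description should say which, because as written the expected string reads like the injected markup the fix is meant to prevent. The `<!-- html ignored -->` prefix itself matches the neighbouring vectors and the patch's stated purpose.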
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch 2022-01-06 08:51:41.000000000 +0100
@@ -112,7 +112,7 @@
/**
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 230941c..318e092 100644
+index a643f4c..767273e 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -31,9 +31,9 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2022-01-06 08:51:41.000000000 +0100
@@ -1400,7 +1400,7 @@
function _srcpath($fn)
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 5d62890..1ab0554 100644
+index ec4f4a3..1831b14 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -5,7 +5,7 @@
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2022-01-06 08:51:41.000000000 +0100
@@ -153,10 +153,10 @@
/**
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 1ab0554..230941c 100644
+index 1831b14..a643f4c 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
-@@ -552,7 +552,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -556,7 +556,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
$washed = $washer->wash($html);
$this->assertTrue($washer->extlinks);
@@ -165,7 +165,7 @@
$html = "<video src=\"http://TRACKING_URL/\">";
-@@ -560,7 +560,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -564,7 +564,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
$washed = $washer->wash($html);
$this->assertTrue($washer->extlinks);
@@ -174,7 +174,7 @@
}
/**
-@@ -598,8 +598,8 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -602,8 +602,8 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
$washer = new rcube_washtml;
$washed = $washer->wash($html);
@@ -185,7 +185,7 @@
}
/**
-@@ -615,10 +615,10 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -619,10 +619,10 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
. '</p>';
$washed = $washer->wash($html);
@@ -200,7 +200,7 @@
}
/**
-@@ -651,34 +651,34 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -655,34 +655,34 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
$html = '<head></head>First line<br />Second line';
$washed = $washer->wash($html);
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch 2022-01-06 08:51:41.000000000 +0100
@@ -161,10 +161,10 @@
require_once INSTALL_PATH . 'program/include/clisetup.php';
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 5394031..2659c2d 100644
+index 1f8bfd7..a26900e 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
-@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.12');
+@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.13');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2022-01-06 08:51:41.000000000 +0100
@@ -15,7 +15,7 @@
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index bf4cc11..8bc6f71 100644
+index 3919f74..cb6636b 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@@ -20,7 +20,9 @@
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/series roundcube-1.4.13+dfsg.1/debian/patches/series
--- roundcube-1.4.12+dfsg.1/debian/patches/series 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/series 2022-01-06 08:51:41.000000000 +0100
@@ -17,3 +17,4 @@
fix-FTBFS-with-phpunit-9.5.0-1.patch
fix-FTBFS-with-phpunit-10.patch
hint-at-which-packages-needs-installing-under-PHP8.patch
+fix-Framework_Washtml-test_wash_xss_tests.patch
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch 2021-11-18 20:07:03.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch 2022-01-06 08:51:41.000000000 +0100
@@ -88,7 +88,7 @@
// update composer dependencies
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 2659c2d..bf4cc11 100644
+index a26900e..3919f74 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) {
diff -Nru roundcube-1.4.12+dfsg.1/index.php roundcube-1.4.13+dfsg.1/index.php
--- roundcube-1.4.12+dfsg.1/index.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/index.php 2021-12-29 23:45:05.000000000 +0100
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.12 |
+ | Version 1.4.13 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.12+dfsg.1/installer/index.php roundcube-1.4.13+dfsg.1/installer/index.php
--- roundcube-1.4.12+dfsg.1/installer/index.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/installer/index.php 2021-12-29 23:45:05.000000000 +0100
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.4.12 |
+ | Version 1.4.13 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.12+dfsg.1/program/include/iniset.php roundcube-1.4.13+dfsg.1/program/include/iniset.php
--- roundcube-1.4.12+dfsg.1/program/include/iniset.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/program/include/iniset.php 2021-12-29 23:45:05.000000000 +0100
@@ -24,7 +24,7 @@
}
// application constants
-define('RCMAIL_VERSION', '1.4.12');
+define('RCMAIL_VERSION', '1.4.13');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-12-29 23:45:05.000000000 +0100
@@ -58,7 +58,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.4.12');
+define('RCUBE_VERSION', '1.4.13');
define('RCUBE_CHARSET', 'UTF-8');
define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
diff -Nru roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2021-12-29 23:45:05.000000000 +0100
@@ -338,7 +338,7 @@
if ($url = $this->wash_uri($match[2])) {
$result .= ' ' . $attr->nodeName . '="' . $match[1]
. '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
- . substr($val, strlen($match[0])) . '"';
+ . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
continue;
}
}
diff -Nru roundcube-1.4.12+dfsg.1/public_html/index.php roundcube-1.4.13+dfsg.1/public_html/index.php
--- roundcube-1.4.12+dfsg.1/public_html/index.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/public_html/index.php 2021-12-29 23:45:05.000000000 +0100
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.12 |
+ | Version 1.4.13 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.12+dfsg.1/tests/Framework/Washtml.php roundcube-1.4.13+dfsg.1/tests/Framework/Washtml.php
--- roundcube-1.4.12+dfsg.1/tests/Framework/Washtml.php 2021-11-12 22:35:37.000000000 +0100
+++ roundcube-1.4.13+dfsg.1/tests/Framework/Washtml.php 2021-12-29 23:45:05.000000000 +0100
@@ -448,6 +448,10 @@
'<!-- html ignored --><body x-washed="background"></body>'
],
[
+ '<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
+ '<body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>'
+ ],
+ [
'<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
'<!-- html ignored --><body><math x-washed="href"><mi>clickme</mi></math></body>',
],
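Review bot: The expected output added in this hunk lacks the `<!-- html ignored -->` prefix that the neighbouring vectors above and below it carry, which is exactly what the separate fix-Framework_Washtml-test_wash_xss_tests.patch corrects. Since this hunk is the verbatim upstream 1.4.13 test file there is nothing to change here, but the inconsistency is worth reporting upstream so the next release does not need the Debian-local tweak.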
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20220106/49410e5f/attachment.sig>
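The attribute-rebuilding line that the patch changes, modelled in Python as an added example (not Roundcube's code and not part of the mail): it reproduces the line before and after the CVE-2021-46144 commit for the test vector quoted in the debdiff and shows, by re-parsing the result, how the unescaped tail turned into extra `src`/`onerror` attributes. `wash_uri` is a simplified stand-in and an assumption, not rcube_washtml::wash_uri().

```python
import re
import html
from html.parser import HTMLParser

# Regex copied from the rcube_washtml hunk in the mail (PHP PCRE; same semantics in Python re).
URL_RE = re.compile(r'^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)', re.IGNORECASE)

# Constructed input: the `fill` value from the mail's vector <img fill='asd:url(#asd)" src="x" onerror="alert(1)' />
VECTOR = 'asd:url(#asd)" src="x" onerror="alert(1)'

def wash_uri(uri):
    """Stand-in for rcube_washtml::wash_uri() (an assumption, not Roundcube's real logic):
    keep fragment references and http(s) URLs, reject everything else."""
    if uri.startswith('#') or re.match(r'^https?://', uri, re.IGNORECASE):
        return uri
    return None

def rebuild_attr(name, value, fixed):
    """Rebuild ' name="..."' for a url()-style value as the patched line does.
    fixed=False models the line before the CVE-2021-46144 commit, fixed=True the line after;
    html.escape(quote=True) stands in for htmlspecialchars(..., ENT_QUOTES)."""
    m = URL_RE.match(value)
    if not m:
        return None
    url = wash_uri(m.group(2))
    if url is None:
        return None
    rest = value[len(m.group(0)):]            # tail after the washed url(...) token
    if fixed:
        rest = html.escape(rest, quote=True)  # the one-line fix: escape the tail as well
    return ' %s="%s(%s)%s"' % (name, m.group(1), html.escape(url, quote=True), rest)

class _AttrNames(HTMLParser):
    """Collect the attribute names of the single tag fed in."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_startendtag(self, tag, attrs):
        self.names = [k for k, _ in attrs]

    handle_starttag = handle_startendtag

def attribute_names(attr_string):
    """Parse '<img' + attr_string + ' />' like an HTML parser and return its attribute names:
    the unescaped tail splits into extra src/onerror attributes, the escaped one does not."""
    p = _AttrNames()
    p.feed('<img' + attr_string + ' />')
    return p.names
```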