[Pkg-roundcube-maintainers] roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
Guilhem Moulin
guilhem at debian.org
Wed Jan 12 13:15:30 GMT 2022
Dear LTS Team,
In a recent post, roundcube webmail upstream has announced the following
security fix for #1003027.
CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML
messages with malicious CSS content.
(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and
1.3 are affected too and the same fix applies cleanly. buster- and
bullseye-security are no longer affected.)
Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload
if you'd like but would appreciate if you could take care of the DLA :-)
Thanks!
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
changelog | 7 +++++++
patches/CVE-2021-46144.patch | 21 +++++++++++++++++++++
patches/series | 1 +
3 files changed, 29 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2021-12-06 11:51:48.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2022-01-12 12:56:32.000000000 +0100
@@ -1,3 +1,10 @@
+roundcube (1.2.3+dfsg.1-4+deb9u10) stretch-security; urgency=high
+
+ * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
+ messages with malicious CSS content. (Closes: #1003027)
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 12 Jan 2022 12:56:32 +0100
+
roundcube (1.2.3+dfsg.1-4+deb9u9) stretch-security; urgency=high
* Non-maintainer upload by the LTS team.
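Review bot: the changelog bullet on the `+ * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) ...` line says "fix" twice; since the text after the colon is the upstream commit subject, `* Backport fix for CVE-2021-46144: cross-site scripting (XSS) via HTML messages with malicious CSS content. (Closes: #1003027)` reads cleaner. Naming the upstream commit (b2400a4b) in the bullet would also let someone reading the changelog alone tell which upstream fix was backported without opening debian/patches.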
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 2022-01-12 12:56:32.000000000 +0100
@@ -0,0 +1,21 @@
+commit b2400a4b592e3094b6c84e6000d512f99ae0eed8
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Wed Dec 29 19:02:43 2021 +0100
+
+ Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
+---
+ program/lib/Roundcube/rcube_washtml.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -304,7 +304,7 @@ class rcube_washtml
+ if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) {
+ if ($url = $this->wash_uri($match[2])) {
+ $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')'
+- . substr($val, strlen($match[0])) . '"';
++ . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES) . '"';
+ continue;
+ }
+ }
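Review bot: the `-`/`+` pair is the entire fix and it is the right shape: the remainder of the CSS value after the matched `url(...)` token was concatenated raw into a double-quoted attribute, so any `"` in that tail terminated the attribute and whatever followed was emitted as markup; passing it through `htmlspecialchars(..., ENT_QUOTES)` makes it consistent with how `$url` is already escaped on the preceding line. Two things to confirm before upload: the regex is matched against `$value` while the suffix is sliced from `$val` with `strlen($match[0])`, and the context lines do not show whether the two hold the same string (a trimmed copy would shift the offset); and the patch file carries only the upstream commit header, so adding DEP-3 fields such as `Origin: upstream, <commit b2400a4b...>` and `Bug-Debian:` for #1003027 would make its provenance visible to the usual Debian tooling.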
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2021-12-06 11:51:48.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2022-01-12 12:56:32.000000000 +0100
@@ -25,3 +25,4 @@
CVE-2020-35730.patch
CVE-2021-44025.patch
CVE-2021-44026.patch
+CVE-2021-46144.patch