[Pkg-roundcube-maintainers] Bug#1052611: bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1

Guilhem Moulin guilhem at debian.org
Mon Sep 25 11:11:47 BST 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube at packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.4.13+dfsg.1-1~deb11u1 is vulnerable to CVE-2023-43770:
cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages.

The Security Team decided not to issue a DSA for that CVE, but it's now
fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as
testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu
too.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue.  For users
upgrading from buster-security to bullseye, that would be a security
regression.

[ Tests ]

The XSS fix is covered by automated tests (phpunit) at build time, and I
also manually tested the fix.

[ Risks ]

I believe the regression risk is very low, given the diff is fairly
simple, and this is not a backport but an official upstream release from
the LTS branch.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New security/bugfix upstream release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
      of linkrefs in plain text messages. (Closes: #1052059)
    + Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

[ Other info ]

bullseye(-security) has been following the upstream 1.4 branch, so I
propose to upload 1.4.14+dfsg.1-1~deb11u1 rather than cherry-pick the
CVE-2023-43770 fix on top of 1.4.13+dfsg.1-1~deb11u1.

-- 
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.4.13+dfsg.1 roundcube-1.4.14+dfsg.1

 CHANGELOG                                                               |    8 
 composer.json-dist                                                      |    5 
 debian/changelog                                                        |   11 
 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch                    |    4 
 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch                     |    8 
 debian/patches/fix-install-path.patch                                   |    4 
 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch |    2 
 debian/patches/update-composer.patch                                    |    9 
 debian/patches/update-script.patch                                      |    2 
 debian/upstream/signing-key.asc                                         |  199 +++++++---
 index.php                                                               |    2 
 installer/index.php                                                     |    2 
 plugins/enigma/lib/enigma_driver_gnupg.php                              |    7 
 program/include/iniset.php                                              |    2 
 program/lib/Roundcube/bootstrap.php                                     |    2 
 program/lib/Roundcube/rcube_string_replacer.php                         |    4 
 public_html/index.php                                                   |    2 
 public_html/plugins/enigma/lib/enigma_driver_gnupg.php                  |    7 
 tests/Framework/StringReplacer.php                                      |   12 
 tests/Framework/Text2Html.php                                           |   17 
 20 files changed, 223 insertions(+), 86 deletions(-)

diff -Nru roundcube-1.4.13+dfsg.1/CHANGELOG roundcube-1.4.14+dfsg.1/CHANGELOG
--- roundcube-1.4.13+dfsg.1/CHANGELOG	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/CHANGELOG	2023-09-16 22:01:19.000000000 +0200
@@ -1,5 +1,9 @@
-CHANGELOG Roundcube Webmail
-===========================
+# Changelog Roundcube Webmail
+
+RELEASE 1.4.14
+--------------
+- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
+- Enigma: Fix initial synchronization of private keys
 
 RELEASE 1.4.13
 --------------
diff -Nru roundcube-1.4.13+dfsg.1/composer.json-dist roundcube-1.4.14+dfsg.1/composer.json-dist
--- roundcube-1.4.13+dfsg.1/composer.json-dist	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/composer.json-dist	2023-09-16 22:01:19.000000000 +0200
@@ -27,5 +27,10 @@
     "suggest": {
         "kolab/net_ldap3": "~1.1.1 required for connecting to LDAP",
         "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
+    },
+    "config": {
+        "allow-plugins": {
+            "roundcube/plugin-installer": true
+        }
     }
 }
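
Review bot: the new "config" / "allow-plugins" block at the end of composer.json-dist lets roundcube/plugin-installer run as a Composer plugin, yet neither the upstream CHANGELOG entry for 1.4.14 nor the d/changelog entry in this debdiff mentions it. Since this setting controls which third-party code Composer may execute at install time, it deserves a changelog line, and debian/patches/update-composer.patch (which rewrites this file) should be checked to confirm the block is meant to survive in the Debian package.
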
diff -Nru roundcube-1.4.13+dfsg.1/debian/changelog roundcube-1.4.14+dfsg.1/debian/changelog
--- roundcube-1.4.13+dfsg.1/debian/changelog	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/changelog	2023-09-25 11:32:59.000000000 +0200
@@ -1,3 +1,14 @@
+roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high
+
+  * New security/bugfix upstream release:
+    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
+      of linkrefs in plain text messages. (Closes: #1052059)
+    + Enigma: Fix initial synchronization of private keys.
+  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
+  * Refresh d/patches.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Mon, 25 Sep 2023 11:32:59 +0200
+
 roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
 
   * New security upstream release, with fix for CVE-2021-46144: XSS
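
Review bot: the d/u/signing-key.asc entry names the added key only by its 64-bit key ID (BEE674A019359DC1) and the owner's first name. For a change to the keyring used to verify upstream tarballs, record the full fingerprint and the owner's full name in the changelog entry, and say how the key was authenticated.
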
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch	2023-09-25 11:32:59.000000000 +0200
@@ -1335,7 +1335,7 @@
  
      /**
 diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php
-index ace8bf6..9d56fe2 100644
+index 16dff6a..756eddd 100644
 --- a/tests/Framework/StringReplacer.php
 +++ b/tests/Framework/StringReplacer.php
 @@ -5,7 +5,7 @@
@@ -1348,7 +1348,7 @@
  
      /**
 diff --git a/tests/Framework/Text2Html.php b/tests/Framework/Text2Html.php
-index db2dbac..273eeed 100644
+index 1d6ffd2..8f86b86 100644
 --- a/tests/Framework/Text2Html.php
 +++ b/tests/Framework/Text2Html.php
 @@ -5,7 +5,7 @@
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch	2023-09-25 11:32:59.000000000 +0200
@@ -52,19 +52,19 @@
  
      function test_links()
 diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php
-index 9d56fe2..d60cbd0 100644
+index 756eddd..32ce877 100644
 --- a/tests/Framework/StringReplacer.php
 +++ b/tests/Framework/StringReplacer.php
-@@ -75,8 +75,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase
+@@ -77,8 +77,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase
          $result = $replacer->replace($input);
          $result = $replacer->resolve($result);
  
 -        $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements");
 -        $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements");
--        $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
+-        $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
 +        $this->assertStringContainsString('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements");
 +        $this->assertStringContainsString('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements");
-+        $this->assertStringContainsString('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
++        $this->assertStringContainsString('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
      }
  }
 diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch	2023-09-25 11:32:59.000000000 +0200
@@ -161,10 +161,10 @@
  require_once INSTALL_PATH . 'program/include/clisetup.php';
  
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 1f8bfd7..a26900e 100644
+index d9388db..11142d2 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
-@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.13');
+@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.14');
  define('RCMAIL_START', microtime(true));
  
  if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2023-09-25 11:32:59.000000000 +0200
@@ -15,7 +15,7 @@
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 3919f74..cb6636b 100644
+index 9c4c773..956750d 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -20,7 +20,9 @@
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch	2023-09-25 11:32:59.000000000 +0200
@@ -20,10 +20,10 @@
  1 file changed, 10 insertions(+), 12 deletions(-)
 
 diff --git a/composer.json-dist b/composer.json-dist
-index 192551a..2307894 100644
+index 13064ce..a73e69d 100644
 --- a/composer.json-dist
 +++ b/composer.json-dist
-@@ -10,22 +10,20 @@
+@@ -10,23 +10,21 @@
      ],
      "require": {
          "php": ">=5.4.0 <8",
@@ -54,5 +54,6 @@
 +        "kolab/net_ldap3": ">=1.1.1",
 +        "pear-pear.php.net/crypt_gpg": ">=1.6.0",
 +        "mkopinsky/zxcvbn-php": ">=4.4.2 required for Zxcvbn password strength driver"
-     }
- }
+     },
+     "config": {
+         "allow-plugins": {
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch	2023-09-25 11:32:59.000000000 +0200
@@ -88,7 +88,7 @@
  
      // update composer dependencies
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index a26900e..3919f74 100644
+index 11142d2..9c4c773 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) {
diff -Nru roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc
--- roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc	2023-09-25 11:32:59.000000000 +0200
@@ -116,62 +116,145 @@
 -----END PGP PUBLIC KEY BLOCK-----
diff -Nru roundcube-1.4.13+dfsg.1/index.php roundcube-1.4.14+dfsg.1/index.php
--- roundcube-1.4.13+dfsg.1/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.4.13                                                          |
+ | Version 1.4.14                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.13+dfsg.1/installer/index.php roundcube-1.4.14+dfsg.1/installer/index.php
--- roundcube-1.4.13+dfsg.1/installer/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/installer/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.4.13                                                          |
+ | Version 1.4.14                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php
--- roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php	2023-09-16 22:01:19.000000000 +0200
@@ -586,6 +586,13 @@
                     continue;
                 }
 
+                // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists.
+                if (strpos($file, '/private-keys-v1.d/')) {
+                    if (!file_exists($this->homedir . '/private-keys-v1.d')) {
+                        mkdir($this->homedir . '/private-keys-v1.d', 0700);
+                    }
+                }
+
                 $tmpfile = $file . '.tmp';
 
                 if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) {
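
Review bot: the guard if (strpos($file, '/private-keys-v1.d/')) relies on truthiness, so a match at offset 0 is treated as no match; compare explicitly with strpos(...) !== false. The mkdir() result is also unchecked, and file_exists() is satisfied by a regular file of that name, so a failure here only surfaces later at file_put_contents(); use is_dir() and handle a failed mkdir() at this point.
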
diff -Nru roundcube-1.4.13+dfsg.1/program/include/iniset.php roundcube-1.4.14+dfsg.1/program/include/iniset.php
--- roundcube-1.4.13+dfsg.1/program/include/iniset.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/include/iniset.php	2023-09-16 22:01:19.000000000 +0200
@@ -24,7 +24,7 @@
 }
 
 // application constants
-define('RCMAIL_VERSION', '1.4.13');
+define('RCMAIL_VERSION', '1.4.14');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php	2023-09-16 22:01:19.000000000 +0200
@@ -58,7 +58,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.4.13');
+define('RCUBE_VERSION', '1.4.14');
 define('RCUBE_CHARSET', 'UTF-8');
 define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
 
diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php
--- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php	2023-09-16 22:01:19.000000000 +0200
@@ -59,8 +59,8 @@
         $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)";
 
         $this->options         = $options;
-        $this->linkref_index   = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
-        $this->linkref_pattern = '/\[([^\]#]+)\]/';
+        $this->linkref_index   = '/\[([^<>\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
+        $this->linkref_pattern = '/\[([^<>\]#]+)\]/';
         $this->link_pattern    = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/";
         $this->mailto_pattern  = "/("
             . "[-\w!\#\$%&*+~\/^`|{}=]+(?:\.[-\w!\#\$%&*+~\/^`|{}=]+)*"  // local-part
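
Review bot: both linkref_index and linkref_pattern now exclude only < and > from the key via [^<>\]#]+, which narrows what counts as a linkref but does not escape the key where it is written into the HTML. Quote characters and & are still accepted in a key, so add a comment saying why excluding these two characters is sufficient for the contexts the key is emitted into, or escape the key at output so the pattern does not carry the security property alone.
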
diff -Nru roundcube-1.4.13+dfsg.1/public_html/index.php roundcube-1.4.14+dfsg.1/public_html/index.php
--- roundcube-1.4.13+dfsg.1/public_html/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/public_html/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.4.13                                                        |
+ | Version 1.4.14                                                        |
  |                                                                       |
  | Copyright (C) The Roundcube Dev Team                                  |
  |                                                                       |
diff -Nru roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php
--- roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php	2023-09-16 22:01:19.000000000 +0200
@@ -586,6 +586,13 @@
                     continue;
                 }
 
+                // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists.
+                if (strpos($file, '/private-keys-v1.d/')) {
+                    if (!file_exists($this->homedir . '/private-keys-v1.d')) {
+                        mkdir($this->homedir . '/private-keys-v1.d', 0700);
+                    }
+                }
+
                 $tmpfile = $file . '.tmp';
 
                 if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) {
diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php
--- roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php	2023-09-16 22:01:19.000000000 +0200
@@ -64,12 +64,14 @@
         $this->assertEquals($output, $result);
     }
 
+    /**
+     * Test link references
+     */
     function test_linkrefs()
     {
-        $input = "This is a sample message [1] to test the new linkref [ref0] replacement feature of [Roundcube].\n";
-        $input.= "\n";
-        $input.= "[1] http://en.wikipedia.org/wiki/Email\n";
-        $input.= "[ref0] www.link-ref.com\n";
+        $input = "This is a sample message [1] to test the linkref [ref0] replacement feature of [Roundcube].[ref<0]\n"
+            . "[1] http://en.wikipedia.org/wiki/Email\n"
+            . "[ref0] www.link-ref.com\n";
 
         $replacer = new rcube_string_replacer;
         $result = $replacer->replace($input);
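
Review bot: in the new $input, [ref<0] has no matching index line (only [1] and [ref0] are defined), so it follows the same "no index entry" path as [Roundcube] and does not show that a key containing < is rejected when an index entry exists. Add an index line for such a key to this test so the changed linkref_index pattern is exercised here as well as in Text2Html. The blank line that used to separate the body from the index lines has also been dropped, which changes the input shape for the existing assertions; keep it unless the removal is deliberate.
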
@@ -77,6 +79,6 @@
 
         $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements");
         $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements");
-        $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
+        $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
     }
 }
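
Review bot: the assertion message still reads "wihtout", and the single check now covers two different cases, the untouched [Roundcube] and the untouched [ref<0]. Fix the spelling and give the [ref<0] case its own assertion with its own message so a failure points at the right case.
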
diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php
--- roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php	2023-09-16 22:01:19.000000000 +0200
@@ -137,4 +137,21 @@
 
         $this->assertEquals($expected, $html);
     }
+
+    /**
+     * Test XSS issue
+     */
+    function test_text2html_xss2()
+    {
+        $input = "\n[<script>evil</script>] https://google.com\n";
+        $t2h = new rcube_text2html($input);
+
+        $html = $t2h->get_html();
+
+        $expected = "<div class=\"pre\"><br>\n[<script>evil</script>] "
+            . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
+            . "</div>";
+
+        $this->assertEquals($expected, $html);
+    }
 }
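
Review bot: in test_text2html_xss2 the $expected string, as shown here, contains the bracketed key as a literal <script> element. For a test of an XSS fix the expected output should carry the key in entity-encoded form; confirm that is what the test file asserts. The docblock "Test XSS issue" should also name the issue it covers (CVE-2023-43770) so the test can be traced back to the fix.
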