[Pkg-roundcube-maintainers] Bug#1052629: bookworm-pu: package roundcube/1.6.3+dfsg-1~deb12u1

Guilhem Moulin guilhem at debian.org
Mon Sep 25 14:15:57 BST 2023


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube at packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.6.1+dfsg-1 is vulnerable to CVE-2023-43770: cross-site
scripting (XSS) vulnerability in handling of linkrefs in plain text
messages.

The Security Team decided not to issue a DSA for that CVE, but it's now
fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as
testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu
too.

In addition, the roundcube version currently in bookworm yields PHP
warnings with PHP 8.2, and suffers from several regressions affecting
for instance OAuth2 authentication, LDAP backends, or BINARY FETCHes.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue.  For users
upgrading from buster-security to bookworm, that would be a security
regression.

In addition, OAuth2 authentication would remain broken and error
messages would keep polluting the log.

[ Tests ]

The upstream test suite is run at build time, and also via DEP-8 tests.
In addition, I manually double checked that the aforementioned XSS issue
is solved.

[ Risks ]

1.6 is upstream's stable branch, and like for Bullseye (and Buster) I
propose that Bookworm follows it.  The diff is not really trivial but
test coverage is decent except for the OAuth2 part (which again is
broken in bookworm).

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New upstream security and bugfix release:
    + Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file
    + Fix regression that broke use_secure_urls feature
    + Fix potential PHP fatal error when opening a message with message/rfc822 part
    + Fix bug where a duplicate `<title>` tag in HTML email could cause some parts being cut off
    + Fix bug where a list of folders could have been sorted incorrectly
    + Fix regression where LDAP addressbook 'filter' option was ignored
    + Fix wrong order of a multi-folder search result when sorting by size
    + Fix so install/update scripts do not require PEAR
    + Fix regression where some mail parts could have been decoded incorrectly, or not at all
    + Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH
    + Fix PHP8 deprecation warning in the reconnect plugin
    + Fix "Show source" on mobile with x_frame_options = deny
    + Fix various PHP warnings
    + Fix deprecated use of ldap_connect() in password's ldap_simple driver
    + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages (CVE-2023-43770)
    + Add Uyghur localization
    + Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default
    + Fix bug where false attachment reminder was displayed on HTML mail with inline images
    + Fix bug where a non-ASCII character in app.js could cause error in javascript engine
    + Fix JWT decoding with url safe base64 schema
    + Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox
    + Fix PHP8 warning
    + Fix support for Windows-31J charset
    + Fix so LDAP VLV option is disabled by default as documented
    + Fix so an email address with name is supported as input to the managesieve notify :from parameter
    + Fix Help plugin menu
    + Fix invalid onclick handler on the logo image when using non-array skin_logo setting
    + Fix duplicate recipients in "To" and "Cc" on reply
    + Fix bug where it wasn't possible to scroll lists by clicking middle mouse button
    + Fix bug where label text in a single-input dialog could be partially invisible in some locales
    + Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config
    + Fix extra leading newlines in plain text converted from HTML
    + Fix so recipients with a domain ending with .s are allowed
    + Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET
    + Fix QR code images for contacts with non-ASCII characters
    + Fix PHP8 warnings when using list_flags and list_cols properties by plugins
    + Fix bug where subfolders could lose subscription on parent folder rename
    + Fix connecting to LDAP using an URI with ldapi:// scheme
    + Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin
    + Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin
    + Fix PHP fatal error when importing vcf file using PHP 8.2
    + Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
  * roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395)
  * Fix GuzzleHttp autoload location. (Closes: #1040705)
  * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header.
  * Test suite: Adjust short date test to make it work with all ICUs. (Closes: #1030161)
  * Add Romanian debconf templates translation. (Closes: #1033468)
  * d/gbp.conf, d/README.source: Remove obsolete comment.
  * d/sql/mysql/1.3.0-1: Move inline comment.
  * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
  * Refresh d/patches.

[ Other info ]

In addition to the debdiff.gz between 1.6.1+dfsg-1 (bookworm) and 1.6.3+dfsg-1~deb12u1,
I attach a patch-applied diff excluding upstream's tests/**, program/localization/**,
and plugins/*/localization/**, which should more accurately show what
this p-u is about.

If you think that 1.6.3+dfsg-1~deb12u1 is beyond the scope of bookworm-pu then
I'll prepare another upload, this time backporting the aforementioned
regressions and security issue instead of following the upstream stable
branch.

-- 
Guilhem.
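Added illustration (not Roundcube's code, and not the upstream fix) of the class of bug named by the changelog entry "Fix JWT decoding with url safe base64 schema" above: JWT segments are encoded with the base64url alphabet ('-' and '_' instead of '+' and '/') and with padding stripped (RFC 7515), so a decoder that expects the standard alphabet either rejects or corrupts a valid token. The sample segment below is constructed for this example; its claim value is arbitrary and was chosen so the encoding contains a '_'.

```python
import base64
import binascii
import json

# Constructed sample: base64url-encoded JWT payload {"sub":"x?>?"} with
# padding stripped, as RFC 7515 requires.  The '?>?' bytes make the fourth
# encoded group end in '_' (it would be '/' in the standard alphabet).
SAMPLE_PAYLOAD_SEGMENT = "eyJzdWIiOiJ4Pz4_In0"

_B64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url_decode(segment):
    """Decode one JWT segment (base64url, unpadded) strictly.

    Characters outside the base64url alphabet, including '=' padding, are
    rejected instead of being silently dropped, so a malformed or
    standard-alphabet segment fails closed rather than decoding to garbage.
    """
    if not isinstance(segment, str) or not segment:
        raise ValueError("empty JWT segment")
    if not set(segment) <= _B64URL_ALPHABET:
        raise ValueError("non-base64url character in JWT segment")
    # Restore the padding the producer stripped; a length of 1 mod 4 is
    # impossible for base64 and makes the decoder raise below.
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("invalid base64url in JWT segment: %s" % exc) from exc


def decode_jwt_claims(segment):
    """Return the claims object of a JWT payload segment as a dict."""
    claims = json.loads(b64url_decode(segment).decode("utf-8"))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def decode_with_standard_alphabet(segment):
    """The broken variant: a standard-alphabet decoder fed a base64url segment.

    With validate=True the '_' is rejected outright; returns None on failure.
    (Without validate the character would be dropped and the result corrupted.)
    """
    try:
        return base64.b64decode(segment + "=" * (-len(segment) % 4), validate=True)
    except binascii.Error:
        return None


if __name__ == "__main__":
    print(decode_jwt_claims(SAMPLE_PAYLOAD_SEGMENT))
    print(decode_with_standard_alphabet(SAMPLE_PAYLOAD_SEGMENT))
```

Only the payload decoding is shown; signature verification of the token is a separate step and must happen before any claim is trusted.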
-------------- next part --------------
A non-text attachment was scrubbed...
Name: roundcube.debdiff.gz
Type: application/gzip
Size: 145491 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20230925/6052051c/attachment-0001.gz>