[Pkg-roundcube-maintainers] CVE-2024-3738[34]/roundcube: {bullseye, bookworm}-security uploads
Guilhem Moulin
guilhem at debian.org
Mon Jun 17 04:46:05 BST 2024
Dear security team,
I'd like to propose the attached tested debdiffs to fix CVE-2024-37383
and CVE-2024-37384 (both XSS issues) in roundcube.
Cheers
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.4.15+dfsg.1 roundcube-1.4.15+dfsg.1
changelog | 9 +++++
patches/CVE-2024-37383.patch | 43 +++++++++++++++++++++++++++
patches/CVE-2024-37384.patch | 68 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 122 insertions(+)
diff -Nru roundcube-1.4.15+dfsg.1/debian/changelog roundcube-1.4.15+dfsg.1/debian/changelog
--- roundcube-1.4.15+dfsg.1/debian/changelog 2023-11-28 15:49:21.000000000 +0100
+++ roundcube-1.4.15+dfsg.1/debian/changelog 2024-06-17 04:10:38.000000000 +0200
@@ -1,3 +1,12 @@
+roundcube (1.4.15+dfsg.1-1+deb11u3) bullseye-security; urgency=high
+
+ * Fix CVE-2024-37384: Cross-site scripting (XSS) vulnerability in handling
+ list columns from user preferences. (Closes: #1071474)
+ * Fix CVE-2024-37383: Cross-site scripting (XSS) vulnerability in handling
+ SVG animate attributes. (Closes: #1071474)
+
+ -- Guilhem Moulin <guilhem at debian.org> Mon, 17 Jun 2024 04:10:38 +0200
+
roundcube (1.4.15+dfsg.1-1~deb11u2) bullseye-security; urgency=high
* Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting
diff -Nru roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37383.patch roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37383.patch
--- roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37383.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37383.patch 2024-06-17 04:10:38.000000000 +0200
@@ -0,0 +1,43 @@
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sun, 19 May 2024 10:20:09 +0200
+Subject: Fix cross-site scripting (XSS) vulnerability in handling SVG animate
+ attributes
+
+Reported by Valentin T. and Lutz Wolf of CrowdStrike.
+
+Origin: https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37383
+Bug-Debian: https://bugs.debian.org/1071474
+---
+ program/lib/Roundcube/rcube_washtml.php | 2 +-
+ tests/Framework/Washtml.php | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index 231ca85..8cb0d24 100644
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -526,7 +526,7 @@ class rcube_washtml
+
+ foreach ($node->attributes as $name => $attr) {
+ if (strtolower($name) === $attr_name) {
+- if (strtolower($attr_value) === strtolower($attr->nodeValue)) {
++ if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
+ return true;
+ }
+ }
+diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
+index b6aed39..6848eb2 100644
+--- a/tests/Framework/Washtml.php
++++ b/tests/Framework/Washtml.php
+@@ -419,6 +419,10 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<!-- html ignored --><!-- body ignored --><svg xmlns="http://www.w3.org/1999/xhtml"><use x-washed="href"></use></svg>'
+ ],
++ [
++ '<html><svg><animate attributeName="href " values="javascript:alert(\'XSS\')" href="#link" /></animate></svg></html>',
++ '<!-- html ignored --><!-- body ignored --><svg xmlns="http://www.w3.org/1999/xhtml"><!-- animate blocked --></svg>',
++ ],
+ ];
+ }
+
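Review bot: The new `trim()` around `$attr->nodeValue` in rcube_washtml carries no comment saying why surrounding whitespace must be ignored, so a later reader may take it for cosmetics and drop it; the only hint is the `attributeName="href "` test case added further down the same patch. I'd put a one-line rationale above the changed comparison, e.g. `// the animation target tolerates whitespace around the attribute name, so compare the trimmed value`, and leave the comparison itself as is. The enclosing method of rcube_washtml starts and ends outside the hunk, so where `$attr_name` and `$attr_value` come from is not visible here and the comment should not claim more than the test demonstrates. The bookworm debdiff's copy of CVE-2024-37383.patch makes the identical change with the same missing rationale, and this note applies there too.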
diff -Nru roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37384.patch roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37384.patch
--- roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37384.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.4.15+dfsg.1/debian/patches/CVE-2024-37384.patch 2024-06-17 04:10:38.000000000 +0200
@@ -0,0 +1,68 @@
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sun, 19 May 2024 10:15:30 +0200
+Subject: Fix cross-site scripting (XSS) vulnerability in handling list
+ columns from user preferences
+
+Reported by Huy Nguyễn Phạm Nhật.
+
+Origin: https://github.com/roundcube/roundcubemail/commit/0d0bc61b139d6ca321d5923d769d03a3253596ed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37384
+Bug-Debian: https://bugs.debian.org/1071474
+---
+ program/steps/mail/func.inc | 7 ++++++-
+ program/steps/mail/list.inc | 9 ++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
+index 9bc61c4..4b96270 100644
+--- a/program/steps/mail/func.inc
++++ b/program/steps/mail/func.inc
+@@ -602,7 +602,12 @@ function rcmail_message_list_head($attrib, $a_show_cols)
+ }
+
+ foreach ($a_show_cols as $col) {
+- $label = '';
++ // sanity check
++ if (!preg_match('/^[a-zA-Z_-]+$/', $col)) {
++ continue;
++ }
++
++ $label = '';
+ $sortable = false;
+ $rel_col = $col == 'date' && $sort_col == 'arrival' ? 'arrival' : $col;
+
+diff --git a/program/steps/mail/list.inc b/program/steps/mail/list.inc
+index 00bfa75..39bfe39 100644
+--- a/program/steps/mail/list.inc
++++ b/program/steps/mail/list.inc
+@@ -24,8 +24,11 @@ if (!$OUTPUT->ajax_call) {
+ $save_arr = array();
+ $dont_override = (array) $RCMAIL->config->get('dont_override');
+
+-// is there a sort type for this request?
+ $sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET);
++$cols = rcube_utils::get_input_value('_cols', rcube_utils::INPUT_GET);
++$layout = rcube_utils::get_input_value('_layout', rcube_utils::INPUT_GET);
++
++// is there a sort type for this request?
+ if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
+ // yes, so set the sort vars
+ list($sort_col, $sort_order) = explode('_', $sort);
+@@ -40,7 +43,7 @@ if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
+ }
+
+ // is there a set of columns for this request?
+-if ($cols = rcube_utils::get_input_value('_cols', rcube_utils::INPUT_GET)) {
++if ($cols && preg_match('/^[a-zA-Z_,-]+$/', $cols)) {
+ $_SESSION['list_attrib']['columns'] = explode(',', $cols);
+ if (!in_array('list_cols', $dont_override)) {
+ $save_arr['list_cols'] = explode(',', $cols);
+@@ -48,7 +51,7 @@ if ($cols = rcube_utils::get_input_value('_cols', rcube_utils::INPUT_GET)) {
+ }
+
+ // register layout change
+-if ($layout = rcube_utils::get_input_value('_layout', rcube_utils::INPUT_GET)) {
++if ($layout && preg_match('/^[a-zA-Z_-]+$/', $layout)) {
+ $OUTPUT->set_env('layout', $layout);
+ $save_arr['layout'] = $layout;
+ // force header replace on layout change
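Review bot: The three new `preg_match` guards (the per-column check in func.inc, and the `_cols` and `_layout` checks in list.inc) end their pattern with `$`, which in PCRE also matches just before a trailing newline, so a value like `"date\n"` passes the check. Whether such a value can reach a sensitive sink is not visible from this hunk, and the pre-existing `_sort` guard on the context line uses the same pattern, so this is a tightening rather than a flaw in the fix; if adopted it belongs on all of them at once, e.g. `if (!preg_match('/^[a-zA-Z_-]+\z/', $col)) {` (or the `D` modifier), keeping the `_cols` variant's comma. The `continue` in func.inc also drops a rejected column silently, which matches the surrounding style but leaves no trace for operators who might want to know a stored preference was malformed. The bookworm copy of CVE-2024-37384.patch (index.php / list.php) carries the identical guards and the same points apply there. rcmail_message_list_head and the list.inc script both continue outside the hunk.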
diff -Nru roundcube-1.4.15+dfsg.1/debian/patches/series roundcube-1.4.15+dfsg.1/debian/patches/series
--- roundcube-1.4.15+dfsg.1/debian/patches/series 2023-11-28 15:49:21.000000000 +0100
+++ roundcube-1.4.15+dfsg.1/debian/patches/series 2024-06-17 04:10:38.000000000 +0200
@@ -20,3 +20,5 @@
fix-Framework_Washtml-test_wash_xss_tests.patch
bump-upstream-version.patch
CVE-2023-47272.patch
+CVE-2024-37384.patch
+CVE-2024-37383.patch
-------------- next part --------------
diffstat for roundcube-1.6.5+dfsg roundcube-1.6.5+dfsg
changelog | 9 +++++
patches/CVE-2024-37383.patch | 43 +++++++++++++++++++++++++++
patches/CVE-2024-37384.patch | 68 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 122 insertions(+)
diff -Nru roundcube-1.6.5+dfsg/debian/changelog roundcube-1.6.5+dfsg/debian/changelog
--- roundcube-1.6.5+dfsg/debian/changelog 2023-11-28 16:10:54.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/changelog 2024-06-17 03:15:26.000000000 +0200
@@ -1,3 +1,12 @@
+roundcube (1.6.5+dfsg-1+deb12u2) bookworm-security; urgency=high
+
+ * Fix CVE-2024-37384: Cross-site scripting (XSS) vulnerability in handling
+ list columns from user preferences. (Closes: #1071474)
+ * Fix CVE-2024-37383: Cross-site scripting (XSS) vulnerability in handling
+ SVG animate attributes. (Closes: #1071474)
+
+ -- Guilhem Moulin <guilhem at debian.org> Mon, 17 Jun 2024 03:15:26 +0200
+
roundcube (1.6.5+dfsg-1~deb12u1) bookworm-security; urgency=high
* New upstream security and bugfix release:
diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37383.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37383.patch
--- roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37383.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37383.patch 2024-06-17 03:15:26.000000000 +0200
@@ -0,0 +1,43 @@
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sun, 19 May 2024 10:20:09 +0200
+Subject: Fix cross-site scripting (XSS) vulnerability in handling SVG animate
+ attributes
+
+Reported by Valentin T. and Lutz Wolf of CrowdStrike.
+
+Origin: https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37383
+Bug-Debian: https://bugs.debian.org/1071474
+---
+ program/lib/Roundcube/rcube_washtml.php | 2 +-
+ tests/Framework/Washtml.php | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index 74d455e..3041842 100644
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -541,7 +541,7 @@ class rcube_washtml
+
+ foreach ($node->attributes as $name => $attr) {
+ if (strtolower($name) === $attr_name) {
+- if (strtolower($attr_value) === strtolower($attr->nodeValue)) {
++ if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
+ return true;
+ }
+ }
+diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
+index f9757f3..6bfbc14 100644
+--- a/tests/Framework/Washtml.php
++++ b/tests/Framework/Washtml.php
+@@ -473,6 +473,10 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<svg><use x-washed="href"></use></svg>'
+ ],
++ [
++ '<html><svg><animate attributeName="href " values="javascript:alert(\'XSS\')" href="#link" /></animate></svg></html>',
++ '<svg><!-- animate blocked --></svg>',
++ ],
+ ];
+ }
+
diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37384.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37384.patch
--- roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37384.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/patches/CVE-2024-37384.patch 2024-06-17 03:15:26.000000000 +0200
@@ -0,0 +1,68 @@
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sun, 19 May 2024 10:15:30 +0200
+Subject: Fix cross-site scripting (XSS) vulnerability in handling list
+ columns from user preferences
+
+Reported by Huy Nguyễn Phạm Nhật.
+
+Origin: https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37384
+Bug-Debian: https://bugs.debian.org/1071474
+---
+ program/actions/mail/index.php | 5 +++++
+ program/actions/mail/list.php | 10 ++++++----
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/program/actions/mail/index.php b/program/actions/mail/index.php
+index 41e09bf..e075359 100644
+--- a/program/actions/mail/index.php
++++ b/program/actions/mail/index.php
+@@ -652,6 +652,11 @@ class rcmail_action_mail_index extends rcmail_action
+ }
+
+ foreach ($a_show_cols as $col) {
++ // sanity check
++ if (!preg_match('/^[a-zA-Z_-]+$/', $col)) {
++ continue;
++ }
++
+ $label = '';
+ $sortable = false;
+ $rel_col = $col == 'date' && $sort_col == 'arrival' ? 'arrival' : $col;
+diff --git a/program/actions/mail/list.php b/program/actions/mail/list.php
+index 81374f1..33962ba 100644
+--- a/program/actions/mail/list.php
++++ b/program/actions/mail/list.php
+@@ -31,10 +31,12 @@ class rcmail_action_mail_list extends rcmail_action_mail_index
+ $rcmail = rcmail::get_instance();
+ $save_arr = [];
+ $dont_override = (array) $rcmail->config->get('dont_override');
+- $cols = null;
+
+- // is there a sort type for this request?
+ $sort = rcube_utils::get_input_string('_sort', rcube_utils::INPUT_GET);
++ $cols = rcube_utils::get_input_string('_cols', rcube_utils::INPUT_GET);
++ $layout = rcube_utils::get_input_string('_layout', rcube_utils::INPUT_GET);
++
++ // is there a sort type for this request?
+ if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
+ // yes, so set the sort vars
+ list($sort_col, $sort_order) = explode('_', $sort);
+@@ -49,7 +51,7 @@ class rcmail_action_mail_list extends rcmail_action_mail_index
+ }
+
+ // is there a set of columns for this request?
+- if ($cols = rcube_utils::get_input_string('_cols', rcube_utils::INPUT_GET)) {
++ if ($cols && preg_match('/^[a-zA-Z_,-]+$/', $cols)) {
+ $_SESSION['list_attrib']['columns'] = explode(',', $cols);
+ if (!in_array('list_cols', $dont_override)) {
+ $save_arr['list_cols'] = explode(',', $cols);
+@@ -57,7 +59,7 @@ class rcmail_action_mail_list extends rcmail_action_mail_index
+ }
+
+ // register layout change
+- if ($layout = rcube_utils::get_input_string('_layout', rcube_utils::INPUT_GET)) {
++ if ($layout && preg_match('/^[a-zA-Z_-]+$/', $layout)) {
+ $rcmail->output->set_env('layout', $layout);
+ $save_arr['layout'] = $layout;
+ // force header replace on layout change
diff -Nru roundcube-1.6.5+dfsg/debian/patches/series roundcube-1.6.5+dfsg/debian/patches/series
--- roundcube-1.6.5+dfsg/debian/patches/series 2023-11-28 16:10:54.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/patches/series 2024-06-17 03:15:26.000000000 +0200
@@ -16,3 +16,5 @@
mark-flaky-tests-as-such.patch
dont-force-set-session.gc_probability=1.patch
fix-upstream-test-suite.patch
+CVE-2024-37384.patch
+CVE-2024-37383.patch