[Pkg-roundcube-maintainers] bookworm-security upload for CVE-2025-49113/roundcube

Guilhem Moulin guilhem at debian.org
Mon Jun 2 12:45:10 BST 2025


Hi,

I'd like to propose the attached tested debdiff to fix CVE-2025-49113 in
roundcube.  AFAICT neither upstream nor the reporter provided a PoC, but
a simple way to trigger the attack is to edit app.js so that a maliciously
crafted `_from` parameter is sent when uploading an image.  With the patch
applied, such a request now fails with an “Invalid input” error.

The debdiff also includes a regression fix for the CVE-2024-42009 patch.
Both patches come from upstream's release-1.6 branch.

Cheers,
-- 
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.6.5+dfsg roundcube-1.6.5+dfsg

 changelog                                                               |    9 +
 patches/CVE-2025-49113.patch                                            |   89 ++++++++++
 patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch |   54 ++++++
 patches/series                                                          |    2 
 4 files changed, 154 insertions(+)

diff -Nru roundcube-1.6.5+dfsg/debian/changelog roundcube-1.6.5+dfsg/debian/changelog
--- roundcube-1.6.5+dfsg/debian/changelog	2024-08-12 14:59:59.000000000 +0200
+++ roundcube-1.6.5+dfsg/debian/changelog	2025-06-02 10:01:44.000000000 +0200
@@ -1,3 +1,12 @@
+roundcube (1.6.5+dfsg-1+deb12u5) bookworm-security; urgency=high
+
+  * Fix CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.
+    (Closes: #1107073)
+  * Regression fix: CVE-2024-42009.patch from 1.6.5+dfsg-1+deb12u3 and
+    1.6.5+dfsg-1+deb12u4 caused some HTML messages to be displayed unstyled.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Mon, 02 Jun 2025 10:01:44 +0200
+
 roundcube (1.6.5+dfsg-1+deb12u4) bookworm-security; urgency=medium
 
   * Regression fix: The original fix for CVE-2024-42008 broke printing and
diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch
--- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch	2025-06-02 10:01:44.000000000 +0200
@@ -0,0 +1,89 @@
+From: Pablo Zmdl <57864086+pabzm at users.noreply.github.com>
+Date: Sun, 1 Jun 2025 09:18:54 +0200
+Subject: Validate URL parameter in upload code
+
+Origin: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
+Bug: https://github.com/roundcube/roundcubemail/pull/9865
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49113
+Bug-Debian: https://bugs.debian.org/1107073
+---
+ program/actions/settings/upload.php   |  7 +++++++
+ program/lib/Roundcube/rcube_utils.php | 16 ++++++++++++++++
+ tests/Framework/Utils.php             | 19 +++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/program/actions/settings/upload.php b/program/actions/settings/upload.php
+index d1cbbdc..513e5d1 100644
+--- a/program/actions/settings/upload.php
++++ b/program/actions/settings/upload.php
+@@ -32,6 +32,13 @@ class rcmail_action_settings_upload extends rcmail_action
+         $from   = rcube_utils::get_input_string('_from', rcube_utils::INPUT_GET);
+         $type   = preg_replace('/(add|edit)-/', '', $from);
+ 
++        // Validate URL input.
++        if (!rcube_utils::is_simple_string($type)) {
++            rcmail::write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
++            $rcmail->output->command('display_message', 'Invalid input', 'error');
++            $rcmail->output->send('iframe');
++        }
++
+         // Plugins in Settings may use this file for some uploads (#5694)
+         // Make sure it does not contain a dot, which is a special character
+         // when using rcube_session::append() below
+diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
+index 6811553..b5f8606 100644
+--- a/program/lib/Roundcube/rcube_utils.php
++++ b/program/lib/Roundcube/rcube_utils.php
+@@ -285,6 +285,22 @@ class rcube_utils
+         return is_string($value) ? $value : '';
+     }
+ 
++    /**
++     * Check if input value is a "simple" string.
++     * "Simple" is defined as a non-empty string containing only
++     *  - "word" characters (alphanumeric plus underscore),
++     *  - dots,
++     *  - dashes.
++     *
++     * @param string $input The string to test
++     *
++     * @return bool
++     */
++    public static function is_simple_string($input)
++    {
++        return is_string($input) && !!preg_match('/^[\w.-]+$/i', $input);
++    }
++
+     /**
+      * Read request parameter value and convert it for internal use
+      * Performs stripslashes() and charset conversion if necessary
+diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
+index 4cd2750..019895b 100644
+--- a/tests/Framework/Utils.php
++++ b/tests/Framework/Utils.php
+@@ -503,6 +503,25 @@ class Framework_Utils extends PHPUnit\Framework\TestCase
+         $this->assertSame('', rcube_utils::get_input_string('test', rcube_utils::INPUT_GET));
+     }
+ 
++    /**
++     * rcube_utils::is_simple_string()
++     */
++    function test_is_simple_string()
++    {
++        $this->assertTrue(rcube_utils::is_simple_string('some-thing.123_'));
++        $this->assertFalse(rcube_utils::is_simple_string(''));
++        $this->assertFalse(rcube_utils::is_simple_string(' '));
++        $this->assertFalse(rcube_utils::is_simple_string('some–thing'));
++        $this->assertFalse(rcube_utils::is_simple_string('some=thing'));
++        $this->assertFalse(rcube_utils::is_simple_string('some thing'));
++        $this->assertFalse(rcube_utils::is_simple_string('some!thing'));
++        $this->assertFalse(rcube_utils::is_simple_string('%20'));
++        $this->assertFalse(rcube_utils::is_simple_string('\0000'));
++        $this->assertFalse(rcube_utils::is_simple_string(1));
++        $this->assertFalse(rcube_utils::is_simple_string(new stdClass()));
++        $this->assertFalse(rcube_utils::is_simple_string(null));
++    }
++
+     /**
+      * rcube:utils::file2class()
+      */
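Review bot: The regex in `is_simple_string` (the `rcube_utils.php` hunk) uses `$` without the `D` modifier, so a value with a single trailing newline such as `"foo\n"` still matches and is accepted, contradicting the docblock's "containing only" contract; use `preg_match('/^[\w.-]+\z/', $input)` (or add `D`), and drop the redundant `i` flag since `\w` already covers both cases. Whether a trailing newline is reachable via `_from` and matters to the session-key handling further down depends on code outside the hunk, but the validator should not let it through. In the test, `'\0000'` in single quotes is a four-byte string starting with a literal backslash, not a NUL byte; `"\0000"` would exercise what the case name suggests. The `upload.php` guard has no `return` after `$rcmail->output->send('iframe')`, so it relies on `send()` terminating the request — worth a one-line comment such as `// send() exits; nothing below runs for rejected input` if that is the intended contract (the rest of the action body is outside the hunk).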
diff -Nru roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch
--- roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch	2025-06-02 10:01:44.000000000 +0200
@@ -0,0 +1,54 @@
+From: Aleksander Machniak <alec at alec.pl>
+Date: Fri, 16 Aug 2024 19:56:51 +0200
+Subject: Fix regression where HTML messages were displayed unstyled
+
+Origin: https://github.com/roundcube/roundcubemail/commit/f343ecea09f8968d0655ff97fb7cea7a6d873a79
+Bug: https://github.com/roundcube/roundcubemail/issues/9586
+---
+ program/lib/Roundcube/rcube_washtml.php |  6 ++++++
+ tests/Actions/Mail/Index.php            | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index e9dcea4..281d369 100644
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -709,6 +709,12 @@ class rcube_washtml
+      */
+     public function get_config($prop)
+     {
++        $config_props = ['html_elements', 'html_attribs', 'ignore_elements', 'void_elements', 'css_prefix'];
++
++        if (in_array($prop, $config_props)) {
++            return $this->{"_{$prop}"};
++        }
++
+         return $this->config[$prop] ?? null;
+     }
+ 
+diff --git a/tests/Actions/Mail/Index.php b/tests/Actions/Mail/Index.php
+index b3ae049..d3fcca2 100644
+--- a/tests/Actions/Mail/Index.php
++++ b/tests/Actions/Mail/Index.php
+@@ -422,6 +422,21 @@ class Actions_Mail_Index extends ActionTestCase
+         $this->assertSame('<html><head></head>' . $part->body . '</html>', $washed);
+     }
+ 
++    /**
++     * Test handling css style in HTML in wash_html() method
++     */
++    public function test_wash_html()
++    {
++        $html = '<div id="testid" class="testclass">Test</div>'
++            . '<style type="text/css">#testid .testclass { color: red; } *.testclass { font-weight: bold; }</style>';
++        $opts = ['safe' => false, 'css_prefix' => 'v1', 'add_comments' => false];
++
++        $washed = \rcmail_action_mail_index::wash_html($html, $opts);
++
++        $this->assertStringContainsString('<div id="v1testid" class="v1testclass">', $washed);
++        $this->assertStringContainsString('<style type="text/css">#v1testid .v1testclass { color: red; } *.v1testclass { font-weight: bold; }</style>', $washed);
++    }
++
+     /**
+      * Test handling of body style attributes
+      */
diff -Nru roundcube-1.6.5+dfsg/debian/patches/series roundcube-1.6.5+dfsg/debian/patches/series
--- roundcube-1.6.5+dfsg/debian/patches/series	2024-08-12 14:59:59.000000000 +0200
+++ roundcube-1.6.5+dfsg/debian/patches/series	2025-06-02 10:01:44.000000000 +0200
@@ -26,3 +26,5 @@
 CVE-2024-42008.patch
 Fix-regression-where-printing-scaling-rotating-image-atta.patch
 CVE-2024-42010.patch
+Fix-regression-where-HTML-messages-were-displayed-unstyle.patch
+CVE-2025-49113.patch