Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi there, In a recent post, roundcube webmail upstream announced the following security fix: CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace. This is tracked as #964355. The security team gave the green light for an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested targeting old-p-u for stretch. stretch currently has 1.2.3+dfsg.1-4+deb9u3, while stretch-security and stretch-pu have 1.2.3+dfsg.1-4+deb9u5. Both debdiffs are attached. unblock roundcube/1.2.3+dfsg.1-4+deb9u6 cheers -- Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
 changelog | 8 ++++++++
 patches/CVE-2020-15562.patch | 33 +++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 42 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+ * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+ vulnerability via HTML messages with malicious svg/namespace
+ (Closes: #964355)
+
+ -- Guilhem Moulin <guil...@debian.org> Mon, 06 Jul 2020 16:14:59 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high

 * Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 2020-07-06 16:14:59.000000000 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <a...@alec.pl>
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+ $xpath = new DOMXPath($node->ownerDocument);
+ foreach ($xpath->query('namespace::*') as $ns) {
+ if ($ns->nodeName != 'xmlns:xml') {
+- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
++ $dump .= sprintf(' %s="%s"',
++ $ns->nodeName,
++ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
++ );
+ }
+ }
+ }
+@@ -507,7 +510,7 @@ class rcube_washtml
+ $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+
+ // SVG need to be parsed as XML
+- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
++ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
+ $method = $this->is_xml ? 'loadXML' : 'loadHTML';
+ $options = 0;
+
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-07-06 16:14:59.000000000 +0200
@@ -20,3 +20,4 @@
 CVE-2020-12626.patch
 CVE-2020-13964.patch
 CVE-2020-13965.patch
+CVE-2020-15562.patch
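Review bot: The new `is_xml` test in the second nested hunk (`@@ -507,7 +510,7 @@`) matches `<(html|head|body)` with no boundary after the tag name, so an HTML5 `<header>` (or any tag whose name merely starts with one of those words) also counts as an HTML document marker; if that is not intended, `$this->is_xml = !preg_match('/<(html|head|body)\b/i', $html) && stripos($html, '<svg') !== false;` keeps the detection exact. The only consequence of the current form is that such input falls through to `loadHTML`, which is the conservative path, so this is a precision point rather than a safety regression. In the first nested hunk the namespace value is now escaped for the attribute context while `$ns->nodeName` is still interpolated raw; that appears acceptable because the parser only yields NCName prefixes there, but a comment such as `// nodeName is a parser-validated NCName; only nodeValue needs attribute escaping` would make the asymmetry deliberate. Both nested hunks sit inside methods whose start and end lie outside the patch context. The second attached debdiff is identical and the same remarks apply to it.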
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
 changelog | 8 ++++++++
 patches/CVE-2020-15562.patch | 33 +++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 42 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.000000000 +0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+ * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+ vulnerability via HTML messages with malicious svg/namespace
+ (Closes: #964355)
+
+ -- Guilhem Moulin <guil...@debian.org> Mon, 06 Jul 2020 16:14:59 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high

 * Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 2020-07-06 16:14:59.000000000 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <a...@alec.pl>
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+ $xpath = new DOMXPath($node->ownerDocument);
+ foreach ($xpath->query('namespace::*') as $ns) {
+ if ($ns->nodeName != 'xmlns:xml') {
+- $dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"';
++ $dump .= sprintf(' %s="%s"',
++ $ns->nodeName,
++ htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])
++ );
+ }
+ }
+ }
+@@ -507,7 +510,7 @@ class rcube_washtml
+ $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+
+ // SVG need to be parsed as XML
+- $this->is_xml = stripos($html, '<html') === false && stripos($html, '<svg') !== false;
++ $this->is_xml = !preg_match('/<(html|head|body)/i', $html) && stripos($html, '<svg') !== false;
+ $method = $this->is_xml ? 'loadXML' : 'loadHTML';
+ $options = 0;
+
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-07-06 16:14:59.000000000 +0200
@@ -20,3 +20,4 @@
 CVE-2020-12626.patch
 CVE-2020-13964.patch
 CVE-2020-13965.patch
+CVE-2020-15562.patch
signature.asc
Description: PGP signature