Your message dated Fri, 31 Aug 2012 21:58:50 +0100
with message-id <[email protected]>
and subject line Re: Bug#685918: unblock: roundcube/0.7.2-4
has caused the Debian Bug report #685918,
regarding unblock: roundcube/0.7.2-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
685918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685918
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear release team,
Please unblock package roundcube
The upload fixes an XSS issue (CVE-2012-3508). I am attaching the
debdiff against the current package in testing.
unblock roundcube/0.7.2-4
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJQOh75AAoJEJWkL+g1NSX5j7EQAIVT4YcKcO+2Q2TOUzoeR7rW
1KdSvQobt76wG0MMqdXc1Sl9FOILQfwfbKPbuh/xHcTAW+vR/lQ5HCDbkZ3ughox
7qPcTNzkOxHxQP3gw2/MY+VBQIh9fhBF5/ShVli2l3PX9AzyqHT7ZoVJ5A75JkND
no1n/b9rbpN5qJVI5arrHaS9Cocb4+xMf3dKvBJJpckU1PmyMaxSEtoyJfYJ8a7Q
E99kA2ajMZlkBGZdCM/B61IT0dkJw4Bff3yaEIYbD21dhUzZEpGokT8fv9XfhNOA
JjLqfVEQHaXG0mQHMhcCJ7U19WN6UcCnbnTfpDVhc54aq3tfFVta7BBwQOe2wBYr
b2+woe+ow3g+sj3Zl/dt2oBJO9253U9p4A6pi1aLECHjGnAY7uAi5Kjvc79ffXWw
CXnwrPgO5j8YA8oFhMiFdtjuZmmefKXURpA0eVvEn3ywZkoaPsygIWzy36nL7cbK
/yEEecXLfsTnHSuictqbsJkIr+sfycOsUWdibSDYrzJKiGhRG6Qt3jV51tCTLC6s
WHEfsR7urQK6fwT7bJorySMCt6fAxr4/OH6Z5PionVLpAbw9DA4jq+byI2GFuiHY
PAATqw6Ny9UqWARzjZOvgZ2hx0GkRqLenIAiYR6hSrONfwlpq37cQ7D4N5Mpg6vN
8q3vWKOBwQ50+4rZahGg
=aj71
-----END PGP SIGNATURE-----
diff -Nru roundcube-0.7.2/debian/changelog roundcube-0.7.2/debian/changelog
--- roundcube-0.7.2/debian/changelog 2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/changelog 2012-08-26 14:21:48.000000000 +0200
@@ -1,3 +1,9 @@
+roundcube (0.7.2-4) unstable; urgency=high
+
+ * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
+
+ -- Vincent Bernat <[email protected]> Sun, 26 Aug 2012 14:20:24 +0200
+
roundcube (0.7.2-3) unstable; urgency=low
* Remove old Replaces/Breaks for roundcube-core since it is not needed
diff -Nru roundcube-0.7.2/debian/patches/cve-2012-3508.patch roundcube-0.7.2/debian/patches/cve-2012-3508.patch
--- roundcube-0.7.2/debian/patches/cve-2012-3508.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-0.7.2/debian/patches/cve-2012-3508.patch 2012-08-26 14:21:48.000000000 +0200
@@ -0,0 +1,126 @@
+Fix CVE-2012-3508. Self XSS with signature.
+See:
+ https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
+
+Index: roundcube/program/js/app.js.src
+===================================================================
+--- roundcube.orig/program/js/app.js.src 2012-04-28 10:26:30.133307979 +0200
++++ roundcube/program/js/app.js.src 2012-08-26 14:19:04.611476200 +0200
+@@ -3183,8 +3183,7 @@
+ input_message = $("[name='_message']"),
+ message = input_message.val(),
+ is_html = ($("input[name='_is_html']").val() == '1'),
+- sig = this.env.identity,
+- sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
++ sig = this.env.identity;
+
+ // enable manual signature insert
+ if (this.env.signatures && this.env.signatures[id]) {
+@@ -3197,25 +3196,18 @@
+ if (!is_html) {
+ // remove the 'old' signature
+ if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
+-
+- sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
++ sig = this.env.signatures[sig].text;
+ sig = sig.replace(/\r\n/g, '\n');
+
+- if (!sig.match(/^--[ -]\n/m))
+- sig = sig_separator + '\n' + sig;
+-
+ p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
+ if (p >= 0)
+ message = message.substring(0, p) + message.substring(p+sig.length, message.length);
+ }
+ // add the new signature string
+ if (show_sig && this.env.signatures && this.env.signatures[id]) {
+- sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
++ sig = this.env.signatures[id].text;
+ sig = sig.replace(/\r\n/g, '\n');
+
+- if (!sig.match(/^--[ -]\n/m))
+- sig = sig_separator + '\n' + sig;
+-
+ if (this.env.sig_above) {
+ if (p >= 0) { // in place of removed signature
+ message = message.substring(0, p) + sig + message.substring(p, message.length);
+@@ -3279,21 +3271,8 @@
+ }
+ }
+
+- if (this.env.signatures[id]) {
+- if (this.env.signatures[id].is_html) {
+- sig = this.env.signatures[id].text;
+- if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
+- sig = sig_separator + '<br />' + sig;
+- }
+- else {
+- sig = this.env.signatures[id].text;
+- if (!sig.match(/^--[ -]\r?\n/m))
+- sig = sig_separator + '\n' + sig;
+- sig = '<pre>' + sig + '</pre>';
+- }
+-
+- sigElem.innerHTML = sig;
+- }
++ if (this.env.signatures[id])
++ sigElem.innerHTML = this.env.signatures[id].html;
+ }
+
+ this.env.identity = id;
+Index: roundcube/program/steps/mail/compose.inc
+===================================================================
+--- roundcube.orig/program/steps/mail/compose.inc 2012-02-04 09:18:15.186795165 +0100
++++ roundcube/program/steps/mail/compose.inc 2012-08-26 14:19:04.615476279 +0200
+@@ -520,7 +520,7 @@
+
+ function rcmail_compose_header_from($attrib)
+ {
+- global $MESSAGE, $OUTPUT;
++ global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
+
+ // pass the following attributes to the form class
+ $field_attrib = array('name' => '_from');
+@@ -531,6 +531,8 @@
+ if (count($MESSAGE->identities))
+ {
+ $a_signatures = array();
++ $separator = $RCMAIL->config->get('sig_above')
++ && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
+
+ $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
+ $select_from = new html_select($field_attrib);
+@@ -544,13 +546,27 @@
+ // add signature to array
+ if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
+ {
+- $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
+- $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
+- if ($a_signatures[$identity_id]['is_html'])
+- {
+- $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
+- $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
++ $text = $html = $sql_arr['signature'];
++
++ if ($sql_arr['html_signature']) {
++ $h2t = new html2text($sql_arr['signature'], false, false);
++ $text = trim($h2t->get_text());
++ }
++ else {
++ $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
++ }
++
++ if (!preg_match('/^--[ -]\r?\n/m', $text)) {
++ $text = $separator . "\n" . $text;
++ $html = $separator . "<br>" . $html;
+ }
++
++ if (!$sql_arr['html_signature']) {
++ $html = "<pre>" . $html . "</pre>";
++ }
++
++ $a_signatures[$identity_id]['text'] = $text;
++ $a_signatures[$identity_id]['html'] = $html;
+ }
+ }
+
diff -Nru roundcube-0.7.2/debian/patches/series roundcube-0.7.2/debian/patches/series
--- roundcube-0.7.2/debian/patches/series 2012-06-24 01:51:00.000000000 +0200
+++ roundcube-0.7.2/debian/patches/series 2012-08-26 14:21:48.000000000 +0200
@@ -6,3 +6,4 @@
default-charset-utf8.patch
debianize_password_plugin.patch
use-debian-jquery-ui.patch
+cve-2012-3508.patch
--- End Message ---
--- Begin Message ---
On Sun, 2012-08-26 at 15:05 +0200, Vincent Bernat wrote:
> Please unblock package roundcube
>
> The upload fixes an XSS issue (CVE-2012-3508). I am attaching the
> debdiff against the current package in testing.
Unblocked; thanks.
Regards,
Adam
--- End Message ---
