612796 – (CVE-2017-6820) <mail-client/roundcube-1.2.4: XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)

Bug 612796 (CVE-2017-6820) - <mail-client/roundcube-1.2.4: XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)

Summary: <mail-client/roundcube-1.2.4: XSS issue in handling of a style tag inside of ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-6820

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2017/q1/583
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:	612662
Blocks:
	Show dependency tree

Reported:	2017-03-16 08:56 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-04-19 07:07 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=mail-client/roundcube-1.2.4
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-16 08:56:11 UTC

From $URL:

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element..

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-18 13:36:19 UTC

@ Arches,

please test and mark stable: =mail-client/roundcube-1.2.4

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2017-03-19 13:48:02 UTC

CVE-2017-6820 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6820):
  rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is
  susceptible to a cross-site scripting vulnerability via a crafted Cascading
  Style Sheets (CSS) token sequence within an SVG element.

Comment 3 Agostino Sarubbo gentoo-dev

2017-03-20 12:28:55 UTC

amd64 stable

Comment 4 Michael Weber (RETIRED) gentoo-dev

2017-03-21 10:00:26 UTC

arm stable.

Comment 5 Agostino Sarubbo gentoo-dev

2017-03-21 14:34:45 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-23 20:35:11 UTC

GLSA Vote: Yes

New GLSA request filed.

Comment 7 Yury German Gentoo Infrastructure

2017-03-29 06:18:03 UTC

(In reply to Thomas Deutschmann from comment #6)
> GLSA Vote: Yes
> 
> New GLSA request filed.

There are no GLSA's for Cross Site Scripting
Maintainer(s), please drop the vulnerable version(s).

Comment 8 Aaron W. Swenson gentoo-dev

2017-04-18 13:16:59 UTC

(In reply to Yury German from comment #7)
> (In reply to Thomas Deutschmann from comment #6)
> > GLSA Vote: Yes
> > 
> > New GLSA request filed.
> 
> There are no GLSA's for Cross Site Scripting
> Maintainer(s), please drop the vulnerable version(s).

Dropped.

Comment 9 Yury German Gentoo Infrastructure

2017-04-19 07:07:27 UTC

Arches and Maintainer(s), Thank you for your work.