Bug 669696 - <mail-client/roundcube-1.3.8: XSS via email attachments
Summary: <mail-client/roundcube-1.3.8: XSS via email attachments
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/roundcube/roundcub...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-26 18:48 UTC by Vlad K.
Modified: 2018-11-26 19:01 UTC

See Also:
Package list:
mail-client/roundcube-1.3.8
Runtime testing required: No
stable-bot: sanity-check+


Description Vlad K. 2018-10-26 18:48:00 UTC
A new release of Roundcube 1.3, 1.3.8, is available. Among other things, it fixes a security issue.

"This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8."

No CVE assigned yet.


* Release notes:

  https://github.com/roundcube/roundcubemail/releases/tag/1.3.8


* XSS vuln issue:

  https://github.com/roundcube/roundcubemail/issues/6410


--
Gentoo Security Scout
Vladimir Krstulja
Comment 1 Larry the Git Cow gentoo-dev 2018-11-04 11:00:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da4ec2b100597b0e25a43e10059ac2dbfba3dd0e

commit da4ec2b100597b0e25a43e10059ac2dbfba3dd0e
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-04 11:00:31 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-04 11:00:34 +0000

    mail-client/roundcube: Security Bump to 1.3.8
    
    Resolves an XSS vulnerability.
    
    Additionally, contains updates to ensure compatibility with PHP 7.3 and recent
    versions of Courier-IMAP, Dovecot and MySQL 8.
    
    Bug: https://bugs.gentoo.org/669696
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Signed-off-by: Aaron Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.3.8.ebuild | 96 ++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
Comment 2 Aaron W. Swenson gentoo-dev 2018-11-04 11:05:04 UTC
Please stabilize:
=mail-client/roundcube-1.3.8 ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-04 19:15:23 UTC
x86 stable
Comment 4 Rolf Eike Beer archtester 2018-11-05 17:33:40 UTC
sparc stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-05 18:11:06 UTC
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-17 15:41:38 UTC
arm stable
Comment 7 ernsteiswuerfel archtester 2018-11-18 01:32:40 UTC
Looking good on ppc64.

# cat roundcube-669696.report
USE tests started on Sa 17. Nov 20:35:51 CET 2018

merging test dependencies of =mail-client/roundcube-1.3.8 failed
USE='-change-password enigma ldap managesieve -mysql -postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap managesieve mysql -postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap -managesieve mysql -postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma -ldap -managesieve mysql postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap managesieve mysql postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap managesieve mysql -postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap -managesieve mysql postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap -managesieve mysql postgres -spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap -managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma ldap -managesieve -mysql postgres -spell -sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve -mysql -postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
Comment 8 ernsteiswuerfel archtester 2018-11-18 01:34:16 UTC
Looking good on ppc.

# cat /mnt/mychroot/root/tatt/roundcube-669696.report
USE tests started on Sa 17. Nov 15:04:06 CET 2018

merging test dependencies of =mail-client/roundcube-1.3.8 failed
USE='change-password -enigma ldap -managesieve mysql -postgres -spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap -managesieve -mysql postgres -spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap managesieve -mysql -postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password enigma -ldap managesieve mysql postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve mysql -postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve -mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma -ldap managesieve -mysql postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password enigma ldap -managesieve mysql postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap -managesieve mysql -postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='change-password -enigma ldap managesieve -mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
USE='-change-password -enigma ldap managesieve mysql -postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.8
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-25 12:06:26 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 15:42:20 UTC
@maintainers, please drop the vulnerable.
Comment 11 Larry the Git Cow gentoo-dev 2018-11-26 10:20:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccd38d0162c3dea1860773d0c53dd6c7c90c56a8

commit ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-26 10:19:29 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-26 10:20:34 +0000

    mail-client/roundcube: Remove old, insecure
    
    Bug: https://bugs.gentoo.org/669696
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest               |  2 -
 mail-client/roundcube/roundcube-1.3.6.ebuild | 99 ----------------------------
 mail-client/roundcube/roundcube-1.3.7.ebuild | 96 ---------------------------
 3 files changed, 197 deletions(-)
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-11-26 19:01:10 UTC
(In reply to Larry the Git Cow from comment #11)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
> 
> commit ccd38d0162c3dea1860773d0c53dd6c7c90c56a8
> Author:     Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-11-26 10:19:29 +0000
> Commit:     Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-11-26 10:20:34 +0000
> 
>     mail-client/roundcube: Remove old, insecure
>     
>     Bug: https://bugs.gentoo.org/669696
>     Package-Manager: Portage-2.3.51, Repoman-2.3.11
>     Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>
> 
>  mail-client/roundcube/Manifest               |  2 -
>  mail-client/roundcube/roundcube-1.3.6.ebuild | 99
> ----------------------------
>  mail-client/roundcube/roundcube-1.3.7.ebuild | 96
> ---------------------------
>  3 files changed, 197 deletions(-)

Thank you!