Bug 731080 - <mail-client/roundcube-1.4.7: cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://roundcube.net/news/2020/07/05...
Whiteboard: B4 [noglsa cve]
Keywords: PullRequest
Duplicates: 732116
Depends on: CVE-2020-16145
Blocks:
Reported: 2020-07-06 13:10 UTC by Tupone Alfredo
Modified: 2020-08-30 03:17 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Description Tupone Alfredo gentoo-dev 2020-07-06 13:10:33 UTC
<=mail-client/roundcube-1.4.6 and
<=mail-client/roundcube-1.3.11 are affected

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-10 17:24:01 UTC
*** Bug 732116 has been marked as a duplicate of this bug. ***
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-10 17:25:09 UTC
Please bump (and ideally add the stabilise-allarches to metadata.xml if appropriate), thanks!
Comment 3 Philippe Chaintreuil 2020-07-10 18:15:03 UTC
@titanofold: The PR[1] for 1.4.7 also adds the <stabilize-allarches/> tag as requested by @sam. Seems like it applies, and @hydrapolic seemed to agree in that last stabilization bug[2].

If you disagree, say the word and I'll pull it out of the PR.

[1] https://github.com/gentoo/gentoo/pull/16660
[2] https://bugs.gentoo.org/727150#c4
Comment 4 Larry the Git Cow gentoo-dev 2020-07-24 03:40:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37285d87c17c7accb45486a022f094bc1a76a0a8

commit 37285d87c17c7accb45486a022f094bc1a76a0a8
Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2020-07-10 17:41:43 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-24 03:40:40 +0000

    mail-client/roundcube: Bump to 1.4.7
    
     - 1.4.7 ebuild is just a copy of 1.4.6's.
     - Added <stabilize-allarches/> to metadata.xml
    
    Bug: https://bugs.gentoo.org/731080
    Closes: https://github.com/gentoo/gentoo/pull/16660
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Closes: https://github.com/gentoo/gentoo/pull/16660
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/metadata.xml           |  1 +
 mail-client/roundcube/roundcube-1.4.7.ebuild | 73 ++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-08-30 03:17:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4a4b6f347e99cdc11c7123fb6ad82da3f0e1cb5

commit a4a4b6f347e99cdc11c7123fb6ad82da3f0e1cb5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:16:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:16:58 +0000

    mail-client/roundcube: security cleanup
    
    Bug: https://bugs.gentoo.org/736742
    Bug: https://bugs.gentoo.org/731080
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-client/roundcube/Manifest               |  2 -
 mail-client/roundcube/roundcube-1.4.6.ebuild | 73 ----------------------------
 mail-client/roundcube/roundcube-1.4.7.ebuild | 73 ----------------------------
 3 files changed, 148 deletions(-)