| Field | Value |
|---|---|
| Summary | <mail-client/roundcube-1.0.2: XSS issue in the addressbook group name field (CVE-2013-5646) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | renato gallo <renatogallo> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://trac.roundcube.net/ticket/1489333 |
| Whiteboard | B4 [noglsa] |
| CC | bug, dschridde+gentoobugs, duncan, evadim, forrestfunk81, gentoo, gentoo_bugs_peep, jer, lordvan, mal, mjo, reuben-gentoo-bugzilla, web-apps, web |
| Package list | |
| Runtime testing required | --- |
| Attachments | roundcube-1.0.1.ebuild (attachment 378270) |
Description

renato gallo, 2014-04-12 15:38:17 UTC

done in ::ixit overlay, feel free to use it. BEWARE: you should move configuration into defaults.inc.php but it will work with old config anyway, so no need to rush.

There are three new bundled libs that should be removed from program/lib and added as dependencies:

* dev-php/PEAR-Crypt_GPG (program/lib/Crypt)
* dev-php/PEAR-Net_Sieve (program/lib/Sieve)
* dev-php/PEAR-Net_Socket (program/lib/Net/Socket.php)

Please also address bug #489970 during the bump.

Note: 1.0.1 has been released, so we might just want to jump to that. See bug #510264.

*** Bug 510264 has been marked as a duplicate of this bug. ***

Created attachment 378270 [details] roundcube-1.0.1.ebuild

I made the changes requested in comment #2 above to okias's earlier mentioned ebuild; he's accepted the changes on github @ https://github.com/okias/ixit/tree/master/mail-client/roundcube -- I've attached the file for ease of use.

1.0-beta fixed an XSS issue in the addressbook group name field. The release notes at http://trac.roundcube.net/wiki/Changelog further add a fix, released in 1.0.0, for an unspecified "security issue in DomainFactory driver of Password plugin". Furthermore, a security issue was found in 1.0-beta with a "wrong rule in .htaccess". Furthermore, 1.0.1 fixed an "XSS issue in plain text spellchecker"[2] that was apparently found in 1.0.0, and was later demoted to a "Mail composing" issue because "[y]ou can only XSS yourself with this". I stopped looking for more vulnerabilities after this.

[1] http://trac.roundcube.net/ticket/1489477
[2] http://trac.roundcube.net/ticket/1489806

Roundcube 1.0.2 was released: http://roundcube.net/news/2014/07/20/update-1.0.2-released/

News?

Arch teams, please test and mark stable:
=mail-client/roundcube-1.0.2
=dev-php/PEAR-Crypt_GPG-1.3.2
Targeted stable KEYWORDS: amd64 arm ppc x86

Arch teams, please test and keyword:
=mail-client/roundcube-1.0.2
=dev-php/PEAR-Crypt_GPG-1.3.2
Targeted unstable KEYWORDS: ppc64 sparc

amd64 stable

x86 stable

arm stable, and ~sparc done

ppc64 done.

Maintainer(s), please cleanup.
Security, please vote.

No GLSA for Cross Site Scripting

As per Jer's STABLEREQ add: Please correct me if I am wrong, but based on comment 9 PPC stabilization was missed for:
=mail-client/roundcube-1.0.2
=dev-php/PEAR-Crypt_GPG-1.3.2
Setting back to stable from (noglsa/cleanup), adding ppc arch.

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

(In reply to Agostino Sarubbo from comment #16)
> ppc stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

Still no GLSA for XSS. Maintainer(s), please cleanup.

*** Bug 508202 has been marked as a duplicate of this bug. ***

It looks like we're still missing hppa and ppc64 stabilizations on both,
=mail-client/roundcube-1.0.2
=dev-php/PEAR-Crypt_GPG-1.3.2
Is ppc64 a stable arch? The "Add arches" box in Bugzilla suggests that it is, but if not, feel free to ignore. HPPA however I'm pretty sure is a stable arch.

(In reply to Michael Orlitzky from comment #19)
> It looks like we're still missing hppa and ppc64 stabilizations on both,
>
> =mail-client/roundcube-1.0.2

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/mail-client/roundcube/roundcube-0.9.5.ebuild?hideattic=0&view=markup
KEYWORDS="amd64 arm ~hppa ppc ~ppc64 ~sparc x86"

They were never stable to begin with.

> =dev-php/PEAR-Crypt_GPG-1.3.2

Maybe that's for another stabilisation bug.

Ah I see, sorry for the noise. Just wanted to be sure.

This is cleaned up now.