Bug 612796 (CVE-2017-6820)

Summary:	<mail-client/roundcube-1.2.4: XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	titanofold, web-apps
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://seclists.org/oss-sec/2017/q1/583
Whiteboard:	B4 [noglsa cve]
Package list:	=mail-client/roundcube-1.2.4	Runtime testing required:	---
Bug Depends on:	612662
Bug Blocks:

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-16 08:56:11 UTC

From $URL:

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element..

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-18 13:36:19 UTC

@ Arches,

please test and mark stable: =mail-client/roundcube-1.2.4

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2017-03-19 13:48:02 UTC

CVE-2017-6820 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6820):
  rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is
  susceptible to a cross-site scripting vulnerability via a crafted Cascading
  Style Sheets (CSS) token sequence within an SVG element.

Comment 3 Agostino Sarubbo gentoo-dev

2017-03-20 12:28:55 UTC

amd64 stable

Comment 4 Michael Weber (RETIRED) gentoo-dev

2017-03-21 10:00:26 UTC

arm stable.

Comment 5 Agostino Sarubbo gentoo-dev

2017-03-21 14:34:45 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-03-23 20:35:11 UTC

GLSA Vote: Yes

New GLSA request filed.

Comment 7 Yury German Gentoo Infrastructure

2017-03-29 06:18:03 UTC

(In reply to Thomas Deutschmann from comment #6)
> GLSA Vote: Yes
> 
> New GLSA request filed.

There are no GLSA's for Cross Site Scripting
Maintainer(s), please drop the vulnerable version(s).

Comment 8 Aaron W. Swenson gentoo-dev

2017-04-18 13:16:59 UTC

(In reply to Yury German from comment #7)
> (In reply to Thomas Deutschmann from comment #6)
> > GLSA Vote: Yes
> > 
> > New GLSA request filed.
> 
> There are no GLSA's for Cross Site Scripting
> Maintainer(s), please drop the vulnerable version(s).

Dropped.

Comment 9 Yury German Gentoo Infrastructure

2017-04-19 07:07:27 UTC

Arches and Maintainer(s), Thank you for your work.