
Bug 720876 (CVE-2020-12625, CVE-2020-12626, CVE-2020-12640, CVE-2020-12641)

Summary: <mail-client/roundcube-{1.3.11,1.4.4}: Multiple vulnerabilities (CVE-2020-{12641,12625,12626,12640})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ajak, bertrand, dan, titanofold, web-apps
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
See Also: https://bugs.gentoo.org/show_bug.cgi?id=720142
https://bugs.gentoo.org/show_bug.cgi?id=720144
https://bugs.gentoo.org/show_bug.cgi?id=711270
https://bugs.gentoo.org/show_bug.cgi?id=726944
Whiteboard: B1 [glsa+ cve]
Package list:
mail-client/roundcube-1.3.11
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-05-04 03:58:09 UTC
* Fixed in 1.4.4, 1.3.11, 1.2.10 (not in tree)

- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option

URL: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10

(Note that upstream say the latter two are only possible with public installer so unlikely in production.)

* Fixed in 1.3.10

- Fix bug where it was possible to bypass the position:fixed CSS check in received messages (6898)
- Fix bug where some strict remote URIs in url() style were unintentionally blocked (6899)
- Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (6897)
- Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (6896)

URL: https://github.com/roundcube/roundcubemail/releases/tag/1.3.10
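The description above gives the fixed release per Roundcube branch (1.2.10, 1.3.11, 1.4.4) rather than a single cut-off, so a naive "is it newer than 1.3.11?" check would misjudge an unfixed 1.4.3. The script below is an added example, not part of this bug report and not Gentoo's or Roundcube's own tooling: it reads the version string from a Roundcube tree (assumption: the `RCMAIL_VERSION` define in `program/include/iniset.php`, here replaced by a constructed snippet so it runs offline) and reports whether that version is below the fixed release on its own branch, treating pre-releases of the fixed version as still affected.

```python
"""Branch-aware check of a Roundcube version against the fixed releases
named in Gentoo bug 720876. Added example; not Gentoo's or Roundcube's code."""
import re
from typing import Optional, Tuple

# Fixed release per branch, taken from the bug description
# ("Fixed in 1.4.4, 1.3.11, 1.2.10"). Branches not listed are unknown here.
FIXED_VERSIONS = {
    (1, 2): (1, 2, 10),
    (1, 3): (1, 3, 11),
    (1, 4): (1, 4, 4),
}

# MAJOR.MINOR.PATCH with an optional pre-release tag such as "-rc1" or ".beta".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?(beta|rc)\d*)?$", re.IGNORECASE)

# Assumption: Roundcube declares its version via this define in
# program/include/iniset.php. The file contents below are constructed.
INISET_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")
SAMPLE_INISET = """<?php
// constructed fragment standing in for program/include/iniset.php
define('RCMAIL_VERSION', '1.3.11');
define('RCMAIL_START', microtime(true));
"""


def version_from_iniset(source: str) -> str:
    """Extract the RCMAIL_VERSION string from iniset.php contents."""
    m = INISET_DEFINE_RE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a Roundcube version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fixed release on its branch,
    False if it is at or above it, None if the branch is not covered by the bug."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None  # e.g. a newer branch; not something this bug speaks to
    if (major, minor, patch) < fixed:
        return True
    # A pre-release of the fixed version (say 1.4.4-rc1) was cut before the fix shipped.
    if (major, minor, patch) == fixed and prerelease:
        return True
    return False


def verdict(version: str) -> str:
    """Human-readable summary for a report line."""
    state = is_vulnerable(version)
    if state is None:
        return f"roundcube {version}: branch not covered by bug 720876"
    return f"roundcube {version}: {'AFFECTED, update required' if state else 'fixed'}"


if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(verdict(found))
    for v in ("1.2.9", "1.3.10", "1.4.3", "1.4.4-rc1", "1.4.4", "1.5.0"):
        print(verdict(v))
```

Pointing `version_from_iniset` at the real `iniset.php` of an installation gives the same check against the live tree; the `None` result for an unlisted branch is deliberate, so the script never reports a branch it has no data for as fixed.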
Comment 1 Sam James archtester gentoo-dev Security 2020-05-04 03:59:53 UTC
@maintainer(s), please bump to 1.4.4 and 1.3.11.
Comment 2 Larry the Git Cow gentoo-dev 2020-05-11 10:52:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08d3ce13b04dd7fb41103d143630e2751f36faf8

commit 08d3ce13b04dd7fb41103d143630e2751f36faf8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-11 10:50:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-11 10:52:09 +0000

    mail-client/roundcube: bump to v1.311
    
    Bug: https://bugs.gentoo.org/720876
    Closes: https://bugs.gentoo.org/720144
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/roundcube/Manifest                |  1 +
 mail-client/roundcube/roundcube-1.3.11.ebuild | 97 +++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-05-14 21:30:29 UTC
x86 stable
Comment 4 Rolf Eike Beer 2020-05-25 21:45:27 UTC
sparc stable
Comment 5 Sam James archtester gentoo-dev Security 2020-05-25 21:59:43 UTC
@amd64, ping
Comment 6 John Helmert III gentoo-dev Security 2020-06-23 22:06:55 UTC
PPC, PPC64, ARM, AMD64?
Comment 7 Sam James archtester gentoo-dev Security 2020-06-26 20:33:03 UTC
arm stable
Comment 8 ernsteiswuerfel 2020-06-27 12:01:45 UTC
Looking good on ppc64.

# cat roundcube-720876.report 
USE tests started on Sa 27. Jun 13:39:23 CEST 2020

FEATURES=' test' USE='mysql' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma -ldap -managesieve mysql postgres spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap -managesieve -mysql postgres -spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma -ldap -managesieve -mysql -postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap -managesieve mysql postgres -spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma -ldap managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma ldap managesieve mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve mysql postgres spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve -mysql -postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap -managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql -postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap managesieve -mysql -postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
Comment 9 ernsteiswuerfel 2020-06-27 16:07:19 UTC
Looking good on ppc.

# cat roundcube-720876.report
USE tests started on Sa 27. Jun 17:52:40 CEST 2020

FEATURES=' test' USE='mysql' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap -managesieve mysql postgres spell -sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql -postgres -spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap managesieve mysql postgres spell sqlite -ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql -postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma ldap -managesieve -mysql postgres spell -sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma -ldap -managesieve -mysql -postgres spell sqlite ssl -vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma ldap managesieve mysql postgres -spell -sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve mysql postgres -spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password enigma ldap -managesieve mysql -postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password enigma ldap managesieve mysql postgres spell sqlite -ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='change-password -enigma -ldap -managesieve mysql postgres -spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
USE='-change-password -enigma -ldap managesieve -mysql postgres spell sqlite ssl vhosts' succeeded for =mail-client/roundcube-1.3.11
Comment 10 Sergei Trofimovich gentoo-dev 2020-06-28 08:03:11 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel \o/
Comment 11 Sam James archtester gentoo-dev Security 2020-07-17 00:04:22 UTC
amd64: ping
Comment 12 Sam James archtester gentoo-dev Security 2020-07-17 23:26:04 UTC
amd64 stable

----
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-23 20:40:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=637bca0e8feef63e8d6578d81bf342ac1d8e1e65

commit 637bca0e8feef63e8d6578d81bf342ac1d8e1e65
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-23 20:31:54 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-23 20:39:56 +0000

    mail-client/roundcube: Cleanup
    
    Bug: https://bugs.gentoo.org/720876
    Bug: https://bugs.gentoo.org/726944
    Closes: https://bugs.gentoo.org/705388
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 mail-client/roundcube/Manifest                |  7 --
 mail-client/roundcube/roundcube-1.3.10.ebuild | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.8.ebuild  | 96 ---------------------------
 mail-client/roundcube/roundcube-1.3.9.ebuild  | 96 ---------------------------
 mail-client/roundcube/roundcube-1.4.0.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.1.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.2.ebuild  | 73 --------------------
 mail-client/roundcube/roundcube-1.4.3.ebuild  | 73 --------------------
 8 files changed, 587 deletions(-)
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:51:50 UTC
This issue was resolved and addressed in
 GLSA 202007-41 at https://security.gentoo.org/glsa/202007-41
by GLSA coordinator Sam James (sam_c).