
Bug 736742 (CVE-2020-16145)

Summary: <mail-client/roundcube-1.4.8: cross-site scripting (XSS) via HTML messages with malicious svg or math content
Product: Gentoo Security
Reporter: Meik Frischke <meik.frischke>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, gentoo_bugs_peep, hydrapolic, titanofold, web-apps
Priority: Normal
Keywords: ALLARCHES, CC-ARCHES, PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://roundcube.net/news/2020/08/10/security-updates-1.4.8-1.3.15-and-1.2.12
See Also: https://github.com/gentoo/gentoo/pull/17078
Whiteboard: B4 [noglsa]
Package list:
mail-client/roundcube-1.4.8
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 731080

Description Meik Frischke 2020-08-11 11:04:31 UTC
Similar to Bug #731080:
<=mail-client/roundcube-1.4.7 and
<=mail-client/roundcube-1.3.14 and
<=mail-client/roundcube-1.2.11 are affected


Reproducible: Always
Comment 1 Tomáš Mózes 2020-08-11 11:34:35 UTC
Just tested 1.4.8, seems to work fine.
Comment 2 Larry the Git Cow gentoo-dev 2020-08-20 19:20:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19bf444bb00c60a3af82c5efcea93a0624b98887

commit 19bf444bb00c60a3af82c5efcea93a0624b98887
Author:     Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2020-08-11 13:54:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-20 19:19:59 +0000

    mail-client/roundcube: Bump to 1.4.8
    
    Just a copy of 1.4.7's ebuild.
    
    Bug: https://bugs.gentoo.org/736742
    Closes: https://github.com/gentoo/gentoo/pull/17078
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/roundcube/Manifest               |  1 +
 mail-client/roundcube/roundcube-1.4.8.ebuild | 73 ++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 23:38:48 UTC
Maintainer, please let us know when ready to stable 1.4.8.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 00:07:35 UTC
CCing arches..
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 03:49:59 UTC
amd64 arm ppc ppc64 sparc x86 (ALLARCHES) done

all arches done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 03:51:17 UTC
Please cleanup, thanks!
Comment 7 Larry the Git Cow gentoo-dev 2020-08-30 03:17:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4a4b6f347e99cdc11c7123fb6ad82da3f0e1cb5

commit a4a4b6f347e99cdc11c7123fb6ad82da3f0e1cb5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:16:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:16:58 +0000

    mail-client/roundcube: security cleanup
    
    Bug: https://bugs.gentoo.org/736742
    Bug: https://bugs.gentoo.org/731080
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-client/roundcube/Manifest               |  2 -
 mail-client/roundcube/roundcube-1.4.6.ebuild | 73 ----------------------------
 mail-client/roundcube/roundcube-1.4.7.ebuild | 73 ----------------------------
 3 files changed, 148 deletions(-)