Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507512 (CVE-2013-5646) - <mail-client/roundcube-1.0.2: XSS issue in the addressbook group name field (CVE-2013-5646)
Summary: <mail-client/roundcube-1.0.2: XSS issue in the addressbook group name field (...
Alias: CVE-2013-5646
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 2 votes (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
: 510264 (view as bug list)
Depends on:
Reported: 2014-04-12 15:38 UTC by renato gallo
Modified: 2015-01-17 21:25 UTC (History)
14 users (show)

See Also:
Package list:
Runtime testing required: ---

roundcube-1.0.1.ebuild (roundcube-1.0.1.ebuild,2.05 KB, text/plain)
2014-06-04 16:30 UTC, Philippe Chaintreuil
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description renato gallo 2014-04-12 15:38:17 UTC

Cleaned up the configuration into a single file
Importing email messages and contact group assignments
Advanced LDAP address book functionality
Toggle to switch between HTML and plaintext view
Save Drafts to local storage for recovery
Canned responses to save and recall boilerplate texts
Improved keyboard navigation in messages list
Optimized UI to work on tablet and mobile devices
Attachment reminder plugin
With the announcement, they have also introduced the Roundcube Plugin Repository.

Reproducible: Always

Steps to Reproduce:
1. emerge roundcube
Actual Results:  
it emerges the old version

Expected Results:  
it emerges 1.0.0
Comment 1 David Heidelberg (okias) 2014-04-17 18:17:30 UTC
done in ::ixit overlay, feel free to use it.

BEWARE: you should move configuration into but it will work with old config anyway, so no need to rush.
Comment 2 Michael Orlitzky gentoo-dev 2014-04-20 02:56:41 UTC
There are three new bundled libs that should be removed from program/lib and added as dependencies:

  * dev-php/PEAR-Crypt_GPG (program/lib/Crypt)
  * dev-php/PEAR-Net_Sieve (program/lib/Sieve)
  * dev-php/PEAR-Net_Socket (program/lib/Net/Socket.php)

Please also address bug #489970 during the bump.
Comment 3 Philippe Chaintreuil 2014-05-13 20:54:06 UTC
Note: 1.0.1 has been released, so we might just want to jump to that.  See bug #510264.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-14 01:37:37 UTC
*** Bug 510264 has been marked as a duplicate of this bug. ***
Comment 5 Philippe Chaintreuil 2014-06-04 16:30:49 UTC
Created attachment 378270 [details]

I made the changes requested in comment #2 above to okias's earlier mentioned ebuild, he's accepted the changes on github @ -- I've attached the file for ease-of-use.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-14 21:10:43 UTC
1.0-beta fixed an XSS issue in the addressbook group name field.

The release notes at further add a fix, released in 1.0.0 for an unspecified "security issue in DomainFactory? driver of Password plugin".

Furthermore, a security issue was found in 1.0-beta with a "wrong rule in .htaccess".

Furthermore, 1.0.1 fixed an "XSS issue in plain text spellchecker"[2] that was apparently found in 1.0.0, and was later demoted to a "Mail composing" issue because "[y]ou can only XSS yourself with this".

I stopped looking for more vulnerabilities after this.

Comment 7 Daniel Kenzelmann 2014-07-23 08:22:58 UTC
Roundcube 1.0.2 was released:
Comment 8 Dennis Schridde 2014-08-10 17:06:11 UTC
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-12 10:53:27 UTC
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : amd64 arm ppc x86

Arch teams, please test and keyword:
Targeted unstable KEYWORDS : ppc64 sparc
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-12 15:08:18 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-12 15:25:35 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2014-08-20 11:33:47 UTC
arm stable, and ~sparc done
Comment 13 Agostino Sarubbo gentoo-dev 2014-08-30 17:07:52 UTC
ppc64 done.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-01 19:58:25 UTC
No GLSA for Cross Site Scripting
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 05:00:00 UTC
As per Jer's STABLEREQ add

Please correct me if I am wrong but based on comment 9 PPC stabilization was missed for :


Setting back to stable from (noglsa/cleanup), adding ppc arch.
Comment 16 Agostino Sarubbo gentoo-dev 2014-09-14 07:51:25 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-14 20:42:57 UTC
(In reply to Agostino Sarubbo from comment #16)
> ppc stable.
> Maintainer(s), please cleanup.
> Security, please vote.

Still no GLSA for XSS. 

Maintainer(s), please cleanup.
Comment 18 Michael Orlitzky gentoo-dev 2014-10-04 16:23:12 UTC
*** Bug 508202 has been marked as a duplicate of this bug. ***
Comment 19 Michael Orlitzky gentoo-dev 2014-10-04 16:23:56 UTC
It looks like we're still missing hppa and ppc64 stabilizations on both,


Is ppc64 a stable arch? The "Add arches" box in Bugzilla suggests that it is, but if not, feel free to ignore. HPPA however I'm pretty sure is a stable arch.
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-04 20:43:19 UTC
(In reply to Michael Orlitzky from comment #19)
> It looks like we're still missing hppa and ppc64 stabilizations on both,
>   =mail-client/roundcube-1.0.2

KEYWORDS="amd64 arm ~hppa ppc ~ppc64 ~sparc x86"

They were never stable to begin with.

>   =dev-php/PEAR-Crypt_GPG-1.3.2

Maybe that's for another stabilisation bug.
Comment 21 Michael Orlitzky gentoo-dev 2014-10-04 20:55:34 UTC
Ah I see, sorry for the noise. Just wanted to be sure.
Comment 22 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 21:25:57 UTC
This is cleaned up now.