Re: CVE-request: Roundcube XSS issues

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 08/20/2012 05:24 AM, Jan Lieskovsky wrote:
> Hi Jon,
>
> this is due the recent roundcubemail XSS issues post: [1] 
> http://www.openwall.com/lists/oss-security/2012/08/20/2
>
> which detailed leads into: 1, issue #1 New larry skin & literal in 
> Subject header display Ticket: 
> http://trac.roundcube.net/ticket/1488519 Upstream patch:
http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github
> Upon code review, I don't think this issue affects 0.7.x versions, 
> we ship in Fedora and EPEL (iilc the Larry skin was introduced
> only in 0.8.x version and in 0.7.x version the related code looks 
> different). I don't have filed RH bug for this based on the above. 
> Could you have a look and confirm this?

Please use CVE-2012-3507 for this issue.


> 2, Issue 2a: Description: Stored XSS in e-mail body. Ticket: 
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
> Upon code review doesn't seem to affect rcmail we ship in Fedora / 
> EPEL -> haven't filed RH bug for it. Could you double-check and 
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature). Ticket: 
> http://trac.roundcube.net/ticket/1488613 Upstream patch:
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
> The 'program/js/app.js' rcube_webmail() upstream change from the 
> patch above seems to be applicable to Fedora / EPEL rcmail 
> versions. Thus I have filed: 
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body 
> (Signature).' upstream patch would apply with its logic to 0.7.x 
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with 
> rcube_webmail() routine code to decide if apply that patch or not. 
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).

> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat 
> Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQMmGwAAoJEBYNRVNeJnmT1xcQAIuQQwlBfIJjQipIjUrdT35Q
zvKke9+QkCv/jvSjHRBdOiOAE1616Y2RhKE4QLRp0wzu2L20m0xDX/ypehsFtovH
0OVrKX/R72RVxv0chUysxYuwROIAYsqOWyfH/pBx1H7hYiBMn0JarOl/Yl23Ii6P
PaTIonCtgv8Cg+eHuumoBS6O6tCosazPxRD7NE40RWc88Wydr6gGYVDgYP3Glt0D
RoOu1vmb+sDo1Vba1vqim/f6Kyv1CP4TPV/Z8aeZiW5EdyXW5Jx6fm37cXV7/Kde
pJToiFw6jPHrY7h74yStVOAxZ6yXhBLUwVzqQ+wio13XOEtiSvhIY13pdOi1nFdE
mk0IgH8dmM/7muTIBF4Hw8BnR8i5SpCus5J1gxW6L4Wb03Xz4yPnrmRw9LV54VKu
dG2RLAtHEx2dd0jIRQLarCndg+GEWfk7ldM7ijxzb0tYgdatl07T7MJmic0V1Y4g
wKrm6z8RVsvQjZCtcYG0hFBcUeJsWaw5Ta+iyhHk66uIQf8Rq7hpp9I1PanWujSn
Uo217JPcR3QdXjRQ7QPgFBdnkwbF6qr6Vw7WC0s1jBIW6LtdBx5CyOWQUppnebNk
QUEbXV051D+t09a9bBRyqR3N5dbK1gsx9RBSa8qizL4P+ibd8fip6yUOzC0/ATYx
fcYldh0Vgu6ghLMIEEDZ
=wELK
-----END PGP SIGNATURE-----