Bug 849615 (CVE-2012-3508, CVE-2012-4668)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2012-3508 roundcubemail: XSS by processing signatures in HTML mode | | |
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | christoph.wickert, gwync, mhlavink |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-31 10:24:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 849616, 849617 | | |
| Bug Blocks: | | | |
Description
Jan Lieskovsky
2012-08-20 11:09:26 UTC
This issue affects the version of the roundcubemail package, as shipped with Fedora 16 and Fedora 17. Please schedule an update.

--

This issue affects the version of the roundcubemail package, as shipped with Fedora EPEL 6. Please schedule an update.

Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 849616]
Affects: epel-6 [bug 849617]

(In reply to comment #1)
> This issue affects the version of the roundcubemail package, as shipped with
> Fedora 16 and Fedora 17. Please schedule an update.

Affects in the sense that the 'program/js/app.js rcube_webmail()' corresponding routine change from the upstream patch:
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
is applicable to the roundcubemail-0.7.x versions shipped within F-16, F-17 and EPEL-6 too (but not sure the whole upstream patch / functionality change would be applicable, since the relevant code is different from the most recent upstream version. This will need review by someone more familiar with the rcube_webmail() / signature handling code).

Looking into relative applicability to 0.7.3 or 0.8.1.

So on further review, only the second issue in 1488613 would apply, the rest were 0.8+ only. Upstream isn't concerned about backporting to 0.7.x (see comment #2 on that Trac). I'm not entirely sure how severe this bug is, but I don't think it would be that difficult to patch for 0.7.3. It's fixed in 0.8.1. Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x branches to 0.8.1? I'm leaning toward the second option, and updating only rawhide and maybe f18 to 0.8.1.

(In reply to comment #5)
> So on further review, only the second issue in 1488613 would apply, the rest
> were 0.8+ only.

Thank you for the confirmation, Jon.

> Upstream isn't concerned about backporting to 0.7.x (see
> comment #2 on that Trac).

Yes, noticed that one previously.

> I'm not entirely sure how severe this bug is,

Though not being patched by upstream, it's still an XSS flaw (allowing JavaScript execution) and as such should be fixed in all versions where applicable (thus in the 0.7.x one too).

> but
> I don't think it would be that difficult to patch for 0.7.3. It's fixed in
> 0.8.1. Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x
> branches to 0.8.1? I'm leaning toward the second option, and updating only
> rawhide and maybe f18 to 0.8.1.

Do it in the way which is easier for you to deal with (either patch the 0.7.3 version or rebase to 0.8.1, which contains fixes for all issues). Either way is OK for us (Security Response Team) under the assumption that the issue is corrected.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Based on: http://www.openwall.com/lists/oss-security/2012/08/20/9

1) The CVE identifier of CVE-2012-3507 has been assigned to the "Larry skin Subject header XSS" flaw:
   Upstream ticket: http://trac.roundcube.net/ticket/1488519
   Relevant patch: http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github

2) and the CVE identifier of CVE-2012-3508 has been assigned to the:
   a) "Stored XSS in e-mail body" and
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch: https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
   b) "Self XSS in e-mail body (Signature)" flaws.
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

This was partially split:

Name: CVE-2012-3508
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.

Name: CVE-2012-4668
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.
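The CVE-2012-3508 description above (a "javascript:" href in an HTML mail body getting past the washtml.php sanitizer) is the classic URL-scheme check failure: a sanitizer that compares the raw attribute value against a denylist misses what the browser will actually execute. The block below is an added example, not Roundcube's code and not the upstream patch. It assumes hypothetical function names (isSafeHref, washLinks) and a constructed sample mail body, and goes beyond the single "javascript:" case in the CVE text to the bypasses a browser would also honour (mixed case, leading control characters, embedded tab/newline, numeric and named character references): the value is normalised the way the HTML and URL parsers normalise it, and only then is its scheme compared against an allowlist.

```javascript
// Added example (not Roundcube's washtml.php): allowlist-based href check
// that applies the browser's own normalisation before reading the scheme,
// so "javascript:" cannot be smuggled past a naive startsWith() test.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']);

// Named character references that matter for scheme smuggling. A real
// sanitizer needs the full HTML5 table (assumption: the host project's
// HTML parser supplies it); this subset is enough to show the failure mode.
const NAMED_REFS = {
  Tab: '\t', NewLine: '\n', colon: ':', sol: '/', amp: '&',
  lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// Single-pass entity decoding, as an HTML parser does for attribute values:
// numeric references with or without the trailing ';', named ones only with
// it. One pass matters: "&#x26;#106;" must become the literal text "&#106;",
// not the letter 'j'.
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|([A-Za-z][A-Za-z0-9]*);)/g;

function decodeEntities(s) {
  return s.replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Out-of-range and surrogate code points are left undecoded.
      if (cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return match;
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// The WHATWG URL parser trims leading/trailing C0 controls and spaces and
// deletes TAB, LF and CR anywhere in the input before it looks for a scheme,
// so "java\tscript:" is "javascript:" to the browser.
function browserNormalise(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Lower-cased scheme, or null when the URL is relative (no valid scheme).
function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Keep the href only if, after the browser's normalisation, its scheme is on
// the allowlist. Relative URLs carry no scheme and are kept.
function isSafeHref(raw) {
  const scheme = schemeOf(browserNormalise(decodeEntities(raw)));
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Illustration only: drop unsafe href attributes from <a> tags in a fragment.
// The regex scan is for the demo; a production sanitizer should walk a parsed
// DOM, where attribute values arrive already entity-decoded.
function washLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const cleaned = attrs.replace(
      /\s+href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi,
      (attr, dq, sq, bare) => (isSafeHref(dq ?? sq ?? bare) ? attr : ''),
    );
    return `<a${cleaned}>`;
  });
}

// Constructed sample: the body of an HTML-formatted e-mail with three links,
// two of which resolve to javascript: once the browser has normalised them.
const SAMPLE_EMAIL_HTML =
  '<p><a href="  JaVaScRiPt:alert(1)">x</a> ' +
  "<a href='https://example.com/'>ok</a> " +
  '<a title="t" href=jav&#x61;script:1>z</a></p>';

console.log(washLinks(SAMPLE_EMAIL_HTML));
```

Two design points carry over to any sanitizer: use an allowlist of schemes rather than a denylist (vbscript:, data: and whatever the next browser adds are rejected for free), and normalise exactly as the consuming parser does, in the same order (entity decoding first, then the URL parser's whitespace stripping). Decoding in more than one pass would reject some harmless text but never admit a payload; decoding in fewer passes than the browser, or comparing before stripping, is what produces bugs of this class.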