Bug 849615 - (CVE-2012-3508, CVE-2012-4668) CVE-2012-3508 roundcubemail: XSS by processing signatures in HTML mode
CVE-2012-3508 roundcubemail: XSS by processing signatures in HTML mode
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120814,repor...
: Security
Depends On: 849616 849617
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-20 07:09 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:28 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-08-20 07:09:26 EDT
A cross-site scripting (XSS) flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed sanitization of signatures content in the HTML email. A remote attacker could send an email message with specially-crafted signature value that, when processed in roundcubemail would lead to arbitrary HTML or web script execution.

Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488613

Relevant patch:
[2] https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

References:
[3] http://trac.roundcube.net/wiki/Changelog
[4] http://www.openwall.com/lists/oss-security/2012/08/20/2

Note: The "Larry skin Subject header XSS flaw:
      http://trac.roundcube.net/ticket/1488519
      http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github

      and "Stored XSS in email body" flaw:
      http://trac.roundcube.net/ticket/1488613
      https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee

      does not apply to the roundcubemail-0.7.x version yet, that are currently shipped
      in Fedora 16, Fedora 17, and Fedora EPEL 6.
Comment 1 Jan Lieskovsky 2012-08-20 07:10:42 EDT
This issue affects the version of the roundcubemail package, as shipped with Fedora 16 and Fedora 17. Please schedule an update.

--

This issue affects the version of the roundcubemail package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-08-20 07:11:54 EDT
Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 849616]
Affects: epel-6 [bug 849617]
Comment 3 Jan Lieskovsky 2012-08-20 07:14:57 EDT
(In reply to comment #1)
> This issue affects the version of the roundcubemail package, as shipped with
> Fedora 16 and Fedora 17. Please schedule an update.

Affects in the sense the 'programp/js/app.js rcube_webmail()' corresponding routine change from upstream patch:
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

is applicable to roundcubemail-0.7.x versions, shipped within F-16, F-17, EPEL-6 versions too (but not sure whole upstream patch / functionality change would be applicable, since the relevant code is different to most recent upstream version. This will need review by someone more familiar with rcube_webmail() / signature handling code).
Comment 4 Jon Ciesla 2012-08-20 09:45:54 EDT
Looking into relative applicability to 0.7.3 or 0.8.1
Comment 5 Jon Ciesla 2012-08-20 10:10:28 EDT
So on further review, only the second issue in 1488613 would apply, the rest were 0.8+ only.  Upstream isn't concerned about backporting to 0.7.x (see comment #2 on that Trac).  I'm not entirely sure how severe this bug is, but I don't think it would be that difficult to patch for 0.7.3.  It's fixed in 0.8.1.  Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x branches to 0.8.1?  I'm leaning toward the second option, and updating only rawhide and maybe f18 to 0.8.1.
Comment 6 Jan Lieskovsky 2012-08-20 10:30:50 EDT
(In reply to comment #5)
> So on further review, only the second issue in 1488613 would apply, the rest
> were 0.8+ only.

Thank you for the confirmation, Jon.

>  Upstream isn't concerned about backporting to 0.7.x (see
> comment #2 on that Trac).

Yes, noticed that one previously.

>  I'm not entirely sure how severe this bug is,

Though not being patched by upstream. It's still XSS flaw (allowing JavaScript execution) and as such should be fixed in all versions, where applicable (thus in 0.7.x one too).

> but
> I don't think it would be that difficult to patch for 0.7.3.  It's fixed in
> 0.8.1.  Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x
> branches to 0.8.1?  I'm leaning toward the second option, and updating only
> rawhide and maybe f18 to 0.8.1.

Do it in a way which is easier for you to deal with it with (either patch 0.7.3 version or rebase to 0.8.1, which contain fixes for all issues). Either way is OK for us (Security Response Team) under assumption, the issue is corrected.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Jan Lieskovsky 2012-08-21 05:04:39 EDT
Based on:
  http://www.openwall.com/lists/oss-security/2012/08/20/9

1) The CVE identifier of CVE-2012-3507 has been assigned to the "Larry skin Subject header XSS" flaw:
  Upstream ticket: http://trac.roundcube.net/ticket/1488519
  Relevant patch:
  http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github

2) and the CVE identifier of CVE-2012-3508 has been assigned to the:
   a) "Stored XSS in e-mail body" and
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch: 
      https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee

   b) "Self XSS in e-mail body (Signature)" flaws.
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch:
      https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Comment 8 Kurt Seifried 2012-08-26 23:07:04 EDT
This was partially split:

Name: CVE-2012-3508
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in
Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary
web script or HTML by using "javascript:" in an href attribute in the
body of an HTML-formatted email.

Name: CVE-2012-4668
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1
and earlier allows remote attackers to inject arbitrary web script or
HTML via the signature in an email.

Note You need to log in before you can comment on or make changes to this bug.