A cross-site scripting (XSS) flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed sanitization of signature content in HTML email. A remote attacker could send an email message with a specially-crafted signature value that, when processed in roundcubemail, would lead to arbitrary HTML or web script execution.

Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488613

Relevant patch:
[2] https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32

References:
[3] http://trac.roundcube.net/wiki/Changelog
[4] http://www.openwall.com/lists/oss-security/2012/08/20/2

Note: The "Larry skin Subject header XSS" flaw:
http://trac.roundcube.net/ticket/1488519
http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github
and the "Stored XSS in email body" flaw:
http://trac.roundcube.net/ticket/1488613
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
do not apply to the roundcubemail-0.7.x versions yet, which are currently shipped in Fedora 16, Fedora 17, and Fedora EPEL 6.
This issue affects the version of the roundcubemail package, as shipped with Fedora 16 and Fedora 17. Please schedule an update.

--

This issue affects the version of the roundcubemail package, as shipped with Fedora EPEL 6. Please schedule an update.
Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 849616]
Affects: epel-6 [bug 849617]
(In reply to comment #1)
> This issue affects the version of the roundcubemail package, as shipped with
> Fedora 16 and Fedora 17. Please schedule an update.

Affects in the sense that the 'program/js/app.js rcube_webmail()' corresponding routine change from the upstream patch:
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
is applicable to the roundcubemail-0.7.x versions shipped within F-16, F-17 and EPEL-6 too (but not sure the whole upstream patch / functionality change would be applicable, since the relevant code is different from the most recent upstream version. This will need review by someone more familiar with the rcube_webmail() / signature handling code).
Looking into relative applicability to 0.7.3 or 0.8.1
So on further review, only the second issue in 1488613 would apply, the rest were 0.8+ only. Upstream isn't concerned about backporting to 0.7.x (see comment #2 on that Trac). I'm not entirely sure how severe this bug is, but I don't think it would be that difficult to patch for 0.7.3. It's fixed in 0.8.1. Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x branches to 0.8.1? I'm leaning toward the second option, and updating only rawhide and maybe f18 to 0.8.1.
(In reply to comment #5)
> So on further review, only the second issue in 1488613 would apply, the rest
> were 0.8+ only.

Thank you for the confirmation, Jon.

> Upstream isn't concerned about backporting to 0.7.x (see
> comment #2 on that Trac).

Yes, noticed that one previously.

> I'm not entirely sure how severe this bug is,

Though not being patched by upstream, it's still an XSS flaw (allowing JavaScript execution) and as such should be fixed in all versions where applicable (thus in the 0.7.x one too).

> but
> I don't think it would be that difficult to patch for 0.7.3. It's fixed in
> 0.8.1. Should I ignore, patch all 0.7.x branches, or upgrade all 0.7.x
> branches to 0.8.1? I'm leaning toward the second option, and updating only
> rawhide and maybe f18 to 0.8.1.

Do it in whichever way is easier for you to deal with (either patch the 0.7.3 version or rebase to 0.8.1, which contains fixes for all issues). Either way is OK for us (Security Response Team) under the assumption that the issue is corrected.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Based on:
http://www.openwall.com/lists/oss-security/2012/08/20/9

1) The CVE identifier CVE-2012-3507 has been assigned to the "Larry skin Subject header XSS" flaw:
   Upstream ticket: http://trac.roundcube.net/ticket/1488519
   Relevant patch: http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github

2) The CVE identifier CVE-2012-3508 has been assigned to the following two flaws:
   a) "Stored XSS in e-mail body"
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch: https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
   b) "Self XSS in e-mail body (Signature)"
      Upstream ticket: http://trac.roundcube.net/ticket/1488613
      Relevant patch: https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
This was partially split:

Name: CVE-2012-3508
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.

Name: CVE-2012-4668
Reference: CONFIRM:https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.
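The CVE-2012-3508 description above is the classic sanitizer failure: an HTML mail body carrying a "javascript:" href that the washer lets through. The block below is an added illustration written for this page, not code from Roundcube's washtml.php or app.js and not the upstream fix; every function name, the allow-list, the entity subset and the sample mail body are assumptions constructed here. It shows why the scheme comparison has to run on a normalised value: browsers accept entity-encoded, mixed-case and whitespace/control-padded forms of the scheme, so a naive prefix check on the raw attribute is bypassable.

```javascript
// Added example (not Roundcube's washtml.php or app.js code): an href
// scheme allow-list in the spirit of the CVE-2012-3508 fix. All names
// below are hypothetical; the sample HTML fragment is constructed.

// Schemes a webmail client can reasonably allow in message links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "ftp"]);

// Browsers decode entities and ignore ASCII control characters inside a URL
// scheme, so "jav&#x0A;ascript:" and "JaVa\tScript:" both run as
// javascript:. Undo that (for a subset of entities sufficient here) before
// comparing; otherwise a plain prefix check is trivially bypassed.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
}

// Canonical form used only for scheme extraction: entities decoded,
// control and whitespace characters removed, lower-cased.
function canonicalForScheme(raw) {
  return decodeEntities(String(raw)).replace(/[\x00-\x20\x7f]/g, "").toLowerCase();
}

// Returns the URL scheme, or null for a relative (scheme-less) URL.
function hrefScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(canonicalForScheme(raw));
  return m ? m[1] : null;
}

// Allow-list check: unknown schemes (javascript:, data:, vbscript:, ...)
// are rejected instead of trying to enumerate the dangerous ones.
function isSafeHref(raw) {
  const scheme = hrefScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Rewrites href attributes on <a> tags in a fragment, neutralising unsafe
// ones. The regular expression is only here to exercise the check on a
// string; a real sanitizer must walk a parsed DOM instead.
function washLinks(html) {
  return html.replace(/(<a\b[^>]*?\shref\s*=\s*)("[^"]*"|'[^']*'|[^\s>]+)/gi,
    (whole, prefix, attr) => {
      const value = /^["']/.test(attr) ? attr.slice(1, -1) : attr;
      return isSafeHref(value) ? whole : `${prefix}"#"`;
    });
}

// Constructed sample: an HTML mail body with one legitimate link and three
// javascript: links in obfuscated forms.
const SAMPLE_BODY =
  '<p><a href="https://example.com/">site</a> ' +
  '<a href="javascript:alert(document.cookie)">a</a> ' +
  '<a href="JaVa&#x0A;ScRiPt:alert(1)">b</a> ' +
  "<a href='&#106;avascript&colon;alert(2)'>c</a></p>";

// Returns the washed body; only the https link survives.
function demo() {
  return washLinks(SAMPLE_BODY);
}
```

The design point is the allow-list: rejecting everything except a few known-good schemes means a forgotten variant (data:, vbscript:, a future scheme) fails closed, whereas a deny-list of "javascript:" spellings is exactly what entity and whitespace tricks are built to slip past. The same scheme check applies wherever user-controlled HTML reaches the browser, the signature case of CVE-2012-4668 included.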