Moritz Muehlenhoff
2012-Aug-21 05:51 UTC
[Secure-testing-team] Bug#685475: roundcube: CVE-2012-3508
Package: roundcube
Severity: grave
Tags: security
Justification: user security hole

This was reported on the oss-sec mailing list:

Cheers,
Moritz

> 2, Issue 2a: Description: Stored XSS in e-mail body.
> Ticket:
> http://trac.roundcube.net/ticket/1488613
> Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?
>
> Issue 2b: Self XSS in e-mail body (Signature).
> Ticket:
> http://trac.roundcube.net/ticket/1488613
> Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type of vuln so cve merge).