
CVE-2020-35730: #978491 - roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. An attacker can send a plain-text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.



Reported by: Guilhem Moulin [email protected]

Date: Mon, 28 Dec 2020 00:33:02 UTC

Severity: important

Tags: security

Found in versions roundcube/1.4.9+dfsg.1-1, roundcube/1.3.15+dfsg.1-1~deb10u1, roundcube/1.2.3+dfsg.1-4+deb9u7

Fixed in versions roundcube/1.4.10+dfsg.1-1, roundcube/1.3.16+dfsg.1-1~deb10u1

Done: Guilhem Moulin [email protected]

Bug is archived. No further changes may be made.


Report forwarded to [email protected], Debian Roundcube Maintainers <[email protected]>:
Bug#978491; Package src:roundcube. (Mon, 28 Dec 2020 00:33:04 GMT)

Acknowledgement sent to Guilhem Moulin <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <[email protected]>. (Mon, 28 Dec 2020 00:33:04 GMT)

Message #5 received at [email protected]:


Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.9+dfsg.1-1
Control: found -1 1.3.15+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u7

In a recent post, Roundcube Webmail upstream has announced the following security fix:

Cross-site scripting (XSS) via HTML or Plain text messages with
malicious content (CVE-2020-35730)

1.2.x, 1.3.x and 1.4.x branches are affected. Upstream fixes:

1.4.x https://github.com/roundcube/roundcubemail/commit/0bceba301aa621ecc0263eac17beee2a4cef0c6d
1.3.x https://github.com/roundcube/roundcubemail/commit/a06ec1dcf9c972d302b16e1ac6aa079a4f6a1c3e
1.2.x https://github.com/roundcube/roundcubemail/commit/47e4d44f62ea16f923761d57f1773a66d51afad4

– Guilhem.


Marked as found in versions roundcube/1.4.9+dfsg.1-1. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Mon, 28 Dec 2020 00:33:04 GMT)

Marked as found in versions roundcube/1.3.15+dfsg.1-1~deb10u1. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Mon, 28 Dec 2020 00:33:04 GMT)

Marked as found in versions roundcube/1.2.3+dfsg.1-4+deb9u7. Request was from Guilhem Moulin <[email protected]> to [email protected]. (Mon, 28 Dec 2020 00:33:05 GMT)

Reply sent to Guilhem Moulin <[email protected]>:
You have taken responsibility. (Mon, 28 Dec 2020 01:21:07 GMT)

Notification sent to Guilhem Moulin <[email protected]>:
Bug acknowledged by developer. (Mon, 28 Dec 2020 01:21:07 GMT)

Message #16 received at [email protected]:

Source: roundcube
Source-Version: 1.4.10+dfsg.1-1
Done: Guilhem Moulin [email protected]

We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Guilhem Moulin [email protected] (supplier of updated roundcube package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])


Format: 1.8
Date: Mon, 28 Dec 2020 01:33:45 +0100
Source: roundcube
Architecture: source
Version: 1.4.10+dfsg.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers [email protected]
Changed-By: Guilhem Moulin [email protected]
Closes: 978069 978491
Changes:
 roundcube (1.4.10+dfsg.1-1) unstable; urgency=high
 .
   * New upstream bugfix release, including security fix for:
     CVE-2020-35730: Cross-site scripting (XSS) vulnerability via HTML or
     Plain text messages with malicious content svg/namespace.
     (Closes: #978491)
   * d/rules: Make sure to fail the build when an error is raised in a for
     loop. (Closes: #978069)
   * d/rules: Refactor and move CSS/JS generation and minification from
     override_dh_auto_install to override_dh_auto_build. Thanks to Jonas
     Smedegaard for pointing this out.
   * Bump Standards-Version to 4.5.1 (no changes needed).
   * Upgrade watch file to version 4.
   * Rename Debian branch to debian/latest for DEP-14 compliance.
   * d/gbp.conf: Remove custom setting compression=xz.


Reply sent to Guilhem Moulin <[email protected]>:
You have taken responsibility. (Tue, 29 Dec 2020 19:36:02 GMT)

Notification sent to Guilhem Moulin <[email protected]>:
Bug acknowledged by developer. (Tue, 29 Dec 2020 19:36:03 GMT)

Message #21 received at [email protected]:

Source: roundcube
Source-Version: 1.3.16+dfsg.1-1~deb10u1
Done: Guilhem Moulin [email protected]

We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Guilhem Moulin [email protected] (supplier of updated roundcube package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])


Format: 1.8
Date: Mon, 28 Dec 2020 02:49:49 +0100
Source: roundcube
Architecture: source
Version: 1.3.16+dfsg.1-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers [email protected]
Changed-By: Guilhem Moulin [email protected]
Closes: 978491
Changes:
 roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high
 .
   * New upstream bugfix release, with security fix for CVE-2020-35730:
     Cross-site scripting (XSS) vulnerability via HTML or Plain text
     messages with malicious content svg/namespace. (Closes: #978491)
   * Revert upstream commit 435cfa116 to avoid irrelevant jstz update.


Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Wed, 27 Jan 2021 07:29:28 GMT)


Debian bug tracking system administrator <[email protected]>. Last modified: Thu Mar 10 15:00:34 2022; Machine Name: bembo

Debian Bug tracking system

