Date: Mon, 20 Aug 2012 10:11:28 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE-request: Roundcube XSS issues

On 08/20/2012 05:24 AM, Jan Lieskovsky wrote:
> Hi Jon,
>
> this is due the recent roundcubemail XSS issues post:
> http://www.openwall.com/lists/oss-security/2012/08/20/2
>
> which detailed leads into:
> 1, issue #1 New larry skin & literal in Subject header display
> Ticket: http://trac.roundcube.net/ticket/1488519
> Upstream patch:
> http://trac.roundcube.net/changeset/a7d5e3e8580466639a18da35af13b97dc3765c16/github
>
> Upon code review, I don't think this issue affects 0.7.x versions,
> we ship in Fedora and EPEL (iilc the Larry skin was introduced
> only in 0.8.x version and in 0.7.x version the related code looks
> different). I don't have filed RH bug for this based on the above.
> Could you have a look and confirm this?

Please use CVE-2012-3507 for this issue.

> 2, Issue 2a: Description: Stored XSS in e-mail body.
> Ticket: http://trac.roundcube.net/ticket/1488613
> Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee
>
> Upon code review doesn't seem to affect rcmail we ship in Fedora /
> EPEL -> haven't filed RH bug for it. Could you double-check and
> confirm that?,
>
> Issue 2b: Self XSS in e-mail body (Signature).
> Ticket: http://trac.roundcube.net/ticket/1488613
> Upstream patch:
> https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
>
> The 'program/js/app.js' rcube_webmail() upstream change from the
> patch above seems to be applicable to Fedora / EPEL rcmail
> versions. Thus I have filed:
> https://bugzilla.redhat.com/show_bug.cgi?id=849615
>
> to track this. But not sure whole 'Self XSS in e-mail body
> (Signature).' upstream patch would apply with its logic to 0.7.x
> versions: https://bugzilla.redhat.com/show_bug.cgi?id=849615#c3
>
> Therefore this needs review by someone more familiar with
> rcube_webmail() routine code to decide if apply that patch or not.
> Could you do that?

Please use CVE-2012-3508 for these two issues (same version, same type
of vuln so cve merge).

> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993