Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 23 Apr 2016 19:53:03 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/roundcube/roundcubemail/wiki/Changelog
> https://github.com/roundcube/roundcubemail/releases

> Fix XSS issue in SVG images handling (#4949):
> https://github.com/roundcube/roundcubemail/issues/4949
> https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
> https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0

Use CVE-2015-8864 for the issue that was fixed by these commits. Use
CVE-2016-4068 for the remaining SVG XSS issues that were not fixed
(i.e., the SVG XSS issues that remain present in versions 1.0.9,
1.1.5, and 1.2-rc), as described in the
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
comment:

   thomascube commented on 40d7342 Jan 6, 2016

   Good start! Removing script nodes, however, is just the beginning.
   XSS code can also be in node attributes like onclick, onmouseover,
   href="javascript:, etc. or even in CSS url() as we learned with
   HTML messages.

   So traversing the entire DOM is probably necessary to provide
   protection that goes beyond the one example we received.


> Protect download urls against CSRF using unique request tokens (#4957):
> https://github.com/roundcube/roundcubemail/issues/4957
> https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
> https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53

Use CVE-2016-4069. This is not a typical type of impact associated
with CSRF; however, it is still probably best to categorize this as a
CSRF issue, not an SSRF issue.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXHAorAAoJEHb/MwWLVhi2yNYP/iihOBpJh4D9q5H+LtOinltO
kuiy+mRQ3LhCNOfNtL7j5oI87UnZfWFua61wxPf3ce8q05ElU0pnrALVtM3ZIewO
9Mko0i7TuVysb/0Kmr522BXKbkkumSmxmapOV83rsk2VSpVrMFXNmhPDwhQUiQ72
tJr/kCDj8yK66zRse2bO2wzmpLyAHxWaJcXb76dGuaDAyBO/PsJ+Hg32qCNTuZaf
lkhhcKIVYxVWf5zLfID9X2OQgD511DOeWJUJAKIt3LhnYfZa9ho7HYuZSAHcjoox
Vc1zz46tS8njkzJcUpBm6RhfN5p9PbXOcxo8FCC2HBAculk4qILAvPvYZInwetEx
CEpU5K9jvV1SEgwngwxVLPUf+V7o5KhBy0305W8GpFpASjOYksAi3Aho1Q0HKjd6
BOKR3+w8t+Lr+dgO6/s8r+321nLfIfEslcVky+oPDyLcgWQ5lKwCiPkJDW0BhY6K
WK4t5sSyQ+L/+hhWyX1WvRT+pR+J82pS4J+vDf9xPH41ejw7GUcMIsAXyxKFTJD4
yBphN1hmQwAdOn6DOoQeT0q22hXMFjrpy2mNSpJO7/mvC1Cezh4H9mOieo+m1/WR
rEQMgU0YvLbLU+QGJs70ffu7GbctyEy0Hcqro3PypseYazXBXbco3oeA5YoXpO4w
CnimPVkwnLWULwjvomSM
=bl7U
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.