NixOS / security

Roundup: [oss-security] Roundcube: CVE-2017-6820: XSS issue in handling of a style tag inside of an svg element #92

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:000000000000413e

Should the search term be changed from inside? Suggest a new package search by commenting:

-suggested:inside +suggested:correctPackageName thread:000000000000413e

Known CVEs: CVE-2017-6820


Sun, 12 Mar 2017 17:41:49 +0100 Salvatore Bonaccorso, 20170312164149.4ivltlh32pglgfgm@eldamar.local
Hi

I have requested a CVE for the following Roundcube issue, which got
assigned CVE-2017-6820[*].

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element.

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Regards,
Salvatore

 [*] ideally that would be done by the upstream project on its own
 before publishing an issue in case it was privately reported, since
 it was not immediately clear to me if one was already requested or
 some other vendors/distributors have done it.


calvertvl commented 7 years ago

We don't appear to have this packaged - search comes up empty: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=roundcube&type=