Dear LTS Team,

In a recent post roundcube webmail upstream has announced the following security fix for #1003027.

CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML messages with malicious CSS content.

(Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and 1.3 are affected too and the same fix applies cleanly. buster- and bullseye-security are no longer affected.)

Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload if you'd like but would appreciate if you could take care of the DLA :-)

Thanks!

Cheers,
-- Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1 changelog | 7 +++++++ patches/CVE-2021-46144.patch | 21 +++++++++++++++++++++ patches/series | 1 + 3 files changed, 29 insertions(+) diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog --- roundcube-1.2.3+dfsg.1/debian/changelog 2021-12-06 11:51:48.000000000 +0100 +++ roundcube-1.2.3+dfsg.1/debian/changelog 2022-01-12 12:56:32.000000000 +0100 @@ -1,3 +1,10 @@ +roundcube (1.2.3+dfsg.1-4+deb9u10) stretch-security; urgency=high + + * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML + messages with malicious CSS content. (Closes: #1003027) + + -- Guilhem Moulin <guil...@debian.org> Wed, 12 Jan 2022 12:56:32 +0100 + roundcube (1.2.3+dfsg.1-4+deb9u9) stretch-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch --- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 1970-01-01 01:00:00.000000000 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 2022-01-12 12:56:32.000000000 +0100 
@@ -0,0 +1,21 @@ +commit b2400a4b592e3094b6c84e6000d512f99ae0eed8 +Author: Aleksander Machniak <a...@alec.pl> +Date: Wed Dec 29 19:02:43 2021 +0100 + + Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content + +--- + program/lib/Roundcube/rcube_washtml.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -304,7 +304,7 @@ class rcube_washtml + if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) { + if ($url = $this->wash_uri($match[2])) { + $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')' +- . substr($val, strlen($match[0])) . '"'; ++ . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES) . '"'; + continue; + } + } diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series --- roundcube-1.2.3+dfsg.1/debian/patches/series 2021-12-06 11:51:48.000000000 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/series 2022-01-12 12:56:32.000000000 +0100 @@ -25,3 +25,4 @@ CVE-2020-35730.patch CVE-2021-44025.patch CVE-2021-44026.patch +CVE-2021-46144.patch
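Review bot: In the rcube_washtml.php hunk the regex is matched against `$value` while the escaped tail is taken from `$val` (`substr($val, strlen($match[0]))`); since this is a backport to 1.2.3 rather than the 1.4/1.5 tree the upstream commit was written for, please confirm that both names refer to the same attribute value in the 1.2.3 source, otherwise the newly added `htmlspecialchars(...)` escapes a different string than the one the regex matched. The change itself is sound: only `$url` was HTML-escaped before, so whatever followed the closing `)` of the `url(...)` token was emitted verbatim inside a double-quoted attribute, and wrapping that remainder in `htmlspecialchars(..., ENT_QUOTES)` closes that. The unescaped `$match[1]` prefix is fine as is, because the pattern limits it to `[a-z:]*url`. On the packaging side, the patch carries the upstream commit header but no DEP-3 `Bug-Debian:` line; adding `Bug-Debian: https://bugs.debian.org/1003027` would tie it to the bug referenced in the changelog entry.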