+roundcube (0.7.2-5) unstable; urgency=low
+
+ * Fix problem with some uuencoded attachments. Patch from Michał
+ Mirosław. Closes: #686857.
+
+ -- Vincent Bernat <bernat@debian.org> Sat, 29 Sep 2012 11:30:04 +0200
+
roundcube (0.7.2-4) unstable; urgency=high
* Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
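Review bot: The 0.7.2-5 entry says only "Fix problem with some uuencoded attachments", which does not tell a reader of the changelog what was wrong. The patch description already has the detail: lines containing a space (0x20) were not recognized as uuencoded data. Consider putting that in the entry, for example "Recognize uuencoded attachments whose lines contain spaces".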
--- /dev/null
+Roundcube 0.7 doesn't properly recognize uuencoded attachments. Space
+(0x20) is a valid character to be found in uuencoded paragraphs while
+anything above backquote (0x60) is not valid.
+
+Source:
+ http://en.wikipedia.org/wiki/Uuencoding#Formatting_Mechanism
+
+Patch from Michał Mirosław.
+
+--- a/program/include/rcube_message.php.orig 2012-01-17 08:50:40.000000000 +0100
++++ a/program/include/rcube_message.php 2012-09-06 19:54:54.000000000 +0200
+@@ -622,8 +622,7 @@
+ $part->body = $this->imap->get_message_part($this->uid, $part->mime_id, $part);
+
+ $parts = array();
+- // FIXME: line length is max.65?
+- $uu_regexp = '/begin [0-7]{3,4} ([^\n]+)\n(([\x21-\x7E]{0,65}\n)+)`\nend/s';
++ $uu_regexp = '/begin [0-7]{3,4} ([^\n]+)\n(([\x20-\x60]{0,65}\n)+)`\nend/s';
+
+ if (preg_match_all($uu_regexp, $part->body, $matches, PREG_SET_ORDER)) {
+ // remove attachments bodies from the message body
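Review bot: The tail of the new $uu_regexp still requires a line holding a single backquote before "end", while the description above states that space (0x20) is a valid uuencode character. If an encoder writes the zero-length terminator line as a space, the body group will consume that line and the match will still fail, so the attachment stays unrecognized. Consider accepting either character on the terminator line. Separately, the "FIXME: line length is max.65?" comment is removed but the {0,65} bound is unchanged and unexplained. Either keep the comment or say in the patch description why 65 is the right limit.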