+roundcube (0.2~stable-1) unstable; urgency=low
+
+ * New upstream version. Closes: #503573.
+ + Add SQL update scripts for this new release and for
+ 0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
+ + Remove patch for CVE-2008-5620 which is now fixed upstream.
+ + Remove patch correcting a vulnerability in html2text.php.
+ + Remove patch fixing login issue. This is fixed upstream.
+ + Remove patch setting the default backend to db instead of mdb2:
+ this is not possible any more. We depend on php-mdb2 now.
+ * Upload to unstable since Lenny is out.
+ * Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
+
+ -- Vincent Bernat <bernat@debian.org> Sun, 15 Feb 2009 16:18:58 +0100
+
roundcube (0.2~alpha-4) experimental; urgency=low
* Add missing ${misc:Depends} to make Lintian happy.
Priority: extra
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>
-Build-Depends: debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
+Build-Depends: cdbs (>= 0.4.23-1.1), debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
Homepage: http://www.roundcube.net/
Standards-Version: 3.8.0
Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/roundcube
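Review bot: The new Build-Depends at L22 lists `cdbs` twice, once as `cdbs (>= 0.4.23-1.1)` and again as `cdbs (>= 0.4.27)`; dpkg tolerates the duplicate, but the looser bound is dead and a reader cannot tell which one is intended. Keep a single entry with the stricter bound: `Build-Depends: cdbs (>= 0.4.27), debhelper (>= 5), quilt, patchutils (>= 0.2.25), po-debconf`. If the lower version was added to work around a particular cdbs behaviour, a changelog line saying so is better than keeping both.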
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
+Depends: php-mdb2-driver-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client, ${misc:Depends}
+Depends: php-mdb2-driver-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite, ${misc:Depends}
+Depends: php-mdb2-driver-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
Package: roundcube-core
Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
Package: roundcube-mysql
Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
+Depends: php-mdb2-driver-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
Suggests: mysql-server
Provides: roundcube-db
Description: metapackage providing MySQL dependencies for RoundCube
Package: roundcube-pgsql
Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
+Depends: php-mdb2-driver-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
Suggests: postgresql-server
Provides: roundcube-db
Description: metapackage providing PostgreSQL dependencies for RoundCube
Package: roundcube-sqlite
Architecture: all
-Depends: php5-sqlite, sqlite, ${misc:Depends}
+Depends: php-mdb2-driver-sqlite, sqlite, ${misc:Depends}
Provides: roundcube-db
Description: metapackage providing sqlite dependencies for RoundCube
This package provides sqlite dependencies for RoundCube Webmail, a
+++ /dev/null
-Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
-
-diff --git a/bin/quotaimg.php b/bin/quotaimg.php
-index 354f4eb..4e73c21 100644
---- a/bin/quotaimg.php
-+++ b/bin/quotaimg.php
-@@ -18,10 +18,10 @@
-
- */
-
--$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
--$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
--$width = empty($_GET['w']) ? 100 : (int)$_GET['w'];
--$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
-+$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
-+$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
-+$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
-+$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h']));
-
- /**
- * Quota display
-@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
- }
-
- $quota_width = $quota / 100 * $width;
-- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
-+ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
-
- $string = $quota . '%';
- $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
-@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
- imagedestroy($im);
- }
-
--genQuota($used, $quota, $width, $height);
-+if ($width > 1 && $height > 1) {
-+ genQuota($used, $quota, $width, $height);
-+}
-+else {
-+ header("HTTP/1.0 404 Not Found");
-+}
-+
- exit;
- ?>
-\ No newline at end of file
--- /dev/null
+Fix CVE-2009-0413 by handling carefully background attribute.
+--- roundcubemail/CHANGELOG (revision 2242)
++++ roundcubemail/CHANGELOG (revision 2245)
+@@ -1,4 +1,8 @@
+ CHANGELOG RoundCube Webmail
+ ---------------------------
++
++2009/01/20 (thomasb)
++----------
++- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
+
+ 2009/01/18 (alec)
+--- roundcubemail/program/lib/washtml.php (revision 1811)
++++ roundcubemail/program/lib/washtml.php (revision 2245)
+@@ -81,5 +81,5 @@
+
+ /* Allowed HTML attributes */
+- static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background');
++ static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir');
+
+ /* State for linked objects in HTML */
+@@ -161,13 +161,13 @@
+ $value = $node->getAttribute($key);
+ if(isset($this->_html_attribs[$key]) ||
+- ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value)))
++ ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value)))
+ $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+ else if($key == 'style' && ($style = $this->wash_style($value)))
+ $t .= ' style="' . $style . '"';
+- else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway
++ else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
+ if($src = $this->config['cid_map'][$value]) {
+ $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"';
+ }
+- else if(preg_match('/^(http|https|ftp):.*/i', $value)) {
++ else if(preg_match('/^(http|https|ftp):.+/i', $value)) {
+ if($this->config['allow_remote'])
+ $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+@@ -175,5 +175,5 @@
+ $this->extlinks = true;
+ if ($this->config['blocked_src'])
+- $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
++ $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
+ }
+ }
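Review bot: The new patch at L130-L140 carries an upstream CHANGELOG hunk that contributes nothing to the fix and will make the whole patch fail to apply the first time the packaged CHANGELOG diverges from svn r2245; restrict the patch to the `washtml.php` hunks. The code change only works because `background` was removed from the `$html_attribs` allowlist at L147 and therefore falls through to the `src`-style URL check at L159; a one-line header comment such as `background must stay out of $html_attribs: it is filtered like img src (cid map first, then http/https/ftp only when allow_remote is set)` would stop a later merge from quietly re-adding it. The enclosing function of the second and third hunks starts and ends outside the patch excerpt, so the surrounding control flow is inferred.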
+++ /dev/null
-Fix a vulnerability due to the use of "e" option of preg_replace.
-
---- roundcube-0.2~alpha/program/lib/html2text.php 2008-04-12 15:54:45.000000000 +0200
-+++ roundcube-0.2~alpha/program/lib/html2text.php 2008-12-13 14:21:44.000000000 +0100
-@@ -99,6 +99,22 @@
- */
- var $width = 70;
-
-+ /**
-+ * List of preg* regular expression patterns to search for
-+ * and replace using callback function.
-+ *
-+ * @var array $callback_search
-+ * @access public
-+ */
-+ var $callback_search = array(
-+ '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3
-+ '/<(b)[^>]*>(.*?)<\/b>/i', // <b>
-+ '/<(strong)[^>]*>(.*?)<\/strong>/i', // <strong>
-+ '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i',
-+ // <a href="">
-+ '/<(th)[^>]*>(.*?)<\/th>/i', // <th> and </th>
-+ );
-+
- /**
- * List of preg* regular expression patterns to search for,
- * used in conjunction with $replace.
-@@ -112,12 +128,8 @@
- "/[\n\t]+/", // Newlines and tabs
- '/<script[^>]*>.*?<\/script>/i', // <script>s -- which strip_tags supposedly has problems with
- //'/<!-- .* -->/', // Comments -- which strip_tags might have problem a with
-- '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
-- '/<h[123][^>]*>(.+?)<\/h[123]>/ie', // H1 - H3
-- '/<h[456][^>]*>(.+?)<\/h[456]>/ie', // H4 - H6
- '/<p[^>]*>/i', // <P>
- '/<br[^>]*>/i', // <br>
-- '/<b[^>]*>(.+?)<\/b>/ie', // <b>
- '/<i[^>]*>(.+?)<\/i>/i', // <i>
- '/(<ul[^>]*>|<\/ul>)/i', // <ul> and </ul>
- '/(<ol[^>]*>|<\/ol>)/i', // <ol> and </ol>
-@@ -126,7 +138,6 @@
- '/(<table[^>]*>|<\/table>)/i', // <table> and </table>
- '/(<tr[^>]*>|<\/tr>)/i', // <tr> and </tr>
- '/<td[^>]*>(.+?)<\/td>/i', // <td> and </td>
-- '/<th[^>]*>(.+?)<\/th>/ie', // <th> and </th>
- '/ /i',
- '/"/i',
- '/>/i',
-@@ -161,12 +172,8 @@
- ' ', // Newlines and tabs
- '', // <script>s -- which strip_tags supposedly has problems with
- //'', // Comments -- which strip_tags might have problem a with
-- '$this->_build_link_list("\\2", "\\3")', // <a href="">
-- "strtoupper(\"\n\n\\1\n\n\")", // H1 - H3
-- "ucwords(\"\n\n\\1\n\")", // H4 - H6
- "\n\n", // <P>
- "\n", // <br>
-- 'strtoupper("\\1")', // <b>
- '_\\1_', // <i>
- "\n\n", // <ul> and </ul>
- "\n\n", // <ol> and </ol>
-@@ -175,7 +182,6 @@
- "\n\n", // <table> and </table>
- "\n", // <tr> and </tr>
- "\t\t\\1\n", // <td> and </td>
-- "strtoupper(\"\t\t\\1\n\")", // <th> and </th>
- ' ',
- '"',
- '>',
-@@ -379,6 +385,7 @@
-
- // Run our defined search-and-replace
- $text = preg_replace($this->search, $this->replace, $text);
-+ $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
-
- // Strip any other HTML tags
- $text = strip_tags($text, $this->allowed_tags);
-@@ -446,6 +453,44 @@
-
- return $display . ' [' . ($index+1) . ']';
- }
-+
-+ /**
-+ * Callback function for preg_replace_callback use.
-+ *
-+ * @param array PREG matches
-+ * @return string
-+ * @access private
-+ */
-+ function _preg_callback($matches)
-+ {
-+ switch($matches[1])
-+ {
-+ case 'b':
-+ case 'strong':
-+ return $this->_strtoupper($matches[2]);
-+ case 'hr':
-+ return $this->_strtoupper("\t\t". $matches[2] ."\n");
-+ case 'h':
-+ return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
-+ case 'a':
-+ return $this->_build_link_list($matches[3], $matches[4]);
-+ }
-+ }
-+
-+ /**
-+ * Strtoupper multibyte wrapper function
-+ *
-+ * @param string
-+ * @return string
-+ * @access private
-+ */
-+ function _strtoupper($str)
-+ {
-+ if (function_exists('mb_strtoupper'))
-+ return mb_strtoupper($str);
-+ else
-+ return strtoupper($str);
-+ }
- }
-
- ?>
-\ Pas de fin de ligne à la fin du fichier.
+++ /dev/null
-Fix login redirection.
-
---- a/program/include/rcmail.php~ 2008-06-07 21:33:07.000000000 +0200
-+++ a/program/include/rcmail.php 2008-06-22 13:36:57.000000000 +0200
-@@ -474,7 +474,7 @@
- public function autoselect_host()
- {
- $default_host = $this->config->get('default_host');
-- $host = !empty($default_host) ? get_input_value('_host', RCUBE_INPUT_POST) : $default_host;
-+ $host = isset($_POST['_host']) ? get_input_value('_host', RCUBE_INPUT_POST) : $default_host;
-
- if (is_array($host)) {
- list($user, $domain) = explode('@', get_input_value('_user', RCUBE_INPUT_POST));
dbconfig-common_support.patch
correct_install_path.patch
use_packaged_tinymce.patch
-use-db-backend.patch
correct-magic-path.patch
-fix_login.patch
-dont-use-preg-e-option.patch
-cve-2008-5620.patch
+cve-2009-0413.patch
+++ /dev/null
-Use db backend since mdb2 is not yet available in Debian.
-
---- roundcubemail-0.1-dep/config/db.inc.php.dist~ 2008-03-03 22:32:15.000000000 +0100
-+++ roundcubemail-0.1-dep/config/db.inc.php.dist 2008-03-05 21:07:28.000000000 +0100
-@@ -27,7 +27,7 @@
- $rcmail_config['db_dsnr'] = '';
-
- // database backend to use (only db or mdb2 are supported)
--$rcmail_config['db_backend'] = 'mdb2';
-+$rcmail_config['db_backend'] = 'db';
-
- // maximum length of a query in bytes
- $rcmail_config['db_max_length'] = 512000; // 500K
install -m 0644 $(CURDIR)/SQL/mysql.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/mysql
install -m 0644 $(CURDIR)/SQL/postgres.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/pgsql
install -m 0644 $(CURDIR)/SQL/sqlite.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/sqlite
- # Database upgrade from latest versions
- install -m 0644 $(CURDIR)/SQL/postgres.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/pgsql/0.1.1-1
- install -m 0644 $(CURDIR)/SQL/mysql.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/mysql/0.1.1-1
- install -m 0644 $(CURDIR)/SQL/sqlite.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/sqlite/0.1.1-1
# Old database upgrades
cp -r $(CURDIR)/debian/sql/* $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/.
--- /dev/null
+-- RoundCube Webmail update script for MySQL databases
+-- Updates from version 0.1-stable to 0.1.1
+
+TRUNCATE TABLE `messages`;
+
+ALTER TABLE `messages`
+ DROP INDEX `idx`,
+ DROP INDEX `uid`;
+
+ALTER TABLE `cache`
+ DROP INDEX `cache_key`,
+ DROP INDEX `session_id`,
+ ADD INDEX `user_cache_index` (`user_id`,`cache_key`);
+
+ALTER TABLE `users`
+ ADD INDEX `username_index` (`username`),
+ ADD INDEX `alias_index` (`alias`);
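Review bot: `TRUNCATE TABLE messages` at L348 discards every row of the table before the index changes, and nothing in the script says why that is acceptable; an operator reading a dbconfig-common upgrade script cannot tell a cache from user data. The columns of the SQLite counterpart on this page (`cache_key`, `headers`, `structure`) suggest `messages` is a rebuildable IMAP cache — if that is right, add `-- messages is a rebuildable IMAP cache, so discarding its rows is safe` above L348. MySQL DDL is not transactional, so a failure after this line cannot be rolled back and a re-run stops at the first already-dropped index at L351; how dbconfig-common treats a partially applied upgrade script should be checked before relying on re-runs.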
--- /dev/null
+-- Updates from version 0.1.1
+
+ALTER TABLE `identities`
+ MODIFY `signature` text,
+ MODIFY `bcc` varchar(128) NOT NULL DEFAULT '',
+ MODIFY `reply-to` varchar(128) NOT NULL DEFAULT '',
+ MODIFY `organization` varchar(128) NOT NULL DEFAULT '',
+ MODIFY `name` varchar(128) NOT NULL,
+ MODIFY `email` varchar(128) NOT NULL;
+
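Review bot: `MODIFY name varchar(128) NOT NULL` and `MODIFY email varchar(128) NOT NULL` at L370-L371 carry no DEFAULT, so if the 0.1.1 schema allowed NULL in either column and an installation has such rows, the ALTER fails under strict SQL mode and silently rewrites NULL to '' otherwise. If those columns were nullable before, precede the ALTER with `UPDATE identities SET name = '' WHERE name IS NULL;` and `UPDATE identities SET email = '' WHERE email IS NULL;`; if they were already NOT NULL, a comment saying so saves the next reader the check. The file also lacks the `-- RoundCube Webmail update script for MySQL databases` title line the 0.1.1 script opens with, so its first line does not say which engine it targets.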
--- /dev/null
+-- Updates from version 0.2-alpha
+
+ALTER TABLE `messages`
+ ADD INDEX `created_index` (`created`);
+
+-- Updates from version 0.2-beta (InnoDB only)
+
+ALTER TABLE `cache`
+ DROP `session_id`;
+
+ALTER TABLE `session`
+ ADD INDEX `changed_index` (`changed`);
+
+ALTER TABLE `cache`
+ ADD INDEX `created_index` (`created`);
+
+ALTER TABLE `users`
+ CHANGE `language` `language` varchar(5);
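Review bot: The `(InnoDB only)` qualifier in the comment at L379 is not explained — none of the four statements that follow is engine-specific, and the Postgres and SQLite scripts on this page carry no such restriction — so a reader cannot tell whether MyISAM installations are supposed to skip this section. Either state what differs on a MyISAM table or drop the qualifier. `CHANGE language language varchar(5)` at L391 also deserves a comment, since it silently makes the column nullable and removes its default: `-- language becomes nullable with no default (matches the Postgres script)`.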
--- /dev/null
+-- RoundCube Webmail update script for Postgres databases
+-- Updates from version 0.1-stable to 0.1.1
+
+CREATE INDEX cache_user_id_idx ON cache (user_id, cache_key);
+CREATE INDEX contacts_user_id_idx ON contacts (user_id);
+CREATE INDEX identities_user_id_idx ON identities (user_id);
+
+CREATE INDEX users_username_id_idx ON users (username);
+CREATE INDEX users_alias_id_idx ON users (alias);
+
+-- added ON DELETE/UPDATE actions
+ALTER TABLE messages DROP CONSTRAINT messages_user_id_fkey;
+ALTER TABLE messages ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE identities DROP CONSTRAINT identities_user_id_fkey;
+ALTER TABLE identities ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE contacts DROP CONSTRAINT contacts_user_id_fkey;
+ALTER TABLE contacts ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE cache DROP CONSTRAINT cache_user_id_fkey;
+ALTER TABLE cache ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+
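Review bot: The four `ADD FOREIGN KEY` statements at L405, L407, L409 and L411 leave the constraint unnamed and rely on Postgres generating `<table>_user_id_fkey` again — the very name the preceding `DROP CONSTRAINT` depends on — so a hand-created constraint or a future change in the generated naming breaks the drop/add pairing on the next upgrade. Name them explicitly, e.g. `ALTER TABLE messages ADD CONSTRAINT messages_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;`. The index names `users_username_id_idx` and `users_alias_id_idx` at L400-L401 contain `_id_` although the indexed columns are `username` and `alias`; `users_username_idx` and `users_alias_idx` would match `messages_created_idx` in the 0.2 script. Postgres DDL is transactional, so unless dbconfig-common already runs the script in one transaction, a `BEGIN;`/`COMMIT;` pair here (and in the 0.2 script at L414-L431) keeps a mid-script failure from leaving half the constraints cascading and half not.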
--- /dev/null
+-- Updates from version 0.2-alpha
+
+CREATE INDEX messages_created_idx ON messages (created);
+
+-- Updates from version 0.2-beta
+
+ALTER TABLE cache DROP session_id;
+
+CREATE INDEX session_changed_idx ON session (changed);
+CREATE INDEX cache_created_idx ON "cache" (created);
+
+ALTER TABLE users ALTER "language" DROP NOT NULL;
+ALTER TABLE users ALTER "language" DROP DEFAULT;
+
+ALTER TABLE identities ALTER del TYPE smallint;
+ALTER TABLE identities ALTER standard TYPE smallint;
+ALTER TABLE contacts ALTER del TYPE smallint;
+ALTER TABLE messages ALTER del TYPE smallint;
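Review bot: Identifier quoting is inconsistent within the script — `"cache"` at L423 but bare `cache` at L420, and `"language"` at L425-L426 — which leaves a reader wondering whether the quoted names were created case-sensitively. Since every other statement uses bare names and `language` is a non-reserved keyword in Postgres, unquoted `cache` and `language` are the consistent spelling. The file also lacks the engine title line the 0.1.1 script opens with, so its first line does not say which database it is for.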
--- /dev/null
+-- RoundCube Webmail update script for SQLite databases
+-- Updates from version 0.1-stable to 0.1.1
+
+DROP TABLE messages;
+
+CREATE TABLE messages (
+ message_id integer NOT NULL PRIMARY KEY,
+ user_id integer NOT NULL default '0',
+ del tinyint NOT NULL default '0',
+ cache_key varchar(128) NOT NULL default '',
+ created datetime NOT NULL default '0000-00-00 00:00:00',
+ idx integer NOT NULL default '0',
+ uid integer NOT NULL default '0',
+ subject varchar(255) NOT NULL default '',
+ "from" varchar(255) NOT NULL default '',
+ "to" varchar(255) NOT NULL default '',
+ "cc" varchar(255) NOT NULL default '',
+ "date" datetime NOT NULL default '0000-00-00 00:00:00',
+ size integer NOT NULL default '0',
+ headers text NOT NULL,
+ structure text
+);
+
+CREATE INDEX ix_messages_user_cache_uid ON messages(user_id,cache_key,uid);
+
+CREATE INDEX ix_users_username ON users(username);
+CREATE INDEX ix_users_alias ON users(alias);
+
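Review bot: `DROP TABLE messages` at L436 followed by `CREATE TABLE messages` at L438 runs outside any transaction, so if the CREATE fails (a typo, a lock, an interrupted run) the database is left with no `messages` table and a re-run of the script stops at the DROP. SQLite's DDL is transactional: wrapping the script in `BEGIN;` … `COMMIT;` makes the rebuild atomic and leaves the old table in place on failure. As with the MySQL script, the rebuild discards the table's contents, which deserves a comment stating that `messages` is a rebuildable cache (its `cache_key`, `headers` and `structure` columns suggest so) rather than user data.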
--- /dev/null
+-- Updates from version 0.2-alpha
+
+CREATE INDEX ix_messages_created ON messages (created);
+
+-- Updates from version 0.2-beta
+
+CREATE INDEX ix_session_changed ON session (changed);
+CREATE INDEX ix_cache_created ON cache (created);
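Review bot: This script makes neither of the schema changes its MySQL and Postgres counterparts make for 0.2-beta — `cache.session_id` is not dropped (MySQL L382, Postgres L420) and `users.language` keeps its NOT NULL constraint and default (L391, L425-L426) — and nothing says whether that is deliberate. SQLite's ALTER TABLE at the time could drop neither a column nor a constraint, so the omission is probably forced; document it and its consequence, e.g. `-- cache.session_id and the NOT NULL on users.language are left as-is: SQLite ALTER TABLE cannot drop a column or a constraint, a table rebuild would be required`. If the application now stores NULL in `users.language`, the SQLite schema will reject the write, so that path should be checked.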