From 5f4f08b22b9e052cd05ea965689c257973c9240b Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sat, 29 Sep 2012 11:31:25 +0200
Subject: [PATCH] Fix problem with some uuencoded attachments.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Patch from Michał Mirosław. Closes: #686857.
---
 debian/changelog | 7 +++++++
 debian/patches/series | 1 +
 debian/patches/uuencoded-attachments.patch | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 debian/patches/uuencoded-attachments.patch

diff --git a/debian/changelog b/debian/changelog
index 3bbc2da..e3c6c4b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+roundcube (0.7.2-5) unstable; urgency=low
+
+ * Fix problem with some uuencoded attachments. Patch from Michał
+ Mirosław. Closes: #686857.
+
+ -- Vincent Bernat Sat, 29 Sep 2012 11:30:04 +0200
+
 roundcube (0.7.2-4) unstable; urgency=high
 
 * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
diff --git a/debian/patches/series b/debian/patches/series
index 0897d82..c6c2e90 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ default-charset-utf8.patch
 debianize_password_plugin.patch
 use-debian-jquery-ui.patch
 cve-2012-3508.patch
+uuencoded-attachments.patch
diff --git a/debian/patches/uuencoded-attachments.patch b/debian/patches/uuencoded-attachments.patch
new file mode 100644
index 0000000..fb48aed
--- /dev/null
+++ b/debian/patches/uuencoded-attachments.patch
@@ -0,0 +1,21 @@
+Roundcube 0.7 doesn't properly recognize uuencoded attachments. Space
+(0x20) is a valid character to be found in uuencoded paragraphs while
+anything above backquote (0x60) is not valid.
+
+Source:
+ http://en.wikipedia.org/wiki/Uuencoding#Formatting_Mechanism
+
+Patch from Michał Mirosław.
+
+--- a/program/include/rcube_message.php.orig 2012-01-17 08:50:40.000000000 +0100
++++ a/program/include/rcube_message.php 2012-09-06 19:54:54.000000000 +0200
+@@ -622,8 +622,7 @@
+ $part->body = $this->imap->get_message_part($this->uid, $part->mime_id, $part);
+
+ $parts = array();
+- // FIXME: line length is max.65?
+- $uu_regexp = '/begin [0-7]{3,4} ([^\n]+)\n(([\x21-\x7E]{0,65}\n)+)`\nend/s';
++ $uu_regexp = '/begin [0-7]{3,4} ([^\n]+)\n(([\x20-\x60]{0,65}\n)+)`\nend/s';
+
+ if (preg_match_all($uu_regexp, $part->body, $matches, PREG_SET_ORDER)) {
+ // remove attachments bodies from the message body
--
2.39.2
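Review bot: The `if (preg_match_all($uu_regexp, $part->body, $matches, PREG_SET_ORDER))` test at the end of the inner hunk cannot tell a PCRE failure from "no uuencoded data", because `preg_match_all` returns `false` on an engine error and the branch is simply skipped. The repeated group `(([\x20-\x60]{0,65}\n)+)` iterates once per encoded line over a body taken from an untrusted message, so a large attachment can plausibly hit `pcre.backtrack_limit` or `pcre.recursion_limit` and stay undecoded in the message text with no trace; a check such as `if (preg_last_error() !== PREG_NO_ERROR) { /* log and fall back */ }` after the call would make that case visible. The pattern also still requires bare `\n` line ends, and whether `$part->body` has been normalised from CRLF before this point is outside the hunk, so that is worth confirming. Removing `// FIXME: line length is max.65?` drops the only hint that 65 is a heuristic; a replacement like `// uuencoded data lines use 0x20-0x60 (space..backquote); 65 is a heuristic cap on line length` would keep the reasoning beside the regex. The enclosing function starts and ends outside the hunk.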