From ddbc1e150db4127e98e59534ca9784899e968c4d Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sun, 26 Aug 2012 14:20:56 +0200
Subject: [PATCH] Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.

---
 debian/changelog | 6 ++
 debian/patches/cve-2012-3508.patch | 126 +++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 133 insertions(+)
 create mode 100644 debian/patches/cve-2012-3508.patch

diff --git a/debian/changelog b/debian/changelog
index baca9f3..3bbc2da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+roundcube (0.7.2-4) unstable; urgency=high
+
+ * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475.
+
+ -- Vincent Bernat Sun, 26 Aug 2012 14:20:24 +0200
+
 roundcube (0.7.2-3) unstable; urgency=low
 
 * Remove old Replaces/Breaks for roundcube-core since it is not needed
diff --git a/debian/patches/cve-2012-3508.patch b/debian/patches/cve-2012-3508.patch
new file mode 100644
index 0000000..07914b1
--- /dev/null
+++ b/debian/patches/cve-2012-3508.patch
@@ -0,0 +1,126 @@ +Fix CVE-2012-3508. Self XSS with signature. +See: + https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32 + +Index: roundcube/program/js/app.js.src +=================================================================== +--- roundcube.orig/program/js/app.js.src 2012-04-28 10:26:30.133307979 +0200 ++++ roundcube/program/js/app.js.src 2012-08-26 14:19:04.611476200 +0200 +@@ -3183,8 +3183,7 @@ + input_message = $("[name='_message']"), + message = input_message.val(), + is_html = ($("input[name='_is_html']").val() == '1'), +- sig = this.env.identity, +- sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- '; ++ sig = this.env.identity; + + // enable manual signature insert + if (this.env.signatures && this.env.signatures[id]) { +@@ -3197,25 +3196,18 @@ + if (!is_html) { + // remove the 'old' signature + if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) { +- +- sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text; ++ sig = this.env.signatures[sig].text; + sig = sig.replace(/\r\n/g, '\n'); + +- if (!sig.match(/^--[ -]\n/m)) +- sig = sig_separator + '\n' + sig; +- + p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig); + if (p >= 0) + message = message.substring(0, p) + message.substring(p+sig.length, message.length); + } + // add the new signature string + if (show_sig && this.env.signatures && this.env.signatures[id]) { +- sig = this.env.signatures[id]['is_html'] ? 
this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text']; ++ sig = this.env.signatures[id].text; + sig = sig.replace(/\r\n/g, '\n'); + +- if (!sig.match(/^--[ -]\n/m)) +- sig = sig_separator + '\n' + sig; +- + if (this.env.sig_above) { + if (p >= 0) { // in place of removed signature + message = message.substring(0, p) + sig + message.substring(p, message.length); +@@ -3279,21 +3271,8 @@ + } + } + +- if (this.env.signatures[id]) { +- if (this.env.signatures[id].is_html) { +- sig = this.env.signatures[id].text; +- if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m)) +- sig = sig_separator + '
' + sig; +- } +- else { +- sig = this.env.signatures[id].text; +- if (!sig.match(/^--[ -]\r?\n/m)) +- sig = sig_separator + '\n' + sig; +- sig = '
' + sig + '
'; +- } +- +- sigElem.innerHTML = sig; +- } ++ if (this.env.signatures[id]) ++ sigElem.innerHTML = this.env.signatures[id].html; + } + + this.env.identity = id; +Index: roundcube/program/steps/mail/compose.inc +=================================================================== +--- roundcube.orig/program/steps/mail/compose.inc 2012-02-04 09:18:15.186795165 +0100 ++++ roundcube/program/steps/mail/compose.inc 2012-08-26 14:19:04.615476279 +0200 +@@ -520,7 +520,7 @@ + + function rcmail_compose_header_from($attrib) + { +- global $MESSAGE, $OUTPUT; ++ global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode; + + // pass the following attributes to the form class + $field_attrib = array('name' => '_from'); +@@ -531,6 +531,8 @@ + if (count($MESSAGE->identities)) + { + $a_signatures = array(); ++ $separator = $RCMAIL->config->get('sig_above') ++ && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- '; + + $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)"; + $select_from = new html_select($field_attrib); +@@ -544,13 +546,27 @@ + // add signature to array + if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig'])) + { +- $a_signatures[$identity_id]['text'] = $sql_arr['signature']; +- $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false; +- if ($a_signatures[$identity_id]['is_html']) +- { +- $h2t = new html2text($a_signatures[$identity_id]['text'], false, false); +- $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text()); ++ $text = $html = $sql_arr['signature']; ++ ++ if ($sql_arr['html_signature']) { ++ $h2t = new html2text($sql_arr['signature'], false, false); ++ $text = trim($h2t->get_text()); ++ } ++ else { ++ $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET); ++ } ++ ++ if (!preg_match('/^--[ -]\r?\n/m', $text)) { ++ $text = $separator . "\n" . $text; ++ $html = $separator . "
" . $html; + } ++ ++ if (!$sql_arr['html_signature']) { ++ $html = "
" . $html . "
"; ++ } ++ ++ $a_signatures[$identity_id]['text'] = $text; ++ $a_signatures[$identity_id]['html'] = $html; + } + } + diff --git a/debian/patches/series b/debian/patches/series index 0ffb987..0897d82 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ loginbox-size.patch default-charset-utf8.patch debianize_password_plugin.patch use-debian-jquery-ui.patch +cve-2012-3508.patch -- 2.39.2
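Review bot: In the plain-signature branch of rcmail_compose_header_from, `htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET)` leaves `"` and `'` unencoded, which is safe here only because app.js.src consumes the new `html` key as element content (`sigElem.innerHTML = this.env.signatures[id].html`); a comment on that line should pin the contract, e.g. `// escaped for element content only (quotes kept) - never reuse in an attribute context`. The html_signature branch still forwards the stored signature unescaped into the same `html` key, as the old JS did, so it presumably relies on the signature having been sanitized when the identity was saved - confirm that and record it in the same comment, since `html` is now the single server-produced value trusted for innerHTML. `htmlspecialchars` with the same flags would be the minimal escaping and avoids turning every non-ASCII character into a named entity, though either call closes the reported hole. rcmail_compose_header_from continues outside the hunk.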