Bug 837436 (CVE-2013-5645) - VUL-0: CVE-2013-5645: roundcubemail: XSS vulnerability
Summary: VUL-0: CVE-2013-5645: roundcubemail: XSS vulnerability
Status: RESOLVED FIXED
Alias: CVE-2013-5645
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2013-08-29 06:44 UTC by Alexander Bergmann
Modified: 2013-10-17 10:01 UTC

Description Alexander Bergmann 2013-08-29 06:44:22 UTC
Public via oss-security:

Date: Wed, 28 Aug 2013 12:59:43 -0400 (EDT)
From: cve-assign@mitre...
Subject: [oss-security] Re: CVE request: roundcube 0.9.3 fixes two XSS flaws


Note: roundcubemail exists only for openSUSE!


>[2] http://trac.roundcube.net/ticket/1489251

The first CVE assignment for this is CVE-2013-5645. The scope of this
CVE includes:

  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

  Fix XSS vulnerability when editing a message "as new" or draft

  "rcmail_wash_html($body, array('safe' => 1), $cid_map);"
  added in compose.inc

The scope of this CVE also includes:

  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github

  Fix XSS vulnerability when saving HTML signatures

  "rcmail_wash_html($save_data['signature']);"
  added in save_identity.inc

to the extent that this can cross privilege boundaries within the
Roundcube webmail product.

All aspects of CVE-2013-5645 were discovered by und3r. These are all
CVE-2013-5645 references:

  http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
  http://trac.roundcube.net/ticket/1489251
  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github


The scope of CVE-2013-5645 does not include any additional
exploitation approaches (if any) in Roundcube webmail, or other
products, that are related to:

  'This kind of problem is present in all parts where there is
  the "MCE" editor (or, more specifically, where there is a
  <textarea> with the CSS class "mce_editor").'

That may possibly have other CVE assignments if someone investigates
it at a later time.

-------------------

Additional note:
CVE-2013-5646 (addressbook group vulnerability) affects only version 1.0-git (not version 0.9.2).
Comment 1 Wolfgang Rosenauer 2013-08-29 08:59:34 UTC
taking.
Is 0.8.6 as shipped in 12.2 and 12.3 affected?
Can we just update to 0.9.3? (Factory update prepared right now)
Comment 2 Wolfgang Rosenauer 2013-08-29 09:11:20 UTC
patch submitted with version update. If not applicable please decline.
Comment 3 Swamp Workflow Management 2013-08-29 22:00:11 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2013-08-30 07:17:16 UTC
huyps, wolfi submitted already :)
Comment 5 Swamp Workflow Management 2013-09-09 13:04:33 UTC
openSUSE-SU-2013:1420-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 803091,837436
CVE References: CVE-2012-6121,CVE-2013-5645
Sources used:
openSUSE 12.3 (src):    roundcubemail-0.9.3-1.8.1
openSUSE 12.2 (src):    roundcubemail-0.9.3-3.16.1
Comment 6 Marcus Meissner 2013-10-06 08:35:31 UTC
released, thanks!
Comment 7 Bernhard Wiedemann 2013-10-17 10:01:33 UTC
This is an autogenerated message for OBS integration:
This bug (837436) was mentioned in
https://build.opensuse.org/request/show/203574 13.1 / froxlor
https://build.opensuse.org/request/show/203575 12.3 / froxlor
https://build.opensuse.org/request/show/203576 12.2 / froxlor