Bug 915789 (CVE-2015-1433) - VUL-0: CVE-2015-1433: roundcubemail: cross-site scripting in style attribute handling
Summary: VUL-0: CVE-2015-1433: roundcubemail: cross-site scripting in style attribute ...
Status: RESOLVED FIXED
Alias: CVE-2015-1433
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Wolfgang Rosenauer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113426/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-02 13:25 UTC by Johannes Segitz
Modified: 2015-07-06 12:00 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2015-02-02 23:00:13 UTC
bugbot adjusting priority
Comment 2 Wolfgang Rosenauer 2015-02-03 09:29:29 UTC
Please advise whether an upgrade to 1.0.5 is acceptable.

https://build.opensuse.org/request/show/283682
Comment 3 Benjamin Brunner 2015-02-04 16:01:29 UTC
Changed needinfo to our security team, since it fixes a security issue.
Comment 4 Johannes Segitz 2015-02-04 16:24:07 UTC
(In reply to Wolfgang Rosenauer from comment #2)
As this is openSUSE, I think it's okay.
Comment 5 Swamp Workflow Management 2015-02-13 15:06:17 UTC
openSUSE-SU-2015:0286-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 863569,915789
CVE References: CVE-2015-1433
Sources used:
openSUSE 13.2 (src):    roundcubemail-1.0.5-8.1
openSUSE 13.1 (src):    roundcubemail-1.0.5-2.18.1
Comment 6 James Carter 2015-03-12 01:25:14 UTC
Today 03-11 on openSUSE 13.1 (i586) we installed patch openSUSE-SU-2015:0286-1 from comment #5. It was not exactly trauma-free.
The patch would not apply because it wanted php-pear-Net_Sieve. SBS has php5-pear-Net_Sieve, and putting this in my local repo allowed roundcubemail-1.0.5-2.18.1.noarch to be installed.
After the upgrade, users could log in to Roundcube, but when showing the message list it would show one to three messages and then just sit there with the "Loading..." circulator. I didn't find any error messages that seemed relevant. Users gathered outside the bugs office with pitchforks.
Now, how are we going to revert? Fast? I just installed the old package, but there was considerable mess to clean up. I didn't document in detail which step caused what problem, but the main issue was that one of the install steps transformed /etc/roundcubemail/main.inc.php and db.inc.php, in particular changing the database URL from
$config['db_dsnw'] = 'pgsql://webmail:qw%2Ferty@localhost/roundcube';
to
rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
which appears to be the generic configuration for a new installation.
I restored the old config files, restored the database (since in the major version upgrade the schema got updated, not likely backward compatible), and it came back to life.
Moral: if you're going to install this patch, treat it as a full version upgrade; don't just let zypper install the thing.
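A post-upgrade sanity check for the symptom described in comment 6, added here as an example (this is not code from the bug report or from the Roundcube project): it reads the db_dsnw value out of a Roundcube config file and tells whether the upgrade left it alone, reset it to the stock default, or changed it to something else. The file paths are assumptions, the "stock" DSN is the generic value quoted in the comment, and the sample config lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the config overwrite
# described in comment 6, where an upgrade replaced the site's database
# DSN with the stock default. Paths and the "stock" value are assumptions.
set -u

# Default DSN that a fresh Roundcube install ships (value taken from the
# bug report comment; treated here as the marker for "config was reset").
STOCK_DSN='mysql://roundcube:pass@localhost/roundcubemail'

# Print the db_dsnw value from a Roundcube config file. Matches both the
# $config['db_dsnw'] and rcmail_config['db_dsnw'] spellings.
get_dsn() {
    grep "config\['db_dsnw'\]" "$1" | head -n 1 \
        | sed "s/.*=[[:space:]]*'\([^']*\)'.*/\1/"
}

# Exit 0 if the DSN in the pre-upgrade copy ($1) and the live file ($2)
# are identical and non-empty, 1 otherwise.
dsn_unchanged() {
    before=$(get_dsn "$1")
    after=$(get_dsn "$2")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Exit 0 if the live file now carries the stock DSN, i.e. the exact
# symptom from comment 6.
dsn_is_stock_default() {
    [ "$(get_dsn "$1")" = "$STOCK_DSN" ]
}

# Demo on constructed files (no real site config is touched).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "\$config['db_dsnw'] = 'pgsql://webmail:qw%2Ferty@localhost/roundcube';" \
        > "$tmp/before.php"
    printf '%s\n' "rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';" \
        > "$tmp/after.php"
    if dsn_unchanged "$tmp/before.php" "$tmp/after.php"; then
        echo "DSN unchanged"
    elif dsn_is_stock_default "$tmp/after.php"; then
        echo "DSN was reset to the stock default; restore the saved config"
    else
        echo "DSN changed to something else; inspect before restoring"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with a copy of /etc/roundcubemail taken before zypper runs as the "before" file and the live file as "after"; a stock-default result is the cue to restore the saved config and database backup rather than debug the stalled message list.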
Comment 7 Andreas Stieger 2015-07-06 12:00:52 UTC
update released