Bugzilla – Bug 976988
VUL-0: CVE-2016-4069: roundcubemail: XSS issue in SVG image handling and protection for download urls against CSRF
Last modified: 2019-05-01 17:12:55 UTC
> https://github.com/roundcube/roundcubemail/wiki/Changelog
> https://github.com/roundcube/roundcubemail/releases
>
> Fix XSS issue in SVG images handling (#4949):
> https://github.com/roundcube/roundcubemail/issues/4949
> https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
> https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0

Use CVE-2015-8864 for the issue that was fixed by these commits.

Use CVE-2016-4068 for the remaining SVG XSS issues that were not fixed (i.e., the SVG XSS issues that remain present in versions 1.0.9, 1.1.5, and 1.2-rc), as described in the https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218 comment:

> thomascube commented on 40d7342 Jan 6, 2016
>
> Good start! Removing script nodes, however, is just the beginning.
> XSS code can also be in node attributes like onclick, onmouseover,
> href="javascript:, etc. or even in CSS url() as we learned with
> HTML messages.
>
> So traversing the entire DOM is probably necessary to provide
> protection that goes beyond the one example we received.

> Protect download urls against CSRF using unique request tokens (#4957):
> https://github.com/roundcube/roundcubemail/issues/4957
> https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
> https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53

Use CVE-2016-4069. This is not a typical type of impact associated with CSRF; however, it is still probably best to categorize this as a CSRF issue, not an SSRF issue.
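The thomascube comment quoted above describes the defensive approach that a single "strip script nodes" pass misses: walk the entire SVG DOM and remove every place active content can hide (event-handler attributes, javascript: hrefs, CSS url()). The sanitizer below is an added example written for this bug page; it is not Roundcube's code and does not reproduce the fix in the commits referenced above. It uses Python's stdlib ElementTree, so for truly untrusted input the parser should be swapped for defusedxml to cover entity-expansion attacks; the sample SVG and the removed-items report format are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialise with the usual prefixes instead of ElementTree's generated ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) content.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Whitespace and control characters, which browsers skip inside a URL scheme.
_NOISE = re.compile(r"[\s\x00-\x1f]")


def local_name(tag: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect' (also strips the xlink namespace)."""
    return tag.rsplit("}", 1)[-1]


def is_active_url(value: str) -> bool:
    """True if an href value would run script or inject markup instead of loading a resource."""
    v = _NOISE.sub("", value).lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    if v.startswith("data:"):
        # Only raster images are allowed inline; data:text/html or data:image/svg+xml can carry script.
        return not v.startswith("data:image/") or v.startswith("data:image/svg")
    return False


def has_css_url(css: str) -> bool:
    """CSS url() loads external resources and has been an XSS vector in HTML messages."""
    return "url(" in _NOISE.sub("", css).lower()


def sanitize_svg(svg_text: str) -> Tuple[str, List[str]]:
    """Walk every element of the SVG DOM and strip active content.

    Returns the cleaned document plus a list of what was removed ('tag' for an
    element, 'tag@attr' for an attribute), which is useful for logging.
    """
    root = ET.fromstring(svg_text)  # entities are decoded here, so checks see the real values
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    parents = {child: parent for parent in root.iter() for child in parent}
    removed: List[str] = []
    doomed = []  # elements to detach after the walk, so iteration is not disturbed
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in FORBIDDEN_TAGS or (tag == "style" and el.text and has_css_url(el.text)):
            doomed.append(el)
            removed.append(tag)
            continue
        for attr in list(el.attrib):
            name = local_name(attr)
            value = el.attrib[attr]
            if (name.lower().startswith("on")                        # onclick, onload, onmouseover, ...
                    or (name == "href" and is_active_url(value))     # href and xlink:href
                    or (name == "style" and has_css_url(value))):    # inline CSS url()
                del el.attrib[attr]
                removed.append(f"{tag}@{name}")
    for el in doomed:
        parents[el].remove(el)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one benign rectangle and one PNG, plus each kind of active
# content named in the comment (script element, on* handler, javascript: href, CSS url()).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <style>rect { fill: url(http://example.invalid/a.png) }</style>
  <script>alert(1)</script>
  <a xlink:href="jav&#x61;script:alert(1)"><rect width="50" height="50" style="fill: red; background: url(x)"/></a>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    print("removed:", removed)
    print(cleaned)
```

Two design points matter here: checks run on parsed attribute values, so an entity-encoded scheme (`&#x61;`) is seen as what the browser would see, and the walk is a full tree traversal rather than a search for one tag name, which is exactly the gap the comment points out in the first fix.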
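For the second item, protecting download URLs against CSRF with per-request tokens, the following is an added illustration of the pattern rather than Roundcube's own implementation from the #4957 commits. The query parameter names (`_task`, `_action`, `_uid`, `_part`, `_token`) are assumed for the example; the token is an HMAC over the requested message part keyed with a secret held only in the server-side session, so a link crafted by a third-party site cannot carry a token the server will accept.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def new_session_secret() -> bytes:
    """Per-login secret stored server-side in the session and never sent to the browser."""
    return secrets.token_bytes(32)


def download_token(session_secret: bytes, uid: str, part: str) -> str:
    """Token bound to this session and to one message part.

    The NUL separator keeps ('1', '23') and ('12', '3') from yielding the same MAC input.
    """
    msg = f"{uid}\x00{part}".encode()
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def download_url(session_secret: bytes, uid: str, part: str) -> str:
    """Build the attachment link the webmail UI hands out (parameter names are assumed)."""
    params = {
        "_task": "mail",
        "_action": "get",
        "_uid": uid,
        "_part": part,
        "_token": download_token(session_secret, uid, part),
    }
    return "/?" + urlencode(params)


def authorize_download(session_secret: bytes, url: str) -> bool:
    """Server side: recompute the token for the requested part and compare in constant time.

    Requests without a token, with a token from another session, or with a token
    issued for a different part are refused before any content is served.
    """
    q = parse_qs(urlsplit(url).query)
    uid = q.get("_uid", [""])[0]
    part = q.get("_part", [""])[0]
    supplied = q.get("_token", [""])[0]
    expected = download_token(session_secret, uid, part)
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    secret = new_session_secret()
    link = download_url(secret, "4711", "2")
    print(link)
    print("accepted:", authorize_download(secret, link))
```

Binding the token to the session secret is what gives it CSRF protection: the token is only ever embedded in pages rendered for the logged-in user, so it is not guessable from outside that session.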
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4068
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8864
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4069
http://seclists.org/oss-sec/2016/q2/137
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
Aeneas, could you have a look please? If you do not get around to it I could take over.
bugbot adjusting priority
* server:php:applications -> unaffected 1.2.x
* openSUSE:Factory -> unaffected 1.2.x
* openSUSE:Leap:42.1/Update, openSUSE:13.2:Update -> mr#418762 contains updates to 1.0.9 resp. 1.1.5
* openSUSE:13.1:Update (Evergreen) -> mr#418761 contains updates to 1.0.9

CVE-2015-8864: fixed with 1.0.9, 1.1.5, 1.2.0
CVE-2016-4069: fixed with 1.1.5, 1.2.0; unknown if 1.0.x was affected
CVE-2016-4068: Not mentioned with any commit, could still be open. See https://github.com/roundcube/roundcubemail/issues/5398

All updates also fix [CVE-2015-2181] (Fix security issue in DBMail driver of password plugin).
This is an autogenerated message for OBS integration: This bug (976988) was mentioned in https://build.opensuse.org/request/show/418762 13.2+42.1 / roundcubemail
(In reply to Aeneas Jaißle from comment #3)
> * openSUSE:13.1:Update (Evergreen) -> mr#418761 contains updates to 1.0.9

Request changed to mr#418767 for Evergreen
thanks
(In reply to Aeneas Jaißle from comment #3)
> CVE-2016-4068: Not mentioned with any commit, could still be open. See
> https://github.com/roundcube/roundcubemail/issues/5398

CVE-2016-4068 is not explicitly mentioned, but fixed with the following commits:
1.0.x: ffd5ffc -> contained in 1.0.9
1.1.x: 3e4b7cd -> contained in 1.1.5
1.2.x: a1fdb20 -> contained in 1.2.0

https://github.com/roundcube/roundcubemail/commit/ffd5ffc30a40ae56163d664d36cedff59b54006f
https://github.com/roundcube/roundcubemail/commit/3e4b7cd19d1b019f35872d384aeb24f09d035bce
https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158
openSUSE-SU-2016:2108-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864
Sources used:
openSUSE 13.2 (src): roundcubemail-1.0.9-20.1
openSUSE-SU-2016:2109-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864,CVE-2016-4069
Sources used:
openSUSE Leap 42.1 (src): roundcubemail-1.1.5-9.1
openSUSE-SU-2016:2127-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864
Sources used:
openSUSE 13.1 (src): roundcubemail-1.0.9-2.33.1
openSUSE-SU-2016:3038-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,976988,982003
CVE References: CVE-2015-2181,CVE-2016-5103
Sources used:
openSUSE Leap 42.2 (src): roundcubemail-1.1.7-15.1
openSUSE Leap 42.1 (src): roundcubemail-1.1.7-15.1
released
roundcube CVE-2015-2180 and CVE-2015-2181 were fixed for 13.1 via https://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html