Kolab:16:TestingLinked
roundcubemail
Changes of Revision 4
roundcubemail.spec
Changed
@@ -43,7 +43,7 @@ Name: roundcubemail Version: 1.2 -Release: 0.20160119.git%{?dist} +Release: 0.20160119.git1%{?dist} Summary: Round Cube Webmail is a browser-based multilingual IMAP client @@ -61,6 +61,8 @@ Patch201: ticket-466-changes.patch Patch202: default-configuration.patch +Patch203: CVE-2016-5103.patch + BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n) @@ -1290,6 +1292,7 @@ %patch201 -p1 %patch202 -p1 +%patch203 -p1 # Remove the results of patching when there's an incidental offset find . -type f -name "*.orig" -delete @@ -3116,6 +3119,9 @@ %defattr(-,root,root,-) %changelog +* Fri May 27 2016 Timotheus Pokorra <tp@tbits.net> +- apply security patch for XSS vulnerability CVE-2016-5103 + * Thu Jan 14 2016 Timotheus Pokorra <tp@tbits.net> - /var/log/roundcubemail and /var/lib/roundcubemail should be owned by the webserver (#3678) - using now the globals for those directories
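Review bot: the new %changelog entry cites CVE-2016-5103 but not the upstream references (#5240, #5241) that the patch header carries; extending the "- apply security patch for XSS vulnerability CVE-2016-5103" line with those issue numbers keeps the CVE and the upstream commit traceable from the spec alone. The rest of the hunk is consistent: Patch203 is declared next to the existing patches, applied with "%patch203 -p1" in the same order, and Release is bumped to 0.20160119.git1 so the rebuilt package supersedes the previous one.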
CVE-2016-5103.patch
Added
@@ -0,0 +1,64 @@ +From 12b7d5f1b5a8be70a34844685993843456db5f46 Mon Sep 17 00:00:00 2001 +From: Aleksander Machniak <alec@alec.pl> +Date: Fri, 6 May 2016 08:28:15 +0200 +Subject: PATCH Fix XSS issue in href attribute on area tag (#5240, #5241) + +--- + CHANGELOG | 1 + + program/lib/Roundcube/rcube_washtml.php | 2 +- + tests/Framework/Washtml.php | 17 +++++++++++++++++ + 3 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 71ac25a..0e41baf 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -14,6 +14,7 @@ + - Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624) + - Fix XSS issue in SVG images handling (#1490625) + - Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634) ++- Fix XSS issue in href attribute on area tag (#5240) + + RELEASE 1.2-beta + ---------------- +diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +index 5938d9b..d03f04a 100644 +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -370,7 +370,7 @@ private function wash_uri($uri, $blocked_source = false) + */ + private function is_link_attribute($tag, $attr) + { +- return $tag == 'a' && $attr == 'href'; ++ return ($tag == 'a' || $tag == 'area') && $attr == 'href'; + } + + /** +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index 9515f0d..2e68179 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -38,6 +38,23 @@ function test_href() + } + + /** ++ * Test XSS in area's href (#5240) ++ */ ++ function test_href_area() ++ { ++ $html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">' ++ . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>' ++ . 
'<area href="javascript:alert(document.domain)" shape=default>'; ++ ++ $washer = new rcube_washtml; ++ $washed = $washer->wash($html); ++ ++ $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href"); ++ $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href"); ++ $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href"); ++ } ++ ++ /** + * Test handling HTML comments + */ + function test_comments()
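Review bot: test_href_area in the tests/Framework/Washtml.php hunk only asserts that "data:text", "vbscript:" and "javascript:" are absent from the washed output; it has no positive case, so a regression that dropped every area href (or the whole area element) would still pass. Suggest adding an assertion that a harmless href such as `<area href="http://example.com/">` survives washing unchanged. The one-line change to is_link_attribute is the right place for the fix, since it makes area@href get the same wash_uri treatment that a@href already received.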
debian.changelog
Changed
@@ -1,3 +1,9 @@ +roundcubemail (1:1.2~dev20160119-0~kolab2) unstable; urgency=low + + * apply security patch for XSS vulnerability CVE-2016-5103 + + -- Timotheus Pokorra <tp@tbits.net> Fri, 27 May 2016 08:42:00 +0200 + roundcubemail (1:1.2~dev20160119-0~kolab1) unstable; urgency=low * fix secure URL regex for debian
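Review bot: urgency=low on an entry whose only change is a security fix; Debian convention is urgency=high for security uploads, and leaving it low only delays the package with no benefit. Otherwise the entry lines up with the version bump in roundcubemail.dsc (0~kolab1 to 0~kolab2) and with the CVE-2016-5103.patch line added to debian.series.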
debian.series
Changed
@@ -1,2 +1,3 @@ default-configuration.patch -p1 ticket-466-changes.patch -p1 +CVE-2016-5103.patch -p1
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@ Source: roundcubemail Binary: roundcubemail Architecture: all -Version: 1:1.2~dev20160119-0~kolab1 +Version: 1:1.2~dev20160119-0~kolab2 Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org> Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>, Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>, Paul Klos <kolab@klos2day.nl> Homepage: http://www.roundcube.net/