Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20130828204752.GZ32641@redhat.com>
Date: Wed, 28 Aug 2013 14:47:52 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE request: roundcube 0.9.3 fixes two XSS
 flaws

* [2013-08-28 12:59:43 -0400] cve-assign@...re.org wrote:

Perfect.  Thank you so much for this.

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>>[2] http://trac.roundcube.net/ticket/1489251
>
>The first CVE assignment for this is CVE-2013-5645. The scope of this
>CVE includes:
>
>  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
>
>  Fix XSS vulnerability when editing a message "as new" or draft
>
>  "rcmail_wash_html($body, array('safe' => 1), $cid_map);"
>  added in compose.inc
>
>The scope of this CVE also includes:
>
>  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
>
>  Fix XSS vulnerability when saving HTML signatures
>
>  "rcmail_wash_html($save_data['signature']);"
>  added in save_identity.inc
>
>to the extent that this can cross privilege boundaries within the
>Roundcube webmail product.
>
>All aspects of CVE-2013-5645 were discovered by und3r. These are all
>CVE-2013-5645 references:
>
>  http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
>  http://trac.roundcube.net/ticket/1489251
>  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
>  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
>
>
>The scope of CVE-2013-5645 does not include any additional
>exploitation approaches (if any) in Roundcube webmail, or other
>products, that are related to:
>
>  'This kind of problem is present in all parts where there is
>  the "MCE" editor (or, more specifically, where there is a
>  <textarea> with the CSS class "mce_editor").'
>
>That may possibly have other CVE assignments if someone investigates
>it at a later time.
>
>
>Finally, there is a separate CVE assignment of CVE-2013-5646 for this
>other issue with different affected versions:
>
>  As far as we can tell from the
>  http://trac.roundcube.net/ticket/1489251 history, the
>  addressbook group vulnerability was discovered by dennis1993
>  and affects only version 1.0-git (not version 0.9.2). There is
>  no direct statement that the addressbook group vulnerability
>  was fixed. It seems likely that the addressbook group
>  vulnerability could cross privilege boundaries if the "click on
>  this group after creation" action were performed by an
>  administrator who was visiting the addressbook of an
>  unprivileged user.
>
>http://trac.roundcube.net/ticket/1489251 is the only CVE-2013-5646
>reference that we know of at the moment.
>
>- --
>CVE assignment team, MITRE CVE Numbering Authority
>M/S M300
>202 Burlington Road, Bedford, MA 01730 USA
>[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.14 (SunOS)
>
>iQEcBAEBAgAGBQJSHif2AAoJEGvefgSNfHMdcrEH/3cAf2Qn9FvArkhmvwGWhPmI
>ddWBmTh0aoPNzuOYsNXT6ZMsBEFzRAFpcbCx4Mf32UvKO3tK/BJeQLC+eEk1XuzQ
>0+59K2KKM5y/l13qwYP3I02RyvbQEDGzKsh1EsHlKwY2vcoPoHoETYutHPtQ6HEP
>v2JgqyCMwaF+NGtqx2hK/eeiR0xBVf339ODHnii296d1KqCpcIAAPyoVGX75YZ3O
>djG9lND36wHZ9S+Huy1APi1rx/SZnPxHjaBdtVU2GGAiGpu26zZpstN3HmVbMI+v
>8jyYNpJstorjmgZqO/GwFoJ+M47YIwnISiMvCeItAClC2EwKKVRd1RLOZmGkeUM=
>=vhpO
>-----END PGP SIGNATURE-----

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.