Bug 1029035 (CVE-2017-6820)

Summary:	VUL-0: CVE-2017-6820: roundcubemail: XSS issue in handling of a style tag inside of an svg element
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Mikhail Kasimov <mikhail.kasimov>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	aj, astieger, cmueller, nix, wolfgang
Version:	unspecified
Target Milestone:	unspecified
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/181581/
Whiteboard:	CVSSv2:NVD:CVE-2017-6820:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2017-6820:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Mikhail Kasimov 2017-03-12 17:03:57 UTC

Ref: http://seclists.org/oss-sec/2017/q1/583
===============================================
Hi

I have requested a CVE for the following Roundcube issue, wich got
assigned CVE-2017-6820[*].

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element..

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Regards,
Salvatore

 [*] ideally that would be done by the upstream project on it's own
 before publishing an issue in case it was privately reported, since
 it was not immediately clear to me if one was already requested or
 some other vendors/distributors have done it.
===============================================

https://security-tracker.debian.org/tracker/CVE-2017-6820

https://software.opensuse.org/package/roundcubemail

TW: 1.2.3
42.{1,2}: 1.1.7

Comment 2 Aeneas Jaißle 2017-03-16 18:37:50 UTC

TW: https://build.opensuse.org/request/show/480711
42.{1,2}: https://build.opensuse.org/request/show/480709

Comment 3 Andreas Stieger 2017-03-17 12:28:00 UTC

accepted into maintenance

Comment 4 Andreas Stieger 2017-03-19 09:32:36 UTC

release for leap

Comment 5 Swamp Workflow Management 2017-03-19 14:07:52 UTC

openSUSE-SU-2017:0742-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1029035
CVE References: CVE-2017-6820
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.8-18.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.8-18.1