Bug 1029035 (CVE-2017-6820)

Summary: VUL-0: CVE-2017-6820: roundcubemail: XSS issue in handling of a style tag inside of an svg element
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: aj, astieger, cmueller, nix, wolfgang
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/181581/
Whiteboard: CVSSv2:NVD:CVE-2017-6820:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2017-6820:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2017-03-12 17:03:57 UTC
Ref: http://seclists.org/oss-sec/2017/q1/583
===============================================
Hi

I have requested a CVE for the following Roundcube issue, which got
assigned CVE-2017-6820[*].

rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is
susceptible to a cross-site scripting vulnerability via a crafted
Cascading Style Sheets (CSS) token sequence within an SVG element.

https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

Upstream fix (sequence of two commits):

https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Regards,
Salvatore

 [*] ideally that would be done by the upstream project on its own
 before publishing an issue in case it was privately reported, since
 it was not immediately clear to me if one was already requested or
 some other vendors/distributors have done it.
===============================================

https://security-tracker.debian.org/tracker/CVE-2017-6820

https://software.opensuse.org/package/roundcubemail

TW: 1.2.3
42.{1,2}: 1.1.7
Comment 3 Andreas Stieger 2017-03-17 12:28:00 UTC
accepted into maintenance
Comment 4 Andreas Stieger 2017-03-19 09:32:36 UTC
release for leap
Comment 5 Swamp Workflow Management 2017-03-19 14:07:52 UTC
openSUSE-SU-2017:0742-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1029035
CVE References: CVE-2017-6820
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.8-18.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.8-18.1