Bug 976988 - (CVE-2016-4068) VUL-0: CVE-2016-4069: roundcubemail: XSS issue in SVG image handling and protection for download urls against CSRF
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/168259/
CVSSv2:NVD:CVE-2015-8864:4.3:(AV:N/A...
Reported: 2016-04-25 08:06 UTC by Johannes Segitz
Modified: 2019-05-01 17:12 UTC
Found By: Security Response Team

Description Johannes Segitz 2016-04-25 08:06:30 UTC
>    https://github.com/roundcube/roundcubemail/wiki/Changelog
>    https://github.com/roundcube/roundcubemail/releases

>    Fix XSS issue in SVG images handling (#4949):
>    https://github.com/roundcube/roundcubemail/issues/4949
>    https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
>    https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0


Use CVE-2015-8864 for the issue that was fixed by these commits. Use
CVE-2016-4068 for the remaining SVG XSS issues that were not fixed
(i.e., the SVG XSS issues that remain present in versions 1.0.9,
1.1.5, and 1.2-rc), as described in the
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
comment:

>   thomascube commented on 40d7342 Jan 6, 2016
>
>   Good start! Removing script nodes, however, is just the beginning.
>   XSS code can also be in node attributes like onclick, onmouseover,
>   href="javascript:, etc. or even in CSS url() as we learned with
>   HTML messages.
>
>   So traversing the entire DOM is probably necessary to provide
>   protection that goes beyond the one example we received.
>
>
>    Protect download urls against CSRF using unique request tokens (#4957):
>    https://github.com/roundcube/roundcubemail/issues/4957
>    https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
>    https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53


Use CVE-2016-4069. This is not a typical type of impact associated
with CSRF; however, it is still probably best to categorize this as a
CSRF issue, not an SSRF issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4068
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8864
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4069
http://seclists.org/oss-sec/2016/q2/137
https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
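The commit comment quoted in the description says that stripping `<script>` nodes is only the start and that a sanitizer has to walk the whole DOM, because active content can also sit in `on*` attributes, in `href="javascript:"` and in CSS `url()`. The following is an added example, written for this page and not Roundcube's own code, of such a DOM-traversing SVG sanitizer in Python's standard `xml.etree`. The element and attribute policy (which tags are dropped, which URL schemes survive, which CSS constructs are rejected) is this example's own choice, and the sample SVG is constructed to exercise each vector the comment names.

```python
"""Added example, not Roundcube's own code: a DOM-traversing SVG sanitizer
covering the vectors the commit comment names (script nodes, on* attributes,
javascript: hrefs, CSS url()). The element/attribute policy is this example's."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements removed wholesale (policy chosen for this example).
DROP_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes carrying a URL; checked against the scheme allowlist below.
URL_ATTRS = {"href", "src"}
# Only fragment references and http(s) URLs survive in URL attributes.
SAFE_URL = re.compile(r"^(?:#|https?://)", re.IGNORECASE)
# CSS constructs that load or execute content from inside styles.
BAD_CSS = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:", re.IGNORECASE)


def local_name(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def normalize_url(value: str) -> str:
    """Browsers ignore whitespace and control characters inside a scheme, so
    'java\\tscript:' must be judged exactly like 'javascript:'."""
    return "".join(c for c in value if c.isprintable() and not c.isspace())


def sanitize_element(elem: ET.Element, removed: list) -> None:
    """Depth-first walk: drop dangerous children, then scrub this node's attributes."""
    for child in list(elem):
        name = local_name(child.tag).lower()
        if name in DROP_ELEMENTS:
            elem.remove(child)
            removed.append(f"element:{name}")
        elif name == "style" and child.text and BAD_CSS.search(child.text):
            elem.remove(child)
            removed.append("element:style")
        else:
            sanitize_element(child, removed)
    for attr in list(elem.attrib):
        name = local_name(attr).lower()
        value = elem.attrib[attr]
        if name.startswith("on"):                                   # onclick, onload, ...
            del elem.attrib[attr]
            removed.append(f"attr:{name}")
        elif name in URL_ATTRS and not SAFE_URL.match(normalize_url(value)):
            del elem.attrib[attr]
            removed.append(f"attr:{name}")
        elif name == "style" and BAD_CSS.search(value):
            del elem.attrib[attr]
            removed.append("attr:style")


def sanitize_svg(svg_text: str):
    """Return (clean_svg, removed_items). Caveat: xml.etree expands internal
    entities; for untrusted input in production, parse via defusedxml instead."""
    root = ET.fromstring(svg_text)
    if local_name(root.tag).lower() != "svg":
        raise ValueError("root element is not <svg>")
    removed: list = []
    sanitize_element(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample input (not from the bug report) exercising each vector.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <script>handler()</script>
  <style>rect { fill: url(https://attacker.invalid/x.svg#f) }</style>
  <rect width="50" height="50" onclick="handler()" style="fill:red"/>
  <a xlink:href="java&#9;script:handler()"><text y="20">click</text></a>
  <a xlink:href="#inner"><circle r="5"/></a>
  <image href="https://example.invalid/ok.png" onload="handler()"/>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_SVG)
    print(clean)
    print("removed:", dropped)
```

The walk removes children before scrubbing the parent's attributes, so a dropped subtree is never inspected twice, and URL attributes are checked on a normalized copy of the value so that whitespace or control characters spliced into the scheme do not slip past the allowlist. A list of what was removed is returned alongside the cleaned markup, which is the signal a mail server would log when an inbound attachment had to be altered.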
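The second changelog entry quoted above, "Protect download urls against CSRF using unique request tokens", describes the fix for #4957 only in one line. As an added illustration, not Roundcube's code, here is a minimal Python model of that mitigation: a per-session secret held server-side, a token derived from it and bound to the specific message part, and a server-side check that rejects any download URL a third-party page could have constructed without it. The query parameter names follow Roundcube's URL scheme as I know it (`_task`, `_action`, `_uid`, `_part`, `_token`); the token derivation itself is this example's design, not Roundcube's.

```python
"""Added example, not Roundcube's own code: per-session request tokens for
download URLs, modelling the mitigation the changelog entry for #4957 names."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def new_session_secret() -> bytes:
    """Random per-session key, created at login and never sent to the client."""
    return secrets.token_bytes(32)


def download_token(session_secret: bytes, uid: str, part: str) -> str:
    """Bind the token to the session AND to the exact message part, so a token
    observed in one URL cannot be replayed for a different attachment."""
    msg = f"{uid}\x00{part}".encode()
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def build_download_url(session_secret: bytes, uid: str, part: str,
                       base: str = "https://mail.example.invalid/") -> str:
    """Parameter names mirror Roundcube's URL layout (assumption for this example);
    the token construction is this example's own."""
    query = {"_task": "mail", "_action": "get", "_uid": uid, "_part": part,
             "_token": download_token(session_secret, uid, part)}
    return base + "?" + urlencode(query)


def authorize_download(url: str, session_secret: bytes) -> bool:
    """Server-side check: the request must carry the token the server itself
    would compute for this session and this exact part. A link forged by another
    site has no way to obtain that value, so it fails here."""
    q = parse_qs(urlparse(url).query)
    try:
        uid, part, supplied = q["_uid"][0], q["_part"][0], q["_token"][0]
    except KeyError:
        return False                       # no token at all: cross-site forgery
    expected = download_token(session_secret, uid, part)
    return hmac.compare_digest(expected, supplied)   # constant-time compare


if __name__ == "__main__":
    key = new_session_secret()
    url = build_download_url(key, "42", "2")
    print(url)
    print("own link accepted:", authorize_download(url, key))
    forged = "https://mail.example.invalid/?_task=mail&_action=get&_uid=42&_part=2"
    print("token-less link accepted:", authorize_download(forged, key))
```

Binding the token to the part as well as the session is a design choice beyond a plain per-session token: it means that even if one download URL leaks (for example through a Referer header), it does not unlock every other attachment in the mailbox.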
Comment 1 Wolfgang Rosenauer 2016-04-25 12:02:01 UTC
Aeneas, could you have a look please. If you do not get around to it I could take over.
Comment 2 Swamp Workflow Management 2016-04-25 22:00:15 UTC
bugbot adjusting priority
Comment 3 Aeneas Jaißle 2016-08-11 17:40:48 UTC
* server:php:applications -> unaffected 1.2.x
* openSUSE:Factory -> unaffected 1.2.x
* openSUSE:Leap:42.1/Update, openSUSE:13.2:Update -> mr#418762 contains updates to 1.0.9 resp. 1.1.5
* openSUSE:13.1:Update (Evergreen) -> mr#418761 contains updates to 1.0.9


CVE-2015-8864: fixed with 1.0.9, 1.1.5, 1.2.0
CVE-2016-4069: fixed with 1.1.5, 1.2.0; unknown if 1.0.x was affected
CVE-2016-4068: Not mentioned with any commit, could still be open. See https://github.com/roundcube/roundcubemail/issues/5398

All updates also fix [CVE-2015-2181] (Fix security issue in DBMail driver of password plugin).
Comment 4 Bernhard Wiedemann 2016-08-11 18:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (976988) was mentioned in
https://build.opensuse.org/request/show/418762 13.2+42.1 / roundcubemail
Comment 5 Aeneas Jaißle 2016-08-11 18:05:33 UTC
(In reply to Aeneas Jaißle from comment #3)
> * openSUSE:13.1:Update (Evergreen) -> mr#418761 contains updates to 1.0.9

Request changed to mr#418767 for Evergreen
Comment 6 Andreas Stieger 2016-08-11 18:48:13 UTC
thanks
Comment 7 Aeneas Jaißle 2016-08-12 13:07:38 UTC
(In reply to Aeneas Jaißle from comment #3)
> CVE-2016-4068: Not mentioned with any commit, could still be open. See
> https://github.com/roundcube/roundcubemail/issues/5398

CVE-2016-4068 is not explicitly mentioned, but fixed with the following commits:
1.0.x: ffd5ffc -> contained in 1.0.9
1.1.x: 3e4b7cd -> contained in 1.1.5
1.2.x: a1fdb20 -> contained in 1.2.0

https://github.com/roundcube/roundcubemail/commit/ffd5ffc30a40ae56163d664d36cedff59b54006f
https://github.com/roundcube/roundcubemail/commit/3e4b7cd19d1b019f35872d384aeb24f09d035bce
https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158
Comment 8 Swamp Workflow Management 2016-08-19 15:09:07 UTC
openSUSE-SU-2016:2108-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864
Sources used:
openSUSE 13.2 (src):    roundcubemail-1.0.9-20.1
Comment 9 Swamp Workflow Management 2016-08-19 15:09:22 UTC
openSUSE-SU-2016:2109-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864,CVE-2016-4069
Sources used:
openSUSE Leap 42.1 (src):    roundcubemail-1.1.5-9.1
Comment 10 Swamp Workflow Management 2016-08-22 11:10:04 UTC
openSUSE-SU-2016:2127-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 976988
CVE References: CVE-2015-2181,CVE-2015-8864
Sources used:
openSUSE 13.1 (src):    roundcubemail-1.0.9-2.33.1
Comment 11 Swamp Workflow Management 2016-12-07 14:12:15 UTC
openSUSE-SU-2016:3038-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001856,1012493,976988,982003
CVE References: CVE-2015-2181,CVE-2016-5103
Sources used:
openSUSE Leap 42.2 (src):    roundcubemail-1.1.7-15.1
openSUSE Leap 42.1 (src):    roundcubemail-1.1.7-15.1
Comment 12 Marcus Meissner 2016-12-09 08:01:02 UTC
released
Comment 13 Marcus Meissner 2018-02-26 12:25:58 UTC
roundcube CVE-2015-2180 CVE-2015-2181 were fixed for 13.1 via

https://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html