Debian Bug report logs - #1000156
roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings


Package: src:roundcube; Maintainer for src:roundcube is Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>;

Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Thu, 18 Nov 2021 18:27:01 UTC

Severity: important

Tags: security

Found in versions roundcube/1.4.11+dfsg.1-4, roundcube/1.3.16+dfsg.1-1~deb10u1

Fixed in versions roundcube/1.5.0+dfsg.1-1, roundcube/1.4.12+dfsg.1-1~deb11u1, roundcube/1.3.17+dfsg.1-1~deb10u1

Done: Guilhem Moulin <guilhem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1000156; Package src:roundcube. (Thu, 18 Nov 2021 18:27:03 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Thu, 18 Nov 2021 18:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Date: Thu, 18 Nov 2021 19:25:02 +0100
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.3.16+dfsg.1-1~deb10u1
Control: found -1 1.4.11+dfsg.1-4
Control: fixed -1 1.5.0+dfsg.1-1

In a recent post roundcube webmail upstream has announced the
following security fixes:

 * Fix XSS issue in handling attachment filename extension in mimetype
   mismatch warning
 * Fix possible SQL injection via some session variables

sid/bookworm's 1.5.0+dfsg.1-2 is not affected.  Upstream fixes for LTS
branches:

    1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
          https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
    1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
          https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

-- 
Guilhem.

[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
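The report above identifies the XSS only by its title. The Python below is an added illustration of that bug class, not Roundcube's code (Roundcube is PHP) and not the upstream fix in the linked commits: it parses a constructed message, takes the attachment's extension the way a naive mismatch check would, and renders the mismatch warning once with raw interpolation and once with HTML escaping. The function names, warning wording and sample message are assumptions made for this demonstration.

```python
"""Constructed illustration of the bug class named in the report above
(CVE-2021-44025): an attachment filename extension reflected, unescaped, into
the warning a webmail client shows when that extension does not match the
declared Content-Type. Added example in Python; not Roundcube's code, and not
the upstream fix from the linked commits. Function names, the warning wording
and the sample message are assumptions made for this demonstration."""
import email
import html
import mimetypes
from email import policy

# Constructed sample message (not a real capture). The first attachment is
# consistent; the second declares image/png but its "extension" (everything
# after the last dot) carries an HTML payload. A warning that interpolates that
# extension raw turns a received e-mail into XSS in the reader's session.
SAMPLE_MESSAGE = b"""From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0xLjQK
--XX
Content-Type: image/png
Content-Disposition: attachment; filename="report.pdf<img src=x onerror=alert(1)>"

iVBORw0KGgo=
--XX--
"""


def attachments(raw):
    """Return (filename, declared Content-Type) for every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "", part.get_content_type())
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def extension_of(filename):
    """The extension as a naive mismatch check takes it: text after the last dot."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def mismatch_warning(filename, declared_type, escape):
    """Return the warning HTML when the type implied by the extension differs
    from the declared Content-Type, or None when they agree.

    escape=False interpolates the attacker-controlled extension raw (the
    vulnerable pattern); escape=True HTML-escapes it first (the hardened one).
    The declared type is escaped too, since it is also taken from the message.
    """
    ext = extension_of(filename)
    implied = mimetypes.types_map.get("." + ext.lower())
    if implied == declared_type:
        return None
    if escape:
        ext = html.escape(ext, quote=True)
        declared_type = html.escape(declared_type, quote=True)
    return (f'<div class="warning">Attachment extension ".{ext}" does not match '
            f'the declared type "{declared_type}".</div>')


def render_warnings(raw, escape):
    """Warnings for every mismatched attachment in a raw RFC 5322 message."""
    out = []
    for filename, declared_type in attachments(raw):
        warning = mismatch_warning(filename, declared_type, escape)
        if warning is not None:
            out.append(warning)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("escaped" if mode else "raw    ", render_warnings(SAMPLE_MESSAGE, mode))
```

Run with the sample, the raw mode emits the `<img ...>` tag verbatim inside the warning markup, while the escaped mode emits `&lt;img ...&gt;`, which the browser renders as text. The point for reviewers of similar code is that an extension is attacker-controlled message data like any other header field, and every place it is reflected into HTML needs the same escaping as the filename itself.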

Marked as found in versions roundcube/1.3.16+dfsg.1-1~deb10u1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:03 GMT)


Marked as found in versions roundcube/1.4.11+dfsg.1-4. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:04 GMT)


Marked as fixed in versions roundcube/1.5.0+dfsg.1-1. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 18 Nov 2021 18:27:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>:
Bug#1000156; Package src:roundcube. (Fri, 19 Nov 2021 07:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>. (Fri, 19 Nov 2021 07:33:03 GMT)


Message #16 received at 1000156@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guilhem Moulin <guilhem@debian.org>, 1000156@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1000156: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings
Date: Fri, 19 Nov 2021 08:29:59 +0100
Hi,

On Thu, Nov 18, 2021 at 07:25:02PM +0100, Guilhem Moulin wrote:
> Source: roundcube
> Severity: important
> Tags: security
> Control: found -1 1.3.16+dfsg.1-1~deb10u1
> Control: found -1 1.4.11+dfsg.1-4
> Control: fixed -1 1.5.0+dfsg.1-1
> 
> In a recent post roundcube webmail upstream has announced the
> following security fixes:
> 
>  * Fix XSS issue in handling attachment filename extension in mimetype
>    mismatch warning
>  * Fix possible SQL injection via some session variables
> 
> sid/bookworm's 1.5.0+dfsg.1-2 is not affected.  Upstream fixes for LTS
> branches:
> 
>     1.4.x https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
>           https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
>     1.3.x https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
>           https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa

CVEs are assigned as follows (by MITRE):

CVE-2021-44025 for the XSS issue

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44025

CVE-2021-44026 for the SQL injection.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026

Regards,
Salvatore



Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Mon, 29 Nov 2021 17:51:10 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Mon, 29 Nov 2021 17:51:10 GMT)


Message #21 received at 1000156-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1000156-close@bugs.debian.org
Subject: Bug#1000156: fixed in roundcube 1.4.12+dfsg.1-1~deb11u1
Date: Mon, 29 Nov 2021 17:47:28 +0000
Source: roundcube
Source-Version: 1.4.12+dfsg.1-1~deb11u1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 18 Nov 2021 20:07:03 +0100
Source: roundcube
Architecture: source
Version: 1.4.12+dfsg.1-1~deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1000156
Changes:
 roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high
 .
   * New bugfix/security upstream release (closes: #1000156), with fixes for:
     + CVE-2021-44025: XSS issue in handling attachment filename extension in
       mimetype mismatch warning; and
     + CVE-2021-44026: possible SQL injection via some session variables.
   * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
   * d/salsa-ci.yml: Set RELEASE=bullseye.
   * Refresh d/patches.
Checksums-Sha1:
 c33d720d130bedec22e7defb1ffb5156cf95801e 3273 roundcube_1.4.12+dfsg.1-1~deb11u1.dsc
 25701f11c971057a6052d02b264f731d15ae42c0 128880 roundcube_1.4.12+dfsg.1.orig-tinymce-langs.tar.xz
 e6ed8e54e92f75a8101f63b302b42850e980df17 889096 roundcube_1.4.12+dfsg.1.orig-tinymce.tar.xz
 fa176ba23daba11d93f33c19ba032c34964ffa55 2975816 roundcube_1.4.12+dfsg.1.orig.tar.xz
 688b741b08dda371f6560253359a0f79ad402a1f 90680 roundcube_1.4.12+dfsg.1-1~deb11u1.debian.tar.xz
 fb605b4bad52ad2b359a1c0339b0f7c4cbdf40a1 10569 roundcube_1.4.12+dfsg.1-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 6950c6c5f036491c7cdc4d84d3c9044d66966f0be3d75d8636d6bbde336f54fc 3273 roundcube_1.4.12+dfsg.1-1~deb11u1.dsc
 a6f44d06ba61e74fa384979d1ba619c368c354b9fd0bfc3c29456cfc9c588c8d 128880 roundcube_1.4.12+dfsg.1.orig-tinymce-langs.tar.xz
 2b7e4aba38dcecb8cc7c6d7fa02d9d6b2e2650e9893a66aa3292f84896d1a7e3 889096 roundcube_1.4.12+dfsg.1.orig-tinymce.tar.xz
 dba4dc8f04df07cede2916fd49769c99319b363618c9133971e89c41577ee8ca 2975816 roundcube_1.4.12+dfsg.1.orig.tar.xz
 57cb8f890dd6faef5a977b19717f54743f3e02dc2c12fa5ae5ba408baaa33ba8 90680 roundcube_1.4.12+dfsg.1-1~deb11u1.debian.tar.xz
 667d793f43335c822512dcf5e0d5dca527fe14c98e44c0ab52f5f57f52e91a4c 10569 roundcube_1.4.12+dfsg.1-1~deb11u1_amd64.buildinfo
Files:
 400526b83be62a7e8f0061c3fbc2d98f 3273 web optional roundcube_1.4.12+dfsg.1-1~deb11u1.dsc
 b075acfd823355091c04e2c7b7951d8b 128880 web optional roundcube_1.4.12+dfsg.1.orig-tinymce-langs.tar.xz
 32f04b2b9f2f35d90f6abbfab11562d5 889096 web optional roundcube_1.4.12+dfsg.1.orig-tinymce.tar.xz
 6964008a52cdb08fff4f2de2ec47f98c 2975816 web optional roundcube_1.4.12+dfsg.1.orig.tar.xz
 1675d5af5953c47895f4501b243d995b 90680 web optional roundcube_1.4.12+dfsg.1-1~deb11u1.debian.tar.xz
 f0ec8c5912b42f21896284542162240b 10569 web optional roundcube_1.4.12+dfsg.1-1~deb11u1_amd64.buildinfo





Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Mon, 29 Nov 2021 18:18:03 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Mon, 29 Nov 2021 18:18:03 GMT)


Message #26 received at 1000156-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1000156-close@bugs.debian.org
Subject: Bug#1000156: fixed in roundcube 1.3.17+dfsg.1-1~deb10u1
Date: Mon, 29 Nov 2021 18:17:25 +0000
Source: roundcube
Source-Version: 1.3.17+dfsg.1-1~deb10u1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1000156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 18 Nov 2021 19:52:34 +0100
Source: roundcube
Architecture: source
Version: 1.3.17+dfsg.1-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1000156
Changes:
 roundcube (1.3.17+dfsg.1-1~deb10u1) buster-security; urgency=high
 .
   * New bugfix/security upstream release (closes: #1000156), with fixes for:
     + CVE-2021-44025: XSS issue in handling attachment filename extension in
       mimetype mismatch warning; and
     + CVE-2021-44026: possible SQL injection via some session variables.
   * Refresh d/patches.
   * Refresh d/upstream/signing-key.asc.
   * d/gbp.conf: Rename upstream branch to upstream/release-1.3.
Checksums-Sha1:
 60dec2e7f716f676620b39092d0542ee6896c35c 2487 roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 049b02152dc5e7a640fbc5e9ea59ac374c235298 2186304 roundcube_1.3.17+dfsg.1.orig.tar.xz
 ed2717075cda99eb7383cd84d64e43fcf8c6bbb7 3054684 roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 a1d08aa29bd5515a5688297a00059b1e32504422 9339 roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo
Checksums-Sha256:
 07d4b520e36900c5ac213da5f93aa44c81e7c02a340a0f2a0c940db33242be4b 2487 roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 de5fa96b2e5fb9c6584e06c7dea6f959dcd5f24950cf22f2125f1da1450ef3cb 2186304 roundcube_1.3.17+dfsg.1.orig.tar.xz
 f72cd55bc0e6f822350e5635d96d881764886b601c2857172ddea852d1306e92 3054684 roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 149a1612336afa7b5db1f0a5ca929e13376ce38f6b26edd9a6731ed762c11ded 9339 roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo
Files:
 430dddff4b3c764ed7593f2fc8833a81 2487 web optional roundcube_1.3.17+dfsg.1-1~deb10u1.dsc
 d6e1afb06f95297460a0cecc43c5ec17 2186304 web optional roundcube_1.3.17+dfsg.1.orig.tar.xz
 1f087b1bf713c6a294ecefc415573da8 3054684 web optional roundcube_1.3.17+dfsg.1-1~deb10u1.debian.tar.xz
 2981ccd2e0122d64ae97b5e463af43c3 9339 web optional roundcube_1.3.17+dfsg.1-1~deb10u1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jan 2022 07:26:55 GMT)

