Version in base suite: 1.6.3+dfsg-1~deb12u1 Base version: roundcube_1.6.3+dfsg-1~deb12u1 Target version: roundcube_1.6.4+dfsg-1~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/roundcube/roundcube_1.6.3+dfsg-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/roundcube/roundcube_1.6.4+dfsg-1~deb12u1.dsc CHANGELOG.md | 7 +++++ Makefile | 2 - debian/changelog | 15 ++++++++++++ debian/patches/update-script.patch | 2 - debian/rules | 7 +++++ debian/salsa-ci.yml | 2 + debian/tests/check-upstream-version-number | 30 +++++++++++++++++++++++++ debian/tests/control | 4 +++ installer/test.php | 6 ++--- plugins/managesieve/Changelog | 1 plugins/managesieve/managesieve.js | 12 ++++++---- program/include/rcmail.php | 2 - program/include/rcmail_install.php | 5 +--- program/lib/Roundcube/rcube_mime.php | 2 - program/lib/Roundcube/rcube_washtml.php | 11 +++++---- program/localization/es_ES/labels.inc | 2 - public_html/plugins/managesieve/Changelog | 1 public_html/plugins/managesieve/managesieve.js | 12 ++++++---- tests/Framework/Washtml.php | 18 +++++++++++++++ 19 files changed, 116 insertions(+), 25 deletions(-)
diff -Nru roundcube-1.6.3+dfsg/CHANGELOG.md roundcube-1.6.4+dfsg/CHANGELOG.md
--- roundcube-1.6.3+dfsg/CHANGELOG.md 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/CHANGELOG.md 2023-10-14 16:17:17.000000000 +0000
@@ -2,6 +2,13 @@
## Unreleased
+- Fix PHP8 warnings (#9142, #9160)
+- Fix default 'mime.types' path on Windows (#9113)
+- Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
+
+## Release 1.6.3
+
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
diff -Nru roundcube-1.6.3+dfsg/Makefile roundcube-1.6.4+dfsg/Makefile
--- roundcube-1.6.3+dfsg/Makefile 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/Makefile 2023-10-14 16:17:17.000000000 +0000
@@ -7,13 +7,11 @@
GPGKEY=devs@roundcube.net
VERSION=1.6-git
SEDI=sed -i
-WHICH=which
PHP_VERSION=7.3
UNAME_S := $(shell uname -s)
ifeq ($(UNAME_S),Darwin)
SEDI=sed -i ''
- WHICH=which -s
endif
all: clean complete dependent framework
diff -Nru roundcube-1.6.3+dfsg/debian/changelog roundcube-1.6.4+dfsg/debian/changelog
--- roundcube-1.6.3+dfsg/debian/changelog 2023-09-25 12:22:10.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/changelog 2023-10-18 22:20:52.000000000 +0000
@@ -1,3 +1,18 @@
+roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high
+
+ * New upstream security and bugfix release:
+ + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
+ of SVG in HTML messages. (Closes: #1054079)
+ + Managesieve plugin: Fix javascript error when relational or spamtest
+ extension is not enabled.
+ + Fix PHP8 warnings.
+ * Replace upstream release “version” 1.6-git with the actual tagged version.
+ * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
+ * Salsa CI: Disable lintian and reprotest jobs.
+ * Refresh patches.
+
+ -- Guilhem Moulin Thu, 19 Oct 2023 00:20:52 +0200
+
roundcube (1.6.3+dfsg-1~deb12u1) bookworm; urgency=medium
* Rebuild for bookworm.
diff -Nru roundcube-1.6.3+dfsg/debian/patches/update-script.patch roundcube-1.6.4+dfsg/debian/patches/update-script.patch
--- roundcube-1.6.3+dfsg/debian/patches/update-script.patch 2023-09-25 12:22:10.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/patches/update-script.patch 2023-10-18 22:20:52.000000000 +0000
@@ -67,7 +67,7 @@
$success = rcmail_utils::db_update(INSTALL_PATH . 'SQL', 'roundcube', $opts['version'], ['errors' => true]);
}
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
-index 13fd40e..e8278f8 100644
+index e584de6..68037e7 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -18,6 +18,9 @@
diff -Nru roundcube-1.6.3+dfsg/debian/rules roundcube-1.6.4+dfsg/debian/rules
--- roundcube-1.6.3+dfsg/debian/rules 2023-09-25 12:22:10.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/rules 2023-10-18 22:20:52.000000000 +0000
@@ -1,5 +1,9 @@
#!/usr/bin/make -f
+include /usr/share/dpkg/pkg-info.mk
+DEB_VERSION_UPSTREAM_MINOR = $(shell echo "$(DEB_VERSION_UPSTREAM)" | sed -r 's/\+dfsg(\.[0-9])?[0-9]*$$//')
+DEB_VERSION_UPSTREAM_BRANCH = $(shell echo "$(DEB_VERSION_UPSTREAM_MINOR)" | sed -r 's/\.[0-9]+$$/-git/')
+
SRC_FILES := $(shell find program skins plugins -path program/js/tinymce -prune -o -type f -print)
PLUGINS := $(patsubst plugins/%/composer.json,%,$(wildcard plugins/*/composer.json))
SKINS := $(patsubst skins/%/meta.json,%,$(wildcard skins/*/meta.json))
@@ -90,6 +94,9 @@
@rm -rf -- program/js/tinymce
override_dh_auto_build: $(GENERATED_FILES) ;
+ sed -ri 's/^(#+\s+)Unreleased(\s|$$)/\1Release $(DEB_VERSION_UPSTREAM_MINOR)\2/' CHANGELOG.md
+ sed -ri 's/\<$(DEB_VERSION_UPSTREAM_BRANCH)\>/$(DEB_VERSION_UPSTREAM_MINOR)/' \
+ index.php public_html/index.php program/include/iniset.php program/lib/Roundcube/bootstrap.php
.SECONDARY:
PHPUNIT_EXCLUDE_GROUPS = flaky
diff -Nru roundcube-1.6.3+dfsg/debian/salsa-ci.yml roundcube-1.6.4+dfsg/debian/salsa-ci.yml
--- roundcube-1.6.3+dfsg/debian/salsa-ci.yml 2023-09-25 12:22:10.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/salsa-ci.yml 2023-10-18 22:20:52.000000000 +0000
@@ -4,5 +4,7 @@
variables:
RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
# install suitable RDBMS before running piuparts (workaround for #1015732)
SALSA_CI_PIUPARTS_PRE_INSTALL_SCRIPT: 'debian/salsa-ci/pre_install_database-server'
diff -Nru roundcube-1.6.3+dfsg/debian/tests/check-upstream-version-number roundcube-1.6.4+dfsg/debian/tests/check-upstream-version-number
--- roundcube-1.6.3+dfsg/debian/tests/check-upstream-version-number 1970-01-01 00:00:00.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/tests/check-upstream-version-number 2023-10-18 22:20:52.000000000 +0000
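Review bot: The two `sed -ri` calls added to `override_dh_auto_build` are unchecked, so if upstream ever changes the `1.6-git` placeholder or the `## Unreleased` heading the build still succeeds with the old strings and the mismatch is only caught later by the new autopkgtest, not at build time. Asserting the rewrite took effect is cheap, e.g. `grep -qF '$(DEB_VERSION_UPSTREAM_MINOR)' program/include/iniset.php program/lib/Roundcube/bootstrap.php` right after the second `sed`. Note also that `DEB_VERSION_UPSTREAM_MINOR` only strips a `+dfsg` repack suffix while `debian/tests/check-upstream-version-number` additionally accepts `+ds`; keeping the two derivations identical avoids a false test failure if the repack suffix changes. The `.` in `$(DEB_VERSION_UPSTREAM_BRANCH)` is a regex metacharacter in the second pattern; harmless for `1.6-git` but worth escaping if the variable is reused.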
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -eu
+PATH="/usr/bin:/bin"
+export PATH
+
+UPSTREAM_VERSION="$(dpkg-query -f '${source:Upstream-Version}' -W 'roundcube-core')"
+if [ "${UPSTREAM_VERSION%+ds*}" != "$UPSTREAM_VERSION" ]; then
+ UPSTREAM_VERSION="${UPSTREAM_VERSION%+ds*}"
+else
+ UPSTREAM_VERSION="${UPSTREAM_VERSION%+dfsg*}"
+fi
+
+RV=0
+check_version() {
+ local var="$1" path="$2" v str
+ str="include_once(\"$path\"); echo($var);"
+ if ! v="$(php -r "$str")"; then
+ echo "ERROR: \`php -r \"$str\"\` failed" >&2
+ RV=1
+ elif [ "$v" != "$UPSTREAM_VERSION" ]; then
+ echo "ERROR: Got $var=$v (expected $UPSTREAM_VERSION)" >&2
+ RV=1
+ fi
+}
+
+check_version RCMAIL_VERSION /usr/share/roundcube/program/include/iniset.php
+check_version RCUBE_VERSION /usr/share/roundcube/program/lib/Roundcube/bootstrap.php
+
+exit $RV
diff -Nru roundcube-1.6.3+dfsg/debian/tests/control roundcube-1.6.4+dfsg/debian/tests/control
--- roundcube-1.6.3+dfsg/debian/tests/control 2023-09-25 12:22:10.000000000 +0000
+++ roundcube-1.6.4+dfsg/debian/tests/control 2023-10-18 22:20:52.000000000 +0000
@@ -22,6 +22,10 @@
# XXX for better coverage (Browser tests) we would need Laravel Dusk, see .github/run.sh and tests/Browser/README.md
Restrictions: superficial, needs-root, rw-build-tree
+Tests: check-upstream-version-number
+Depends: roundcube-sqlite3, roundcube-core
+Restrictions: superficial
+
# out of the box deployment with default HTTPd
Tests: apache2, cleanup, installer-checks
Depends: apache2, default-mysql-server, roundcube, curl
diff -Nru roundcube-1.6.3+dfsg/installer/test.php roundcube-1.6.4+dfsg/installer/test.php
--- roundcube-1.6.3+dfsg/installer/test.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/installer/test.php 2023-10-14 16:17:17.000000000 +0000
@@ -53,7 +53,7 @@
echo '
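Review bot: Anything PHP prints to stdout while including `iniset.php` or `bootstrap.php` (a deprecation notice, a warning about a missing extension) is captured into `$v` in `check_version` and turns into a spurious "Got RCMAIL_VERSION=..." mismatch, because the captured output is compared byte-for-byte with `$UPSTREAM_VERSION`; whether such notices reach stdout depends on the `display_errors` setting of the installed CLI php.ini, which is not visible here. Routing diagnostics to stderr keeps the comparison clean and the failure message readable: `if ! v="$(php -d display_errors=stderr -r "$str")"; then`. The `local` keyword is not POSIX, but dash accepts it, so the `#!/bin/sh` shebang is fine for Debian.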
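Review bot: The new test invokes `php` from `$PATH`, but its `Depends:` line names only `roundcube-sqlite3, roundcube-core`; unless `roundcube-core` is guaranteed to pull in a CLI interpreter (not visible in this diff), the test errors out with "php: not found" instead of reporting a version mismatch. Declaring the interpreter makes the requirement explicit and robust to dependency changes in the binary package: `Depends: roundcube-sqlite3, roundcube-core, php-cli`.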
'; if ($RCI->configured && ($messages = $RCI->check_config())) { - if (is_array($messages['replaced'])) { + if (!empty($messages['replaced'])) { echo '

Replaced config options

'; echo '

The following config options have been replaced or renamed. '; echo 'Please update them accordingly in your config files.

'; @@ -66,7 +66,7 @@ echo ''; } - if (is_array($messages['obsolete'])) { + if (!empty($messages['obsolete'])) { echo '
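Review bot: `!empty($messages['replaced'])` is a weaker guard than the `is_array()` it replaces: it also passes a non-empty string or any truthy scalar, which the iteration that presumably follows (outside this hunk) would then choke on. That is safe only because `rcmail_install::check_config()` now initialises every key as an array in the companion change, so the two edits must stay together; if a self-contained guard is preferred, `if (!empty($messages['replaced']) && is_array($messages['replaced'])) {` keeps the PHP 8 warning fix without loosening the type check. The same applies to the `obsolete` and `dependencies` conditions in the following hunks.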

Obsolete config options

'; echo '

You still have some obsolete or inexistent properties set. This isn\'t a problem but should be noticed.

'; @@ -82,7 +82,7 @@ echo html::a(['href' => './?_mergeconfig=1'], 'config.inc.php') . '  '; echo "

"; - if (is_array($messages['dependencies'])) { + if (!empty($messages['dependencies'])) { echo '

Dependency check failed

'; echo '

Some of your configuration settings require other options to be configured or additional PHP modules to be installed

';
diff -Nru roundcube-1.6.3+dfsg/plugins/managesieve/Changelog roundcube-1.6.4+dfsg/plugins/managesieve/Changelog
--- roundcube-1.6.3+dfsg/plugins/managesieve/Changelog 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/plugins/managesieve/Changelog 2023-10-14 16:17:17.000000000 +0000
@@ -1,3 +1,4 @@
+- Fix javascript error when relational or spamtest extension is not enabled (#9139)
- Removed managesieve_usetls option (in favor of the scheme prefix in managesieve_host)
- Plugin API: Removed `port` parameter in `managesieve_connect` hook
- Plugin API: Removed `usetls` parameter in `managesieve_connect` hook
diff -Nru roundcube-1.6.3+dfsg/plugins/managesieve/managesieve.js roundcube-1.6.4+dfsg/plugins/managesieve/managesieve.js
--- roundcube-1.6.3+dfsg/plugins/managesieve/managesieve.js 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/plugins/managesieve/managesieve.js 2023-10-14 16:17:17.000000000 +0000
@@ -647,13 +647,15 @@
if (h == 'size') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
size.style.display = '';
}
else if (h == 'spamtest') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = '';
+ if (spamtest)
+ spamtest.style.display = '';
size.style.display = 'none';
}
else if (h == 'message' && msg) {
@@ -665,11 +667,12 @@
header.style.display = h != '...' ? 'none' : '';
custstr.style.display = h != 'string' ? 'none' : '';
size.style.display = 'none';
- spamtest.style.display = 'none';
op.style.display = '';
comp.style.display = '';
mod.style.display = is_header ? '' : 'none';
trans.style.display = h == 'body' ? '' : 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
if (mime)
mime.style.display = is_header ? '' : 'none';
if (mime_part)
@@ -690,7 +693,8 @@
rule_op_select(op, id, h);
rule_mod_select(id, h, !is_header);
rule_mime_select(id);
- rule_spamtest_select(id);
+ if (spamtest)
+ rule_spamtest_select(id);
obj.style.width = h == '...' ? '40px' : '';
};
diff -Nru roundcube-1.6.3+dfsg/program/include/rcmail.php roundcube-1.6.4+dfsg/program/include/rcmail.php
--- roundcube-1.6.3+dfsg/program/include/rcmail.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/program/include/rcmail.php 2023-10-14 16:17:17.000000000 +0000
@@ -968,7 +968,7 @@
list(, $domain) = rcube_utils::explode('@', $post_user);
// direct match in default_host array
- if ($default_host[$post_host] || in_array($post_host, array_values($default_host))) {
+ if (!empty($default_host[$post_host]) || in_array($post_host, array_values($default_host))) {
$host = $post_host;
}
// try to select host by mail domain
diff -Nru roundcube-1.6.3+dfsg/program/include/rcmail_install.php roundcube-1.6.4+dfsg/program/include/rcmail_install.php
--- roundcube-1.6.3+dfsg/program/include/rcmail_install.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/program/include/rcmail_install.php 2023-10-14 16:17:17.000000000 +0000
@@ -332,7 +332,8 @@
return;
}
- $out = $seen = [];
+ $seen = [];
+ $out = ['defaults' => [], 'obsolete' => [], 'replaced' => [], 'dependencies' => [], 'missing' => []];
// iterate over the current configuration
foreach (array_keys($this->config) as $prop) {
@@ -405,8 +406,6 @@
}
if ($version) {
- $out['defaults'] = [];
-
foreach ($this->defaults_changes as $v => $opts) {
if (version_compare($v, $version, '>')) {
$out['defaults'] = array_merge($out['defaults'], $opts);
diff -Nru roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_mime.php roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_mime.php
--- roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_mime.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_mime.php 2023-10-14 16:17:17.000000000 +0000
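Review bot: The null guard is repeated at four separate sites across the three hunks rather than handled once, which is exactly how the original error crept in: `spamtest` is evidently null when the extension is not advertised, and any other reference to it in this function or inside `rule_spamtest_select` (both begin or continue outside the hunks) will fail the same way. If every branch of the chain assigns `spamtest.style.display`, a single `if (spamtest) spamtest.style.display = h == 'spamtest' ? '' : 'none';` placed after the chain replaces three of the guards; alternatively let `rule_spamtest_select` itself return early on a missing element so callers need no guard. The identical change is duplicated verbatim in `public_html/plugins/managesieve/managesieve.js`, so both copies have to move together on every future fix.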
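Review bot: `!empty($default_host[$post_host])` still indexes the configured host array with the POSTed `_host` value and, on a hit, assigns the POSTed string itself to `$host`; when `imap_host` is configured as a plain list, a numeric index such as `_host=0` satisfies the lookup and `$host` becomes `'0'` rather than the configured hostname. Whether later code re-validates `$host` against the configured entries is outside this hunk, so treat this as something to confirm rather than a known hole. A match that only accepts an actual configured key or value, without PHP's loose comparisons, is `if (in_array($post_host, array_keys($default_host), true) || in_array($post_host, $default_host, true)) {`. The enclosing function begins before the hunk.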
@@ -832,7 +832,7 @@
// try common locations
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
- $file_paths[] = 'C:/xampp/apache/conf/mime.types.';
+ $file_paths[] = 'C:/xampp/apache/conf/mime.types';
}
else {
$file_paths[] = '/etc/mime.types';
diff -Nru roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_washtml.php roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_washtml.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_washtml.php 2023-10-14 16:17:17.000000000 +0000
@@ -428,16 +428,17 @@
}
}
else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+ $type = preg_replace('/\s/', '', $matches[1]);
+
// svg images can be insecure, we'll sanitize them
- if (stripos($matches[1], 'svg') !== false) {
+ if (stripos($type, 'svg') !== false) {
$svg = $matches[2];
- if (stripos($matches[1], ';base64') !== false) {
- $svg = base64_decode($svg);
- $type = $matches[1];
+ if (stripos($type, ';base64') !== false) {
+ $svg = base64_decode($svg);
}
else {
- $type = $matches[1] . ';base64';
+ $type .= ';base64';
}
$washer = new self($this->config);
diff -Nru roundcube-1.6.3+dfsg/program/localization/es_ES/labels.inc roundcube-1.6.4+dfsg/program/localization/es_ES/labels.inc
--- roundcube-1.6.3+dfsg/program/localization/es_ES/labels.inc 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/program/localization/es_ES/labels.inc 2023-10-14 16:17:17.000000000 +0000
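Review bot: The whitespace-stripped `$type` remains attacker-controlled and, judging by the `$type .= ';base64'` branch, is presumably spliced back into the rebuilt `data:image/…` URI after the hunk ends, so any other media-type parameters the sender included survive into the output; the fix removes whitespace but does not otherwise constrain the type. Since this branch only ever handles SVG and the output is always base64, the media type can simply be pinned to a constant once the `stripos($type, 'svg')` check passes, which makes the output independent of the input's parameter list and leaves `stripos($type, ';base64')` as the only consumer of the sender's type; the rewritten lines are below. `base64_decode()` in non-strict mode matches browsers' forgiving data-URL decoding, so the bytes being washed are the bytes a browser would render, which is the right choice. The enclosing method starts before and continues past the hunk, so the URI reassembly should be checked against this suggestion.
```php
// svg images can be insecure, we'll sanitize them
if (stripos($type, 'svg') !== false) {
    $svg = $matches[2];

    if (stripos($type, ';base64') !== false) {
        $svg = base64_decode($svg);
    }

    // The rebuilt URI is always base64-encoded SVG; never carry the
    // sender's media-type parameters through to the output.
    $type = 'svg+xml;base64';

    $washer = new self($this->config);
    // … unchanged: wash $svg and rebuild the data: URI …
```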
@@ -231,7 +231,7 @@
$labels['searchinterval-1Y'] = 'más antiguo que un año';
$labels['searchinterval1W'] = 'más reciente que una semana';
$labels['searchinterval1M'] = 'más reciente que un mes';
-$labels['searchinterval1Y'] = 'más reciente que un mes';
+$labels['searchinterval1Y'] = 'más reciente que un año';
$labels['openinextwin'] = 'Abrir en nueva ventana';
$labels['emlsave'] = 'Descargar (.eml)';
$labels['changeformattext'] = 'Mostrar en formato de texto simple';
diff -Nru roundcube-1.6.3+dfsg/public_html/plugins/managesieve/Changelog roundcube-1.6.4+dfsg/public_html/plugins/managesieve/Changelog
--- roundcube-1.6.3+dfsg/public_html/plugins/managesieve/Changelog 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/public_html/plugins/managesieve/Changelog 2023-10-14 16:17:17.000000000 +0000
@@ -1,3 +1,4 @@
+- Fix javascript error when relational or spamtest extension is not enabled (#9139)
- Removed managesieve_usetls option (in favor of the scheme prefix in managesieve_host)
- Plugin API: Removed `port` parameter in `managesieve_connect` hook
- Plugin API: Removed `usetls` parameter in `managesieve_connect` hook
diff -Nru roundcube-1.6.3+dfsg/public_html/plugins/managesieve/managesieve.js roundcube-1.6.4+dfsg/public_html/plugins/managesieve/managesieve.js
--- roundcube-1.6.3+dfsg/public_html/plugins/managesieve/managesieve.js 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/public_html/plugins/managesieve/managesieve.js 2023-10-14 16:17:17.000000000 +0000
@@ -647,13 +647,15 @@
if (h == 'size') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
size.style.display = '';
}
else if (h == 'spamtest') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = '';
+ if (spamtest)
+ spamtest.style.display = '';
size.style.display = 'none';
}
else if (h == 'message' && msg) {
@@ -665,11 +667,12 @@
header.style.display = h != '...' ? 'none' : '';
custstr.style.display = h != 'string' ? 'none' : '';
size.style.display = 'none';
- spamtest.style.display = 'none';
op.style.display = '';
comp.style.display = '';
mod.style.display = is_header ? '' : 'none';
trans.style.display = h == 'body' ? '' : 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
if (mime)
mime.style.display = is_header ? '' : 'none';
if (mime_part)
@@ -690,7 +693,8 @@
rule_op_select(op, id, h);
rule_mod_select(id, h, !is_header);
rule_mime_select(id);
- rule_spamtest_select(id);
+ if (spamtest)
+ rule_spamtest_select(id);
obj.style.width = h == '...' ? '40px' : '';
};
diff -Nru roundcube-1.6.3+dfsg/tests/Framework/Washtml.php roundcube-1.6.4+dfsg/tests/Framework/Washtml.php
--- roundcube-1.6.3+dfsg/tests/Framework/Washtml.php 2023-09-14 08:09:46.000000000 +0000
+++ roundcube-1.6.4+dfsg/tests/Framework/Washtml.php 2023-10-14 16:17:17.000000000 +0000
@@ -455,6 +455,24 @@
'XSS', 'XSS' ], + [ + '', + '' + ], + [ + '', + '' + ], + [ + '', + '' + ], ]; }
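Review bot: The three added regression cases are not legible on this page (their SVG/data-URI payloads render as empty strings), so what they actually cover cannot be confirmed from the hunk. For the whitespace-normalisation fix in `rcube_washtml.php`, the inputs worth pinning are a media type with a space, a tab and a CR/LF inserted around `;base64` and inside `svg+xml`, plus an upper-case `;BASE64` variant, each expected to wash down to a `data:image/svg+xml;base64,...` URI whose decoded SVG contains no script; a non-base64 (raw XML) SVG data URI with the same whitespace tricks should be covered too, since that path goes through the `$type .= ';base64'` branch. If the stripped payloads already contain these, nothing further is needed.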