Version in base suite: 1.6.5+dfsg-1+deb12u4 Base version: roundcube_1.6.5+dfsg-1+deb12u4 Target version: roundcube_1.6.5+dfsg-1+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u5.dsc changelog | 9 + patches/CVE-2025-49113.patch | 89 ++++++++++ patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch | 54 ++++++ patches/series | 2 4 files changed, 154 insertions(+) diff -Nru roundcube-1.6.5+dfsg/debian/changelog roundcube-1.6.5+dfsg/debian/changelog --- roundcube-1.6.5+dfsg/debian/changelog 2024-08-12 12:59:59.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/changelog 2025-06-02 08:01:44.000000000 +0000 @@ -1,3 +1,12 @@ +roundcube (1.6.5+dfsg-1+deb12u5) bookworm-security; urgency=high + + * Fix CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization. + (Closes: #1107073) + * Regression fix: CVE-2024-42009.patch from 1.6.5+dfsg-1+deb12u3 and + 1.6.5+dfsg-1+deb12u4 caused some HTML messages to be displayed unstyled. + + -- Guilhem Moulin Mon, 02 Jun 2025 10:01:44 +0200 + roundcube (1.6.5+dfsg-1+deb12u4) bookworm-security; urgency=medium * Regression fix: The original fix for CVE-2024-42008 broke printing and diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-49113.patch 2025-06-02 08:01:44.000000000 +0000 
@@ -0,0 +1,89 @@
+From: Pablo Zmdl <57864086+pabzm@users.noreply.github.com>
+Date: Sun, 1 Jun 2025 09:18:54 +0200
+Subject: Validate URL parameter in upload code
+
+Origin: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
+Bug: https://github.com/roundcube/roundcubemail/pull/9865
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-49113
+Bug-Debian: https://bugs.debian.org/1107073
+---
+ program/actions/settings/upload.php | 7 +++++++
+ program/lib/Roundcube/rcube_utils.php | 16 ++++++++++++++++
+ tests/Framework/Utils.php | 19 +++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/program/actions/settings/upload.php b/program/actions/settings/upload.php
+index d1cbbdc..513e5d1 100644
+--- a/program/actions/settings/upload.php
++++ b/program/actions/settings/upload.php
+@@ -32,6 +32,13 @@ class rcmail_action_settings_upload extends rcmail_action
+ $from = rcube_utils::get_input_string('_from', rcube_utils::INPUT_GET);
+ $type = preg_replace('/(add|edit)-/', '', $from);
+
++ // Validate URL input.
++ if (!rcube_utils::is_simple_string($type)) {
++ rcmail::write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
++ $rcmail->output->command('display_message', 'Invalid input', 'error');
++ $rcmail->output->send('iframe');
++ }
++
+ // Plugins in Settings may use this file for some uploads (#5694)
+ // Make sure it does not contain a dot, which is a special character
+ // when using rcube_session::append() below
+diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
+index 6811553..b5f8606 100644
+--- a/program/lib/Roundcube/rcube_utils.php
++++ b/program/lib/Roundcube/rcube_utils.php
+@@ -285,6 +285,22 @@ class rcube_utils
+ return is_string($value) ? $value : '';
+ }
+
++ /**
++ * Check if input value is a "simple" string.
++ * "Simple" is defined as a non-empty string containing only
++ * - "word" characters (alphanumeric plus underscore),
++ * - dots,
++ * - dashes.
++ *
++ * @param string $input The string to test
++ *
++ * @return bool
++ */
++ public static function is_simple_string($input)
++ {
++ return is_string($input) && !!preg_match('/^[\w.-]+$/i', $input);
++ }
++
+ /**
+ * Read request parameter value and convert it for internal use
+ * Performs stripslashes() and charset conversion if necessary
+diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
+index 4cd2750..019895b 100644
+--- a/tests/Framework/Utils.php
++++ b/tests/Framework/Utils.php
+@@ -503,6 +503,25 @@ class Framework_Utils extends PHPUnit\Framework\TestCase
+ $this->assertSame('', rcube_utils::get_input_string('test', rcube_utils::INPUT_GET));
+ }
+
++ /**
++ * rcube_utils::is_simple_string()
++ */
++ function test_is_simple_string()
++ {
++ $this->assertTrue(rcube_utils::is_simple_string('some-thing.123_'));
++ $this->assertFalse(rcube_utils::is_simple_string(''));
++ $this->assertFalse(rcube_utils::is_simple_string(' '));
++ $this->assertFalse(rcube_utils::is_simple_string('some–thing'));
++ $this->assertFalse(rcube_utils::is_simple_string('some=thing'));
++ $this->assertFalse(rcube_utils::is_simple_string('some thing'));
++ $this->assertFalse(rcube_utils::is_simple_string('some!thing'));
++ $this->assertFalse(rcube_utils::is_simple_string('%20'));
++ $this->assertFalse(rcube_utils::is_simple_string('\0000'));
++ $this->assertFalse(rcube_utils::is_simple_string(1));
++ $this->assertFalse(rcube_utils::is_simple_string(new stdClass()));
++ $this->assertFalse(rcube_utils::is_simple_string(null));
++ }
++
+ /**
+ * rcube:utils::file2class()
+ */
diff -Nru roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch
--- 
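Review bot: The anchor in `is_simple_string` (rcube_utils.php hunk) is `$` without the `D` modifier, so a value ending in a single newline still passes — `preg_match('/^[\w.-]+$/i', "abc\n")` returns 1 — and none of the new test cases covers it; tighten it with `\z` and drop the redundant `i` (`\w` already matches both cases): `return is_string($input) && preg_match('/^[\w.-]+\z/', $input) === 1;`. A matching test case, `$this->assertFalse(rcube_utils::is_simple_string("some\n"));`, would pin the stricter contract. In the upload.php hunk the rejection branch has no `return`/`exit` after `$rcmail->output->send('iframe')`; if `send()` does not itself terminate the request (not verifiable from this hunk), execution falls through to the session code below with the rejected `$type`, so either an explicit `exit;` or a comment such as `// send() ends the request; nothing below runs for rejected input` would make the intent unambiguous. The enclosing method of rcmail_action_settings_upload starts and ends outside the hunk.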
roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch 1970-01-01 00:00:00.000000000 +0000
+++ roundcube-1.6.5+dfsg/debian/patches/Fix-regression-where-HTML-messages-were-displayed-unstyle.patch 2025-06-02 08:01:44.000000000 +0000
@@ -0,0 +1,54 @@
+From: Aleksander Machniak
+Date: Fri, 16 Aug 2024 19:56:51 +0200
+Subject: Fix regression where HTML messages were displayed unstyled
+
+Origin: https://github.com/roundcube/roundcubemail/commit/f343ecea09f8968d0655ff97fb7cea7a6d873a79
+Bug: https://github.com/roundcube/roundcubemail/issues/9586
+---
+ program/lib/Roundcube/rcube_washtml.php | 6 ++++++
+ tests/Actions/Mail/Index.php | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index e9dcea4..281d369 100644
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -709,6 +709,12 @@ class rcube_washtml
+ */
+ public function get_config($prop)
+ {
++ $config_props = ['html_elements', 'html_attribs', 'ignore_elements', 'void_elements', 'css_prefix'];
++
++ if (in_array($prop, $config_props)) {
++ return $this->{"_{$prop}"};
++ }
++
+ return $this->config[$prop] ?? null;
+ }
+
+diff --git a/tests/Actions/Mail/Index.php b/tests/Actions/Mail/Index.php
+index b3ae049..d3fcca2 100644
+--- a/tests/Actions/Mail/Index.php
++++ b/tests/Actions/Mail/Index.php
+@@ -422,6 +422,21 @@ class Actions_Mail_Index extends ActionTestCase
+ $this->assertSame('' . $part->body . '', $washed);
+ }
+
++ /**
++ * Test handling css style in HTML in wash_html() method
++ */
++ public function test_wash_html()
++ {
++ $html = '
Test
' ++ . ''; ++ $opts = ['safe' => false, 'css_prefix' => 'v1', 'add_comments' => false]; ++ ++ $washed = \rcmail_action_mail_index::wash_html($html, $opts); ++ ++ $this->assertStringContainsString('
', $washed); ++ $this->assertStringContainsString('', $washed); ++ } ++ + /** + * Test handling of body style attributes + */ diff -Nru roundcube-1.6.5+dfsg/debian/patches/series roundcube-1.6.5+dfsg/debian/patches/series --- roundcube-1.6.5+dfsg/debian/patches/series 2024-08-12 12:59:59.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/series 2025-06-02 08:01:44.000000000 +0000 @@ -26,3 +26,5 @@ CVE-2024-42008.patch Fix-regression-where-printing-scaling-rotating-image-atta.patch CVE-2024-42010.patch +Fix-regression-where-HTML-messages-were-displayed-unstyle.patch +CVE-2025-49113.patch
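Review bot: `in_array($prop, $config_props)` in the new `get_config` branch (rcube_washtml.php hunk) uses loose comparison; with a string-only array this is harmless on PHP 8, but the strict form `if (in_array($prop, $config_props, true)) {` is the convention to prefer wherever the matched value selects a member to read. The five names in `$config_props` are the only properties reachable through the dynamic `$this->{"_{$prop}"}` access, which is what keeps this from becoming an arbitrary private-property read; a one-line comment such as `// Allow-list: only these private members may be exposed via get_config()` would protect that invariant from later additions. The rcube_washtml class continues outside the hunk.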