Version in base suite: 1.6.5+dfsg-1+deb12u5 Base version: roundcube_1.6.5+dfsg-1+deb12u5 Target version: roundcube_1.6.5+dfsg-1+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u6.dsc changelog | 12 +++++ patches/CVE-2025-68460.patch | 64 ++++++++++++++++++++++++++++++ patches/CVE-2025-68461.patch | 91 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 168 insertions(+), 1 deletion(-) diff -Nru roundcube-1.6.5+dfsg/debian/changelog roundcube-1.6.5+dfsg/debian/changelog --- roundcube-1.6.5+dfsg/debian/changelog 2025-06-02 08:01:44.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/changelog 2025-12-16 08:10:17.000000000 +0000 @@ -1,8 +1,18 @@ +roundcube (1.6.5+dfsg-1+deb12u6) bookworm-security; urgency=high + + * Cherry pick upstream security fixes from v1.6.12 (closes: #1122899): + + Fix CVE-2025-68461: Cross-Site-Scripting vulnerability via SVG's animate + tag. + + Fix CVE-2025-68460: Information Disclosure vulnerability in the HTML + style sanitizer. + + -- Guilhem Moulin Tue, 16 Dec 2025 09:10:17 +0100 + roundcube (1.6.5+dfsg-1+deb12u5) bookworm-security; urgency=high * Fix CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization. (Closes: #1107073) - * Regression fix: CVE-2024-42009.patch from 1.6.5+dfsg-1+deb12u3 and + * Regression fix: CVE-2024-42010.patch from 1.6.5+dfsg-1+deb12u3 and 1.6.5+dfsg-1+deb12u4 caused some HTML messages to be displayed unstyled. -- Guilhem Moulin Mon, 02 Jun 2025 10:01:44 +0200 diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch 2025-12-16 08:10:17.000000000 +0000 
@@ -0,0 +1,64 @@ +From: Aleksander Machniak +Date: Sun, 14 Dec 2025 09:02:25 +0100 +Subject: Fix Information Disclosure vulnerability in the HTML style sanitizer + +reported by somerandomdev + +Origin: https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571 +Bug: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 +Bug-Debian: https://bugs.debian.org/1122899 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68460 +--- + program/lib/Roundcube/rcube_utils.php | 3 +++ + tests/Framework/Utils.php | 4 ++-- + tests/Framework/Washtml.php | 7 +++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php +index b5f8606..1110905 100644 +--- a/program/lib/Roundcube/rcube_utils.php ++++ b/program/lib/Roundcube/rcube_utils.php +@@ -559,6 +559,9 @@ class rcube_utils + $value .= ' url(' . $url . ')'; + } + } ++ } elseif (preg_match('/;.*/', $val)) { ++ // Invalid or evil content, ignore ++ continue; + } else { + // whitelist ? + $value .= ' ' . 
$val; +diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php +index 019895b..4b43758 100644 +--- a/tests/Framework/Utils.php ++++ b/tests/Framework/Utils.php +@@ -291,9 +291,9 @@ class Framework_Utils extends PHPUnit\Framework\TestCase + $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); + $this->assertSame("#rcmbody { content: ''; color: red; }", $mod); + +- $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }"; ++ $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }"; + $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); +- $this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod); ++ $this->assertSame("#rcmbody { color: red; }", $mod); + + // Removing page: property + $style = "body { page: test; color: red }"; +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index ace4716..0b9e1e9 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -312,6 +312,13 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + $washed = $washer->wash($html); + + $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); ++ ++ $html = '
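Review bot: The comment `// Invalid or evil content, ignore` on the new `elseif (preg_match('/;.*/', $val))` branch in program/lib/Roundcube/rcube_utils.php does not say what is rejected or why. Judging by the updated expectation in tests/Framework/Utils.php, a quoted `content:` string that merely contains `;` now disappears from the output, which is a fail-closed choice worth recording. Something like `// A ';' inside a single value token means a declaration separator got past tokenization (e.g. inside a quoted string); skip the token rather than emit it` would do that. The trailing `.*` adds nothing because the pattern is unanchored, so `strpos($val, ';') !== false` states the same condition without a regex. The enclosing loop starts and ends outside the hunk, so what `continue` skips is inferred from the test rather than visible here.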
test
'; ++ ++ $washer = new \rcube_washtml(); ++ $washed = $washer->wash($html); ++ ++ $this->assertTrue(strpos($washed, '
test
') !== false); + } + + /** diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68461.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68461.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68461.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68461.patch 2025-12-16 08:10:17.000000000 +0000 
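Review bot: The added `assertTrue(strpos($washed, …) !== false)` in tests/Framework/Washtml.php has no failure message, while the assertion just above it carries `"Style quotes XSS issue (#1490227)"`. A message such as `'Style sanitizer information disclosure (CVE-2025-68460)'` would tell a reader which fix this case guards. A substring-presence check only proves that the expected markup is in the output, so a second assertion that the rejected style fragment is absent from `$washed` would pin the fix more directly. The HTML literals are not legible in this rendering, so that second point is inferred, and the test method starts outside the hunk.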
@@ -0,0 +1,91 @@ +From: Aleksander Machniak +Date: Sun, 14 Dec 2025 09:01:26 +0100 +Subject: Fix Cross-Site-Scripting vulnerability via SVG's animate tag + +reported by Valentin T., CrowdStrike + +Origin: https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb +Bug: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 +Bug-Debian: https://bugs.debian.org/1122899 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68461 +--- + program/lib/Roundcube/rcube_washtml.php | 13 +++++++++---- + tests/Framework/Washtml.php | 10 +++++++++- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +index 281d369..85972f0 100644 +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -303,7 +303,8 @@ class rcube_washtml + + // in SVG to/from attribs may contain anything, including URIs + if ($key == 'to' || $key == 'from') { +- $key = strtolower($node->getAttribute('attributeName')); ++ $key = strtolower((string) $node->getAttribute('attributeName')); ++ $key = trim(preg_replace('/^.*:/', '', $key)); + if ($key && !isset($this->_html_attribs[$key])) { + $key = null; + } +@@ -512,10 +513,14 @@ class rcube_washtml + private static function attribute_value($node, $attr_name, $attr_value) + { + $attr_name = strtolower($attr_name); ++ $attr_value = strtolower($attr_value); + + foreach ($node->attributes as $name => $attr) { + if (strtolower($name) === $attr_name) { +- if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) { ++ // Read the attribute name, remove the namespace (e.g. 
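Review bot: The namespace strip `trim(preg_replace('/^.*:/', '', …))` is now written twice in program/lib/Roundcube/rcube_washtml.php, once in the `to`/`from` branch of this hunk and once in `attribute_value()` in the next hunk, and the two copies have to stay identical for the sanitizer to judge the same attribute the same way in both places. A small private static helper that lowercases, strips everything up to the last colon and trims would keep them in step. The new line in the `to`/`from` branch has no comment; `// attributeName may carry a namespace prefix (e.g. xlink:href); check the local name only` would explain it. In `attribute_value()` the added comment says "Read the attribute name", but the code reads `$attr->nodeValue`, so `// The value names an attribute; drop its namespace prefix (e.g. xlink:href => href)` would be more accurate. Both functions continue outside their hunks.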
xlink:href => href) ++ $val = strtolower(trim($attr->nodeValue)); ++ $val = trim(preg_replace('/^.*:/', '', $val)); ++ if ($attr_value === $val) { + return true; + } + } +@@ -734,6 +739,7 @@ class rcube_washtml + // space(s) between + '/(<\/nobr>)(\s+)()/i', + // PHP bug #32547 workaround: remove title tag ++ // TODO: This is an old libxml2 bug, maybe we could drop this at some point + '/]*>.*<\/title>/iU', + // remove before BOM (#1490291) + '/<\!doctype[^>]+>[^<]*/im', +@@ -741,8 +747,7 @@ class rcube_washtml + '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', + // washtml/DOMDocument cannot handle xml namespaces + '/]+>/i', +- // washtml/DOMDocument cannot handle xml namespaces +- // HTML5 parser cannot handler ]*>/i', + ]; + +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index 4fdae1a..ace4716 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -362,7 +362,7 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + + + +- ++ + '; + + $washer = new rcube_washtml; +@@ -431,6 +431,14 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + . 'XSS', + 'XSS', + ], ++ [ ++ '', ++ '', ++ ], ++ [ ++ '<html><head><meta><body>', ++ '', ++ ], + [ + '' + . 'XSS', diff -Nru roundcube-1.6.5+dfsg/debian/patches/series roundcube-1.6.5+dfsg/debian/patches/series --- roundcube-1.6.5+dfsg/debian/patches/series 2025-06-02 08:01:44.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/series 2025-12-16 08:10:17.000000000 +0000 @@ -28,3 +28,5 @@ CVE-2024-42010.patch Fix-regression-where-HTML-messages-were-displayed-unstyle.patch CVE-2025-49113.patch +CVE-2025-68461.patch +CVE-2025-68460.patch