Version in base suite: 1.6.5+dfsg-1+deb12u6 Base version: roundcube_1.6.5+dfsg-1+deb12u6 Target version: roundcube_1.6.5+dfsg-1+deb12u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/roundcube/roundcube_1.6.5+dfsg-1+deb12u7.dsc changelog | 9 + patches/CVE-2025-68460.patch | 64 ------------- patches/CVE-2025-68460/01-08de250fb.patch | 64 +++++++++++++ patches/CVE-2025-68460/02-a7349a4e2.patch | 25 +++++ patches/CVE-2026-25916/01-036e851b6.patch | 48 +++++++++ patches/CVE-2026-25916/02-2b5625f1d.patch | 31 ++++++ patches/CVE-2026-26079/01-1f4c3a5af.patch | 145 ++++++++++++++++++++++++++++++ patches/CVE-2026-26079/02-2b5625f1d.patch | 25 +++++ patches/CVE-2026-26079/03-53d75d5df.patch | 42 ++++++++ patches/series | 8 + 10 files changed, 396 insertions(+), 65 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjvrk65p4/roundcube_1.6.5+dfsg-1+deb12u6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjvrk65p4/roundcube_1.6.5+dfsg-1+deb12u7.dsc: no acceptable signature found diff -Nru roundcube-1.6.5+dfsg/debian/changelog roundcube-1.6.5+dfsg/debian/changelog --- roundcube-1.6.5+dfsg/debian/changelog 2025-12-16 08:10:17.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/changelog 2026-02-11 11:05:21.000000000 +0000 @@ -1,3 +1,12 @@ +roundcube (1.6.5+dfsg-1+deb12u7) bookworm-security; urgency=high + + * Cherry pick upstream security fixes from v1.6.13 (closes: #1127447): + + Fix CVE-2026-26079: CSS injection vulnerability. + + Fix CVE-2026-25916: Remote image blocking bypass via SVG content. + + Improve fix for CVE-2025-68460. + + -- Guilhem Moulin Wed, 11 Feb 2026 12:05:21 +0100 + roundcube (1.6.5+dfsg-1+deb12u6) bookworm-security; urgency=high * Cherry pick upstream security fixes from v1.6.12 (closes: #1122899): diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/01-08de250fb.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/01-08de250fb.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/01-08de250fb.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/01-08de250fb.patch 2026-02-11 11:05:21.000000000 +0000 @@ -0,0 +1,64 @@ +From: Aleksander Machniak +Date: Sun, 14 Dec 2025 09:02:25 +0100 +Subject: Fix Information Disclosure vulnerability in the HTML style sanitizer + +reported by somerandomdev + +Origin: https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571 +Bug: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 +Bug-Debian: https://bugs.debian.org/1122899 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68460 +--- + program/lib/Roundcube/rcube_utils.php | 3 +++ + tests/Framework/Utils.php | 4 ++-- + tests/Framework/Washtml.php | 7 +++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php +index b5f8606..1110905 100644 +--- a/program/lib/Roundcube/rcube_utils.php ++++ b/program/lib/Roundcube/rcube_utils.php +@@ -559,6 +559,9 @@ class rcube_utils + $value .= ' url(' . $url . ')'; + } + } ++ } elseif (preg_match('/;.*/', $val)) { ++ // Invalid or evil content, ignore ++ continue; + } else { + // whitelist ? + $value .= ' ' . $val; +diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php +index 019895b..4b43758 100644 +--- a/tests/Framework/Utils.php ++++ b/tests/Framework/Utils.php +@@ -291,9 +291,9 @@ class Framework_Utils extends PHPUnit\Framework\TestCase + $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); + $this->assertSame("#rcmbody { content: ''; color: red; }", $mod); + +- $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }"; ++ $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }"; + $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); +- $this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod); ++ $this->assertSame("#rcmbody { color: red; }", $mod); + + // Removing page: property + $style = "body { page: test; color: red }"; +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index ace4716..0b9e1e9 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -312,6 +312,13 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + $washed = $washer->wash($html); + + $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); ++ ++ $html = '
test
'; ++ ++ $washer = new \rcube_washtml(); ++ $washed = $washer->wash($html); ++ ++ $this->assertTrue(strpos($washed, '
test
') !== false); + } + + /** diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/02-a7349a4e2.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/02-a7349a4e2.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/02-a7349a4e2.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460/02-a7349a4e2.patch 2026-02-11 11:05:21.000000000 +0000 @@ -0,0 +1,25 @@ +From: Aleksander Machniak +Date: Mon, 15 Dec 2025 11:36:05 +0100 +Subject: Fix the regexp so it will produce less false-positives + +Origin: https://github.com/roundcube/roundcubemail/commit/a7349a4e21d27e0a3786139e4c879f236cafe4b1 +Bug: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 +Bug-Debian: https://bugs.debian.org/1122899 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68460 +--- + program/lib/Roundcube/rcube_utils.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php +index 1110905..13f1915 100644 +--- a/program/lib/Roundcube/rcube_utils.php ++++ b/program/lib/Roundcube/rcube_utils.php +@@ -559,7 +559,7 @@ class rcube_utils + $value .= ' url(' . $url . ')'; + } + } +- } elseif (preg_match('/;.*/', $val)) { ++ } elseif (preg_match('/;.+/', $val)) { + // Invalid or evil content, ignore + continue; + } else { diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch 2025-12-16 08:10:17.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2025-68460.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -From: Aleksander Machniak -Date: Sun, 14 Dec 2025 09:02:25 +0100 -Subject: Fix Information Disclosure vulnerability in the HTML style sanitizer - -reported by somerandomdev - -Origin: https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571 -Bug: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 -Bug-Debian: https://bugs.debian.org/1122899 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68460 ---- - program/lib/Roundcube/rcube_utils.php | 3 +++ - tests/Framework/Utils.php | 4 ++-- - tests/Framework/Washtml.php | 7 +++++++ - 3 files changed, 12 insertions(+), 2 deletions(-) - -diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php -index b5f8606..1110905 100644 ---- a/program/lib/Roundcube/rcube_utils.php -+++ b/program/lib/Roundcube/rcube_utils.php -@@ -559,6 +559,9 @@ class rcube_utils - $value .= ' url(' . $url . ')'; - } - } -+ } elseif (preg_match('/;.*/', $val)) { -+ // Invalid or evil content, ignore -+ continue; - } else { - // whitelist ? - $value .= ' ' . $val; -diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php -index 019895b..4b43758 100644 ---- a/tests/Framework/Utils.php -+++ b/tests/Framework/Utils.php -@@ -291,9 +291,9 @@ class Framework_Utils extends PHPUnit\Framework\TestCase - $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); - $this->assertSame("#rcmbody { content: ''; color: red; }", $mod); - -- $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }"; -+ $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }"; - $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true); -- $this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod); -+ $this->assertSame("#rcmbody { color: red; }", $mod); - - // Removing page: property - $style = "body { page: test; color: red }"; -diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php -index ace4716..0b9e1e9 100644 ---- a/tests/Framework/Washtml.php -+++ b/tests/Framework/Washtml.php -@@ -312,6 +312,13 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase - $washed = $washer->wash($html); - - $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); -+ -+ $html = '
test
'; -+ -+ $washer = new \rcube_washtml(); -+ $washed = $washer->wash($html); -+ -+ $this->assertTrue(strpos($washed, '
test
') !== false); - } - - /** diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/01-036e851b6.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/01-036e851b6.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/01-036e851b6.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/01-036e851b6.patch 2026-02-11 11:05:21.000000000 +0000 @@ -0,0 +1,48 @@ +From: Aleksander Machniak +Date: Sun, 8 Feb 2026 09:21:34 +0100 +Subject: Fix remote image blocking bypass via SVG content reported by + nullcathedral + +Origin: https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8 +Bug: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13 +Bug: https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/ +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-25916 +Bug-Debian: https://bugs.debian.org/1127447 +--- + program/lib/Roundcube/rcube_washtml.php | 3 +-- + tests/Framework/Washtml.php | 8 ++++++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +index 85972f0..8721fe7 100644 +--- a/program/lib/Roundcube/rcube_washtml.php ++++ b/program/lib/Roundcube/rcube_washtml.php +@@ -482,8 +482,7 @@ class rcube_washtml + || $attr == 'color-profile' // SVG + || ($attr == 'poster' && $tag == 'video') + || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag)) +- || ($tag == 'use' && $attr == 'href') // SVG +- || ($tag == 'image' && $attr == 'href'); // SVG ++ || ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)); // SVG + } + + /** +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index 0b9e1e9..be404af 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -492,6 +492,14 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + '', + '', + ], ++ [ ++ '', ++ '', ++ ], ++ [ ++ '', ++ '', ++ ], + ]; + } + diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/02-2b5625f1d.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/02-2b5625f1d.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/02-2b5625f1d.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2026-25916/02-2b5625f1d.patch 2026-02-11 11:05:21.000000000 +0000 @@ -0,0 +1,31 @@ +From: Aleksander Machniak +Date: Sun, 8 Feb 2026 10:13:39 +0100 +Subject: Fix regression + +Origin: https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447#diff-458653d23200a96c6f32ce2835e5d77128018494e800b9ead6d9542b778ff88e +Bug: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13 +Bug: https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/ +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-25916 +Bug-Debian: https://bugs.debian.org/1127447 +--- + tests/Framework/Washtml.php | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php +index be404af..ef324f8 100644 +--- a/tests/Framework/Washtml.php ++++ b/tests/Framework/Washtml.php +@@ -494,11 +494,11 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase + ], + [ + '', +- '', ++ '', + ], + [ + '', +- '', ++ '', + ], + ]; + } diff -Nru roundcube-1.6.5+dfsg/debian/patches/CVE-2026-26079/01-1f4c3a5af.patch roundcube-1.6.5+dfsg/debian/patches/CVE-2026-26079/01-1f4c3a5af.patch --- roundcube-1.6.5+dfsg/debian/patches/CVE-2026-26079/01-1f4c3a5af.patch 1970-01-01 00:00:00.000000000 +0000 +++ roundcube-1.6.5+dfsg/debian/patches/CVE-2026-26079/01-1f4c3a5af.patch 2026-02-11 11:05:21.000000000 +0000 @@ -0,0 +1,145 @@ +From: Aleksander Machniak +Date: Sun, 8 Feb 2026 09:24:29 +0100 +Subject: Fix CSS injection vulnerability reported by CERT Polska + +Origin: https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816 +Bug: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-26079 +Bug-Debian: https://bugs.debian.org/1127447 +--- + program/lib/Roundcube/rcube_utils.php | 59 +++++++++++++++++++++++++---------- + tests/Framework/Utils.php | 16 ++++++++-- + 2 files changed, 55 insertions(+), 20 deletions(-) + +diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php +index 13f1915..51f5bb7 100644 +--- a/program/lib/Roundcube/rcube_utils.php ++++ b/program/lib/Roundcube/rcube_utils.php +@@ -445,6 +445,10 @@ class rcube_utils + return '/* invalid! */'; + } + ++ // remove html and css comments ++ $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source); ++ $source = self::remove_css_comments($source); ++ + // To prevent from a double-escaping tricks we consider a script with + // any escape sequences (after de-escaping them above) an evil script. + // This probably catches many valid scripts, but we\'re on the safe side. +@@ -452,8 +456,10 @@ class rcube_utils + return '/* evil! */'; + } + +- // remove html comments +- $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source); ++ // If after removing comments there are still comments it's most likely a hack ++ if (strpos('/*', $source) !== false || strpos('\s*$)/m', '', $source); +- $source = self::remove_css_comments($source); + + // To prevent from a double-escaping tricks we consider a script with + // any escape sequences (after de-escaping them above) an evil script. +@@ -457,6 +456,8 @@ class rcube_utils + } + + // If after removing comments there are still comments it's most likely a hack ++ // Note: In <=1.6 comments are being removed by xss_entity_decode() above ++ // $source = self::remove_css_comments($source); + if (strpos($source, '/*') !== false || strpos($source, '