rpms/roundcubemail/devel roundcubemail-0.2-CVE-2009-0413.patch, NONE, 1.1 roundcubemail.spec, 1.18, 1.19

Wed Feb 4 16:22:39 UTC 2009

Author: limb

Update of /cvs/pkgs/rpms/roundcubemail/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6620

Modified Files:
	roundcubemail.spec 
Added Files:
	roundcubemail-0.2-CVE-2009-0413.patch 
Log Message:
Patch for CVE-2009-0413, BZ 484052


roundcubemail-0.2-CVE-2009-0413.patch:

--- NEW FILE roundcubemail-0.2-CVE-2009-0413.patch ---
--- CHANGELOG~	2009-02-04 09:58:46.000000000 -0600
+++ CHANGELOG	2009-02-04 09:58:46.000000000 -0600
@@ -3,0 +4,4 @@
+2009/01/20 (thomasb)
+----------
+- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
+
--- program/lib/washtml.php~	2009-02-04 10:01:02.000000000 -0600
+++ program/lib/washtml.php	2009-02-04 10:01:02.000000000 -0600
@@ -83 +83 @@
-  static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background');  
+  static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir');  
@@ -163 +163 @@
-         ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value)))
+         ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value)))
@@ -167 +167 @@
-      else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway
+      else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
@@ -171 +171 @@
-        else if(preg_match('/^(http|https|ftp):.*/i', $value)) {
+        else if(preg_match('/^(http|https|ftp):.+/i', $value)) {
@@ -177 +177 @@
-              $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
+              $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';


Index: roundcubemail.spec
===================================================================
RCS file: /cvs/pkgs/rpms/roundcubemail/devel/roundcubemail.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- roundcubemail.spec	7 Jan 2009 13:40:57 -0000	1.18
+++ roundcubemail.spec	4 Feb 2009 16:22:09 -0000	1.19
@@ -1,7 +1,7 @@
 %define roundcubedir %{_datadir}/roundcubemail
 Name: roundcubemail
 Version:  0.2
-Release:  6.stable%{?dist}
+Release:  7.stable%{?dist}
 Summary: Round Cube Webmail is a browser-based multilingual IMAP client
 
 Group: Applications/System         
@@ -16,6 +16,7 @@
 #Patch1: roundcubemail-0.2-beta-html2text.patch
 # From upstream, not in a release yet, BZ 476830.
 #Patch2: roundcubemail-0.2-beta-CVE-2008-5620.patch
+Patch3: roundcubemail-0.2-CVE-2009-0413.patch
 
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n)
@@ -48,6 +49,7 @@
 %patch0 -p0
 #%patch1 -p0
 #%patch2 -p0
+%patch3 -p0
 
 # fix permissions and remove any .htaccess files
 find . -type f -print | xargs chmod a-x
@@ -135,6 +137,9 @@
 %config(noreplace) %{_sysconfdir}/logrotate.d/roundcubemail
 
 %changelog
+* Wed Feb 04 2009 Jon Ciesla <limb at jcomserv.net> = 0.2-7.stable
+- Patch for CVE-2009-0413, BZ 484052.
+
 * Mon Jan 05 2009 Jon Ciesla <limb at jcomserv.net> = 0.2-6.stable
 - New upstream.
 - Dropped two most recent patches, applied upstream.


