Bug 263749 - mail/rainloop mail/rainloop-community: affected by CVE-2022-29360
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Yasuhiro Kimura
Reported: 2022-05-03 08:17 UTC by Lapo Luchini
Modified: 2022-05-31 10:20 UTC
yasu: maintainer-feedback+


Description Lapo Luchini 2022-05-03 08:17:43 UTC
Cf.
https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
https://github.com/RainLoop/rainloop-webmail/issues/2142

Unfortunately I don't have time for a patch at the moment, but it could make sense to either:
- add CVE indication to `pkg audit`
- add SonarSource-produced unofficial patch to this port
- add SnappyMail in the Ports
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-05-03 10:15:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f9f524f160cb67555ffab240926b693d090ebd20

commit f9f524f160cb67555ffab240926b693d090ebd20
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-05-03 10:06:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-05-03 10:12:56 +0000

    mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability

    PR:             263749
    Reported by:    Lapo Luchini
    Obtained from:  https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
    MFH:            2022Q2
    Security:       a8118db0-cac2-11ec-9288-0800270512f4

 mail/rainloop/Makefile                              |  2 +-
 ....0_app_libraries_MailSo_Base_HtmlUtils.php (new) | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-05-03 10:16:16 UTC
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=365d267c54be8e7a985ed58360621924325187dc

commit 365d267c54be8e7a985ed58360621924325187dc
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-05-03 10:06:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-05-03 10:15:08 +0000

    mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability

    PR:             263749
    Reported by:    Lapo Luchini
    Obtained from:  https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
    MFH:            2022Q2
    Security:       a8118db0-cac2-11ec-9288-0800270512f4

    (cherry picked from commit f9f524f160cb67555ffab240926b693d090ebd20)

 mail/rainloop/Makefile                              |  2 +-
 ....0_app_libraries_MailSo_Base_HtmlUtils.php (new) | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2022-05-03 10:19:33 UTC
(In reply to Lapo Luchini from comment #0)

Thanks for reporting. Fixed vulnerability by applying patch proposed by reporter.
Comment 4 Lapo Luchini 2022-05-31 10:09:21 UTC
PS: should this be applied to rainloop-community as well?
Comment 5 Yasuhiro Kimura freebsd_committer freebsd_triage 2022-05-31 10:20:12 UTC
(In reply to Lapo Luchini from comment #4)

Since mail/rainloop-community is a slave port of mail/rainloop, ports f9f524f160cb also affects it.