Bug 209841

Summary: mail/roundcube: 1.1.5 vulnerable to CVE-2016-5103
Product: Ports & Packages
Reporter: VK <vlad-fbsd>
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Only Me
CC: ale, junovitch, ports-secteam
Priority: ---
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (ale); junovitch: merge-quarterly+
Hardware: Any
OS: Any
URL: https://github.com/roundcube/roundcubemail/issues/5240
Attachments:
Description: Patch roundcube against CVE-2016-5103
Flags: vlad-fbsd: maintainer-approval? (ale)

Description VK 2016-05-29 19:44:28 UTC
Created attachment 170808 [details]
Patch roundcube against CVE-2016-5103

The current version of Roundcube, v1.1.5, is vulnerable to CVE-2016-5103.

* Upstream Issue: https://github.com/roundcube/roundcubemail/issues/5240
* CVE assignment: http://seclists.org/oss-sec/2016/q2/414

The upstream has not yet released a version that would include the fix.

I don't know what changes against vuxml should be done in order to submit a patch myself.

I've attached a patch for Roundcube, in case the maintainer wants to apply it until the upstream releases a new version. Portlint passes. Port test passes. Testing in production right now.
Comment 1 VK 2016-05-29 19:47:18 UTC
CC ports-secteam@
Comment 2 VK 2016-06-09 09:02:55 UTC
Seriously? No reply from anyone? Not even a vuxml entry? Is CC'ed secteam even receiving this?
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-06-09 10:47:33 UTC
(In reply to Vladimir Krstulja from comment #2)
If the maintainer doesn't take action by tonight this will get updated under the secteam override.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:15:17 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:08 UTC 2016
New revision: 416647
URL: https://svnweb.freebsd.org/changeset/ports/416647

Log:
  Document cross-site scripting CVE in Roundcube

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:16:19 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:58 UTC 2016
New revision: 416648
URL: https://svnweb.freebsd.org/changeset/ports/416648

Log:
  Apply patch from upstream for cross-site scripting vulnerability

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:	maintainer timeout (2 weeks)
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/files/patch-CVE-2016-5103
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:18:21 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:17:31 UTC 2016
New revision: 416649
URL: https://svnweb.freebsd.org/changeset/ports/416649

Log:
  MFH: r414979 r416648

  Update to 1.1.5 release.

  Apply patch from upstream for cross-site scripting vulnerability

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:	maintainer timeout (2 weeks)
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/mail/roundcube/Makefile
  branches/2016Q2/mail/roundcube/distinfo
  branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2016-06-10 01:22:02 UTC
In the interest of avoiding surprises to quarterly users, the patch was applied to keep us on 1.1.X for the time being in quarterly and head. I'll leave it to the maintainer to handle the testing for a 1.1.X -> 1.2.X version bump.

Vladimir, thanks for the patch, testing, and follow up.
Comment 8 VK 2016-06-10 09:08:01 UTC
Thanks for taking care of this.

For the record, the upstream will continue supporting the 1.1.x branch despite it having released 1.2.x recently, so 1.1.6 is expected, with this fix.