Bug 263749

Summary: mail/rainloop mail/rainloop-community: affected by CVE-2022-29360
Product: Ports & Packages Reporter: Lapo Luchini <lapo>
Component: Individual Port(s)Assignee: Yasuhiro Kimura <yasu>
Status: Closed FIXED    
Severity: Affects Only Me Flags: yasu: maintainer-feedback+
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Lapo Luchini 2022-05-03 08:17:43 UTC 
Cfr. 
https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
https://github.com/RainLoop/rainloop-webmail/issues/2142

Unfortunately I don't have a time for a patch at the moment, but it could make sense to either:
- add CVE indication to `pkg audit`
- add SonarSource-produced unofficial patch to this port
- add SnappyMail in the Ports
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-05-03 10:15:15 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f9f524f160cb67555ffab240926b693d090ebd20

commit f9f524f160cb67555ffab240926b693d090ebd20
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-05-03 10:06:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-05-03 10:12:56 +0000

    mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability

    PR:             263749
    Reported by:    Lapo Luchini
    Obtained from:  https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
    MFH:            2022Q2
    Security:       a8118db0-cac2-11ec-9288-0800270512f4

 mail/rainloop/Makefile                              |  2 +-
 ....0_app_libraries_MailSo_Base_HtmlUtils.php (new) | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-05-03 10:16:16 UTC 
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=365d267c54be8e7a985ed58360621924325187dc

commit 365d267c54be8e7a985ed58360621924325187dc
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-05-03 10:06:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-05-03 10:15:08 +0000

    mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability

    PR:             263749
    Reported by:    Lapo Luchini
    Obtained from:  https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
    MFH:            2022Q2
    Security:       a8118db0-cac2-11ec-9288-0800270512f4

    (cherry picked from commit f9f524f160cb67555ffab240926b693d090ebd20)

 mail/rainloop/Makefile                              |  2 +-
 ....0_app_libraries_MailSo_Base_HtmlUtils.php (new) | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2022-05-03 10:19:33 UTC 
(In reply to Lapo Luchini from comment #0)

Thanks for reporting. Fixed vulnerability by applying patch proposed by reporter.
Comment 4 Lapo Luchini 2022-05-31 10:09:21 UTC 
PS: should this be applied to rainloop-community as well?
Comment 5 Yasuhiro Kimura freebsd_committer freebsd_triage 2022-05-31 10:20:12 UTC 
(In reply to Lapo Luchini from comment #4)

Since mail/rainloop-community is slave port of mail/rainloop, ports f9f524f160cb also affects to it.