From bugzilla_noreply@novell.com Thu Jul 11 15:51:16 2019
From: bugzilla_noreply@novell.com
To: bugs@lists.opensuse.org
Subject: [Bug 1115718] VUL-0: CVE-2018-19206: roundcubemail:
 steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of
 <svg><style>
Date: Thu, 11 Jul 2019 15:51:05 +0000
Message-ID: <bug-1115718-21960-xKkPARZfwE@http.bugzilla.suse.com/>
In-Reply-To: <bug-1115718-21960@http.bugzilla.suse.com/>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3333241903881035643=="

--===============3333241903881035643==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

http://bugzilla.suse.com/show_bug.cgi?id=1115718
http://bugzilla.suse.com/show_bug.cgi?id=1115718#c2

Marcus Meissner <meissner(a)suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |meissner(a)suse.com
            Version|Leap 42.3                   |Leap 15.0
         Resolution|WONTFIX                     |---

--- Comment #2 from Marcus Meissner <meissner(a)suse.com> ---
15.0 and 15.1 unfixed, factory is fixed

-- 
You are receiving this mail because:
You are on the CC list for the bug.



--===============3333241903881035643==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.htm"
MIME-Version: 1.0

PGh0bWw+CiAgICA8aGVhZD4KICAgICAgPGJhc2UgaHJlZj0iaHR0cDovL2J1Z3ppbGxhLnN1c2Uu
Y29tLyIgLz4KICAgIDwvaGVhZD4KICAgIDxib2R5PjxzcGFuIGNsYXNzPSJ2Y2FyZCI+PGEgY2xh
c3M9ImVtYWlsIiBocmVmPSJtYWlsdG86bWVpc3NuZXImIzY0O3N1c2UuY29tIiB0aXRsZT0iTWFy
Y3VzIE1laXNzbmVyICZsdDttZWlzc25lciYjNjQ7c3VzZS5jb20mZ3Q7Ij4gPHNwYW4gY2xhc3M9
ImZuIj5NYXJjdXMgTWVpc3NuZXI8L3NwYW4+PC9hPgo8L3NwYW4+IGNoYW5nZWQKICAgICAgICAg
ICAgICA8YSBjbGFzcz0iYnpfYnVnX2xpbmsgCiAgICAgICAgICBiel9zdGF0dXNfUkVPUEVORUQg
IgogICB0aXRsZT0iUkVPUEVORUQgLSBWVUwtMDogQ1ZFLTIwMTgtMTkyMDY6IHJvdW5kY3ViZW1h
aWw6IHN0ZXBzL21haWwvZnVuYy5pbmMgaW4gUm91bmRjdWJlIGJlZm9yZSAxLjMuOCBoYXMgWFNT
IHZpYSBjcmFmdGVkIHVzZSBvZiAmbHQ7c3ZnJmd0OyZsdDtzdHlsZSZndDsiCiAgIGhyZWY9Imh0
dHA6Ly9idWd6aWxsYS5zdXNlLmNvbS9zaG93X2J1Zy5jZ2k/aWQ9MTExNTcxOCI+YnVnIDExMTU3
MTg8L2E+CiAgICAgICAgICA8YnI+CiAgICAgICAgICAgICA8dGFibGUgYm9yZGVyPSIxIiBjZWxs
c3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjgiPgogICAgICAgICAgPHRyPgogICAgICAgICAgICA8
dGg+V2hhdDwvdGg+CiAgICAgICAgICAgIDx0aD5SZW1vdmVkPC90aD4KICAgICAgICAgICAgPHRo
PkFkZGVkPC90aD4KICAgICAgICAgIDwvdHI+CgogICAgICAgICA8dHI+CiAgICAgICAgICAgPHRk
IHN0eWxlPSJ0ZXh0LWFsaWduOnJpZ2h0OyI+U3RhdHVzPC90ZD4KICAgICAgICAgICA8dGQ+UkVT
T0xWRUQKICAgICAgICAgICA8L3RkPgogICAgICAgICAgIDx0ZD5SRU9QRU5FRAogICAgICAgICAg
IDwvdGQ+CiAgICAgICAgIDwvdHI+CgogICAgICAgICA8dHI+CiAgICAgICAgICAgPHRkIHN0eWxl
PSJ0ZXh0LWFsaWduOnJpZ2h0OyI+Q0M8L3RkPgogICAgICAgICAgIDx0ZD4KICAgICAgICAgICAg
ICAgJm5ic3A7CiAgICAgICAgICAgPC90ZD4KICAgICAgICAgICA8dGQ+bWVpc3NuZXImIzY0O3N1
c2UuY29tCiAgICAgICAgICAgPC90ZD4KICAgICAgICAgPC90cj4KCiAgICAgICAgIDx0cj4KICAg
ICAgICAgICA8dGQgc3R5bGU9InRleHQtYWxpZ246cmlnaHQ7Ij5WZXJzaW9uPC90ZD4KICAgICAg
ICAgICA8dGQ+TGVhcCA0Mi4zCiAgICAgICAgICAgPC90ZD4KICAgICAgICAgICA8dGQ+TGVhcCAx
NS4wCiAgICAgICAgICAgPC90ZD4KICAgICAgICAgPC90cj4KCiAgICAgICAgIDx0cj4KICAgICAg
ICAgICA8dGQgc3R5bGU9InRleHQtYWxpZ246cmlnaHQ7Ij5SZXNvbHV0aW9uPC90ZD4KICAgICAg
ICAgICA8dGQ+V09OVEZJWAogICAgICAgICAgIDwvdGQ+CiAgICAgICAgICAgPHRkPi0tLQogICAg
ICAgICAgIDwvdGQ+CiAgICAgICAgIDwvdHI+PC90YWJsZT4KICAgICAgPHA+CiAgICAgICAgPGRp
dj4KICAgICAgICAgICAgPGI+PGEgY2xhc3M9ImJ6X2J1Z19saW5rIAogICAgICAgICAgYnpfc3Rh
dHVzX1JFT1BFTkVEICIKICAgdGl0bGU9IlJFT1BFTkVEIC0gVlVMLTA6IENWRS0yMDE4LTE5MjA2
OiByb3VuZGN1YmVtYWlsOiBzdGVwcy9tYWlsL2Z1bmMuaW5jIGluIFJvdW5kY3ViZSBiZWZvcmUg
MS4zLjggaGFzIFhTUyB2aWEgY3JhZnRlZCB1c2Ugb2YgJmx0O3N2ZyZndDsmbHQ7c3R5bGUmZ3Q7
IgogICBocmVmPSJodHRwOi8vYnVnemlsbGEuc3VzZS5jb20vc2hvd19idWcuY2dpP2lkPTExMTU3
MTgjYzIiPkNvbW1lbnQgIyAyPC9hPgogICAgICAgICAgICAgIG9uIDxhIGNsYXNzPSJiel9idWdf
bGluayAKICAgICAgICAgIGJ6X3N0YXR1c19SRU9QRU5FRCAiCiAgIHRpdGxlPSJSRU9QRU5FRCAt
IFZVTC0wOiBDVkUtMjAxOC0xOTIwNjogcm91bmRjdWJlbWFpbDogc3RlcHMvbWFpbC9mdW5jLmlu
YyBpbiBSb3VuZGN1YmUgYmVmb3JlIDEuMy44IGhhcyBYU1MgdmlhIGNyYWZ0ZWQgdXNlIG9mICZs
dDtzdmcmZ3Q7Jmx0O3N0eWxlJmd0OyIKICAgaHJlZj0iaHR0cDovL2J1Z3ppbGxhLnN1c2UuY29t
L3Nob3dfYnVnLmNnaT9pZD0xMTE1NzE4Ij5idWcgMTExNTcxODwvYT4KICAgICAgICAgICAgICBm
cm9tIDxzcGFuIGNsYXNzPSJ2Y2FyZCI+PGEgY2xhc3M9ImVtYWlsIiBocmVmPSJtYWlsdG86bWVp
c3NuZXImIzY0O3N1c2UuY29tIiB0aXRsZT0iTWFyY3VzIE1laXNzbmVyICZsdDttZWlzc25lciYj
NjQ7c3VzZS5jb20mZ3Q7Ij4gPHNwYW4gY2xhc3M9ImZuIj5NYXJjdXMgTWVpc3NuZXI8L3NwYW4+
PC9hPgo8L3NwYW4+PC9iPgogICAgICAgIDxwcmU+MTUuMCBhbmQgMTUuMSB1bmZpeGVkLCBmYWN0
b3J5IGlzIGZpeGVkPC9wcmU+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvcD4KICAgICAgPGhyPgog
ICAgICA8c3Bhbj5Zb3UgYXJlIHJlY2VpdmluZyB0aGlzIG1haWwgYmVjYXVzZTo8L3NwYW4+CiAg
ICAgIAogICAgICA8dWw+CiAgICAgICAgICA8bGk+WW91IGFyZSBvbiB0aGUgQ0MgbGlzdCBmb3Ig
dGhlIGJ1Zy48L2xpPgogICAgICA8L3VsPgogICAgPC9ib2R5Pgo8L2h0bWw+

--===============3333241903881035643==--