Control: tags 1121952 + patch
Control: tags 1121952 + pending
Dear maintainer, I've prepared an NMU for sogo (versioned as 5.12.4-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. -- Cheers, tobi
diffstat for sogo-5.12.4 sogo-5.12.4 changelog | 7 +++++++ patches/CVE-2025-63499.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 48 insertions(+) diff -Nru sogo-5.12.4/debian/changelog sogo-5.12.4/debian/changelog --- sogo-5.12.4/debian/changelog 2025-12-02 21:40:17.000000000 +0100 +++ sogo-5.12.4/debian/changelog 2025-12-24 13:18:47.000000000 +0100 @@ -1,3 +1,10 @@ +sogo (5.12.4-1.2) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952) + + -- Tobias Frost <[email protected]> Wed, 24 Dec 2025 13:18:47 +0100 + sogo (5.12.4-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru sogo-5.12.4/debian/patches/CVE-2025-63499.patch sogo-5.12.4/debian/patches/CVE-2025-63499.patch --- sogo-5.12.4/debian/patches/CVE-2025-63499.patch 1970-01-01 01:00:00.000000000 +0100 +++ sogo-5.12.4/debian/patches/CVE-2025-63499.patch 2025-12-24 13:16:23.000000000 +0100 
@@ -0,0 +1,40 @@ +Description: CVE-2025-63499 - Reflected XSS Vulnerability +Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb +Bug: https://github.com/poblaguev-tot/CVE-2025-63499 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952 + +From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001 +From: Hivert Quentin <[email protected]> +Date: Wed, 26 Nov 2025 13:22:38 +0100 +Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in + theme query + +--- + UI/SOGoUI/UIxComponent.m | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m +index a8658e772b..012d6edea7 100644 +--- a/UI/SOGoUI/UIxComponent.m ++++ b/UI/SOGoUI/UIxComponent.m +@@ -395,14 +395,18 @@ - (NSString *) ownPath + + - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub + { +- NSString *dst, *rel, *theme; ++ NSString *dst, *rel, *theme, *safeTheme; + + dst = [[self userFolderPath] stringByAppendingPathComponent: _sub]; + rel = [dst urlPathRelativeToPath:[self ownPath]]; + + theme = [[context request] formValueForKey: @"theme"]; + if ([theme length]) +- rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme]; ++ { ++ safeTheme = [theme stringWithoutHTMLInjection: YES]; ++ if([safeTheme isEqualToString: theme]) ++ rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme]; ++ } + + return rel; + } diff -Nru sogo-5.12.4/debian/patches/series sogo-5.12.4/debian/patches/series --- sogo-5.12.4/debian/patches/series 2025-10-19 15:44:52.000000000 +0200 +++ sogo-5.12.4/debian/patches/series 2025-12-24 13:10:49.000000000 +0100 @@ -11,3 +11,4 @@ python3.patch disable_isIpv4_test.patch cross.patch +CVE-2025-63499.patch
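Review bot: in the UIxComponent.m hunk the new check only guards against HTML injection but the accepted value is still interpolated raw into the query string by `rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];`, so a theme value that survives `stringWithoutHTMLInjection:` is emitted without any URL encoding; consider percent-encoding the value (or, better, accepting only theme names the installation actually ships) instead of relying on an HTML-oriented filter for a URL parameter. Two smaller points in the same hunk: `if([safeTheme isEqualToString: theme])` lacks the space after `if` that the surrounding code uses (`if ([theme length])`), and the DEP-3 `Bug:` header points at a third-party GitHub repository rather than an upstream bug report, which is what that field is meant to carry; the upstream commit is already given in `Origin:`, so `Bug:` could be dropped or replaced with the upstream advisory URL.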