Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:sogo User: [email protected] Usertags: pu
[ Reason ]
This s-p-u fixes CVE-2025-63498 and CVE-2025-63499, two XSS vulnerabilities. The plan is to fix SOGo's vulnerabilities in all releases, including LTS, with stable being the first step.

Fixing
* CVE-2025-63498 - Cross Site Scripting (XSS)
* CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)

[ Tests ]
I've verified in a Trixie VM that the PoCs the tracker mentions stop working (they did trigger before).

[ Risks ]
The patches are cherry-picked from upstream and are small and quite straightforward. See the DEP-3 headers for pointers to the upstream changes.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
The Security Team gave their OK for this upload as s-p-u. I'll upload the changes after this mail has been sent.

-- tobi
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog 2025-07-25 11:26:33.000000000 +0200
+++ sogo-5.12.1/debian/changelog 2025-12-31 11:33:39.000000000 +0100
@@ -1,3 +1,11 @@
+sogo (5.12.1-3+deb13u1) trixie; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2025-63498 - Cross Site Scripting (XSS)
+ * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
+
+ -- Tobias Frost <[email protected]> Wed, 31 Dec 2025 11:33:39 +0100
+
 sogo (5.12.1-3) unstable; urgency=medium
 * Add upstream patch to fix freebusy calculation.
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63498.patch sogo-5.12.1/debian/patches/CVE-2025-63498.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63498.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63498.patch 2025-12-31 10:20:54.000000000 +0100
@@ -0,0 +1,54 @@
+Description: CVE-2025-63498 - Cross Site Scripting (XSS) via the "userName" parameter
+Origin: https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c
+Bug: https://github.com/xryptoh/CVE-2025-63498
+
+From 9e20190fad1a437f7e1307f0adcfe19a8d45184c Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <[email protected]>
+Date: Thu, 2 Oct 2025 13:37:56 +0200
+Subject: [PATCH] fix(login): Only remember the login if the auth was
+ successful
+
+---
+ UI/MainUI/SOGoRootPage.m | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
+index f3d54dd6fb..79533e42d1 100644
+--- a/UI/MainUI/SOGoRootPage.m
++++ b/UI/MainUI/SOGoRootPage.m
+@@ -274,7 +274,7 @@ - (WOResponse *) connectAction
+
+ SOGoPasswordPolicyError err;
+ int expire, grace;
+- BOOL rememberLogin, b;
++ BOOL rememberLogin, b, loginSuccess;
+
+ err = PolicyNoError;
+ expire = grace = -1;
+@@ -296,12 +296,14 @@ - (WOResponse *) connectAction
+ perr: &err expire: &expire grace: &grace additionalInfo: &additionalLoginInformations useCache: NO];
+ [self translateAdditionalLoginInformations: &additionalLoginInformations];
+
+- if (b
++ loginSuccess = b
+ && (err == PolicyNoError)
+ // no password policy
+ && ((expire < 0 && grace < 0) // no password policy or everything is alright
+ || (expire < 0 && grace > 0) // password expired, grace still permits login
+- || (expire >= 0 && grace == -1))) // password about to expire OR ppolicy activated and passwd never changed
++ || (expire >= 0 && grace == -1)); // password about to expire OR ppolicy activated and passwd never changed
++
++ if (loginSuccess)
+ {
+ NSMutableDictionary *json = [NSMutableDictionary dictionary];
+
+@@ -442,7 +444,8 @@ - (WOResponse *) connectAction
+ response = [self _responseWithLDAPPolicyError: err additionalInfos: additionalLoginInformations];
+ }
+
+- if (rememberLogin)
++ //Only remember login If the auth was succesful...
++ if (rememberLogin && loginSuccess)
+ [response addCookie: [self _cookieWithUsername: [params objectForKey: @"userName"]]];
+ else
+ [response addCookie: [self _cookieWithUsername: nil]];
diff -Nru sogo-5.12.1/debian/patches/CVE-2025-63499.patch sogo-5.12.1/debian/patches/CVE-2025-63499.patch
--- sogo-5.12.1/debian/patches/CVE-2025-63499.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/CVE-2025-63499.patch 2025-12-25 11:52:09.000000000 +0100
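Review bot: The new gate `if (rememberLogin && loginSuccess)` still passes `[params objectForKey: @"userName"]` to `_cookieWithUsername:` verbatim, so the fix narrows the reflection to names that just authenticated rather than encoding the value; whether that is sufficient depends on `_cookieWithUsername:` and on which characters the configured user sources accept in login names, neither of which is visible in this hunk. That assumption deserves a comment at the call site, e.g. `// userName is echoed verbatim; relies on loginSuccess implying a valid account name -- confirm _cookieWithUsername: encodes it`. The added comment also carries a typo and a style slip: `//Only remember login If the auth was succesful...` should read `// Only remember the login if the auth was successful`. connectAction starts and ends outside this hunk, so the earlier uses of loginSuccess between the hunks are not reviewed here.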
@@ -0,0 +1,40 @@
+Description: CVE-2025-63499 - Reflected XSS Vulnerability
+Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
+Bug: https://github.com/poblaguev-tot/CVE-2025-63499
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
+
+From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <[email protected]>
+Date: Wed, 26 Nov 2025 13:22:38 +0100
+Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
+ theme query
+
+---
+ UI/SOGoUI/UIxComponent.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
+index a8658e772b..012d6edea7 100644
+--- a/UI/SOGoUI/UIxComponent.m
++++ b/UI/SOGoUI/UIxComponent.m
+@@ -395,14 +395,18 @@ - (NSString *) ownPath
+
+ - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
+ {
+- NSString *dst, *rel, *theme;
++ NSString *dst, *rel, *theme, *safeTheme;
+
+ dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
+ rel = [dst urlPathRelativeToPath:[self ownPath]];
+
+ theme = [[context request] formValueForKey: @"theme"];
+ if ([theme length])
+- rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ {
++ safeTheme = [theme stringWithoutHTMLInjection: YES];
++ if([safeTheme isEqualToString: theme])
++ rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ }
+
+ return rel;
+ }
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series 2025-07-25 11:24:14.000000000 +0200
+++ sogo-5.12.1/debian/patches/series 2025-12-31 10:20:54.000000000 +0100
@@ -15,3 +15,5 @@
 upstream_password_regex.patch
 upstream_fix_evaluation_freebusy.patch
 upstream_use_openid_libcurl.patch
+CVE-2025-63499.patch
+CVE-2025-63498.patch
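Review bot: The check `if([safeTheme isEqualToString: theme])` accepts any value that `stringWithoutHTMLInjection:` leaves untouched and then interpolates the raw `theme` into a query string without percent-encoding, so characters that are URL-significant but not HTML-significant (`&`, `#`, `%`, whitespace) presumably still pass through, depending on what that helper strips (its implementation is outside this hunk). Theme names are a closed set, so a positive allowlist would be tighter than strip-and-compare: `NSCharacterSet *disallowed = [[NSCharacterSet alphanumericCharacterSet] invertedSet];` / `if ([theme rangeOfCharacterFromSet: disallowed].location == NSNotFound)` / `rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];`, widened with whatever separators SOGo's shipped theme names actually use, which would also make `safeTheme` unnecessary. Separately, `if(` lacks the space every other `if (` in this section uses. For the stable update a faithful cherry-pick is the right call; this is a follow-up worth raising upstream. The whole of relativePathToUserFolderSubPath: is visible in the hunk.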

