I modified upstream changeset 2148 so that it applies to the 0.1.1 version in Debian. The debdiff is attached...
-- Andreas Henriksson
diff -u roundcube-0.1.1/debian/changelog roundcube-0.1.1/debian/changelog
--- roundcube-0.1.1/debian/changelog
+++ roundcube-0.1.1/debian/changelog
@@ -1,3 +1,11 @@
+roundcube (0.1.1-8.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add 'modified_changeset_2148.patch' to fix code injection vulnerability.
+ (Closes: #508628)
+
+ -- Andreas Henriksson <andr...@fatal.se> Sat, 13 Dec 2008 13:36:54 +0100
+
 roundcube (0.1.1-8) unstable; urgency=low
 [ Vincent Bernat ]
diff -u roundcube-0.1.1/debian/patches/series roundcube-0.1.1/debian/patches/series
--- roundcube-0.1.1/debian/patches/series
+++ roundcube-0.1.1/debian/patches/series
@@ -8,0 +9 @@
+modified_changeset_2148.patch
only in patch2:
unchanged:
--- roundcube-0.1.1.orig/debian/patches/modified_changeset_2148.patch
+++ roundcube-0.1.1/debian/patches/modified_changeset_2148.patch
@@ -0,0 +1,104 @@
+Upstreams changeset 2148, modified to apply to debians 0.1.1 version of
+roundcube.
+
+--- roundcube-0.1.1/program/lib/html2text.inc 2007-03-21 10:54:10.000000000 +0100
++++ roundcube-0.1.1-fixed/program/lib/html2text.inc 2008-12-13 13:34:57.000000000 +0100
+@@ -112,12 +112,8 @@
+ "/[\n\t]+/", // Newlines and tabs
+ '/<script[^>]*>.*?<\/script>/i', // <script>s -- which strip_tags supposedly has problems with
+ //'/<!-- .* -->/', // Comments -- which strip_tags might have problem a with
+- '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
+- '/<h[123][^>]*>(.+?)<\/h[123]>/ie', // H1 - H3
+- '/<h[456][^>]*>(.+?)<\/h[456]>/ie', // H4 - H6
+ '/<p[^>]*>/i', // <P>
+ '/<br[^>]*>/i', // <br>
+- '/<b[^>]*>(.+?)<\/b>/ie', // <b>
+ '/<i[^>]*>(.+?)<\/i>/i', // <i>
+ '/(<ul[^>]*>|<\/ul>)/i', // <ul> and </ul>
+ '/(<ol[^>]*>|<\/ol>)/i', // <ol> and </ol>
+@@ -126,7 +122,6 @@
+ '/(<table[^>]*>|<\/table>)/i', // <table> and </table>
+ '/(<tr[^>]*>|<\/tr>)/i', // <tr> and </tr>
+ '/<td[^>]*>(.+?)<\/td>/i', // <td> and </td>
+- '/<th[^>]*>(.+?)<\/th>/ie', // <th> and </th>
+ '/ /i',
+ '/"/i',
+ '/>/i',
+@@ -199,6 +194,22 @@
+ );
+
+ /**
++ * List of preg* regular expression patterns to search for
++ * and replace using callback function.
++ *
++ * @var array $callback_search
++ * @access public
++ */
++ var $callback_search = array(
++ '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3
++ '/<(b)[^>]*>(.*?)<\/b>/i', // <b>
++ '/<(strong)[^>]*>(.*?)<\/strong>/i', // <strong>
++ '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i',
++ // <a href="">
++ '/<(th)[^>]*>(.*?)<\/th>/i', // <th> and </th>
++ );
++
++ /**
+ * Contains a list of HTML tags to allow in the resulting text.
+ *
+ * @var string $allowed_tags
+@@ -379,6 +390,7 @@
+
+ // Run our defined search-and-replace
+ $text = preg_replace($this->search, $this->replace, $text);
++ $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+
+ // Strip any other HTML tags
+ $text = strip_tags($text, $this->allowed_tags);
+@@ -446,6 +458,44 @@
+
+ return $display . ' [' . ($index+1) . ']';
+ }
++
++ /**
++ * Callback function for preg_replace_callback use.
++ *
++ * @param array PREG matches
++ * @return string
++ * @access private
++ */
++ function _preg_callback($matches)
++ {
++ switch($matches[1])
++ {
++ case 'b':
++ case 'strong':
++ return $this->_strtoupper($matches[2]);
++ case 'hr':
++ return $this->_strtoupper("\t\t". $matches[2] ."\n");
++ case 'h':
++ return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++ case 'a':
++ return $this->_build_link_list($matches[3], $matches[4]);
++ }
++ }
++
++ /**
++ * Strtoupper multibyte wrapper function
++ *
++ * @param string
++ * @return string
++ * @access private
++ */
++ function _strtoupper($str)
++ {
++ if (function_exists('mb_strtoupper'))
++ return mb_strtoupper($str);
++ else
++ return strtoupper($str);
++ }
+ }
+
+-?>
+\ No newline at end of file
++?>
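Review bot: In `_preg_callback` the switch has a `case 'hr':` that no pattern in `$callback_search` can capture and no `case 'th':`, so a `<th>…</th>` match returns NULL and the header cell text is removed from the output; `case 'hr':` was presumably meant to be `case 'th':`. The patterns all carry `/i` but the switch compares the captured tag name exactly, so `<B>`, `<STRONG>` or `<A HREF=…>` would be deleted the same way; `switch (strtolower($matches[1]))` together with `default: return $matches[0];` keeps unmatched text instead of silently dropping it. Separately, none of the embedded hunks touches the `$replace` array, and the line offsets (five lines removed by old line 199) suggest nothing between the `$search` edits and that point changed. If `$replace` is paired with `$search` by position, as `preg_replace` with two arrays works, the five removed `/e` patterns need their replacement entries removed as well, which is worth checking against the 0.1.1 source before upload.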