roundcube CVE-2025-49113

have Debian 12 and roundcube 1.6.5+dfsg-1+deb12u5 installed and want to know if I habe to take action?

 

thank you very much till

 

For anyone wanting to fix this on bullseye which still does not have the security backport you can just use this patch against the files. I've done it to our prod systems this week and it works just fine:

Code:

--- usr/share/roundcube/program/steps/settings/upload.inc.orig    2023-10-14 18:34:32.000000000 +0200
+++ usr/share/roundcube/program/steps/settings/upload.inc    2025-06-03 13:37:00.257331562 +0200
@@ -20,6 +20,13 @@
 $from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_GET);
 $type = preg_replace('/(add|edit)-/', '', $from);
 
+// Validate URL input.
+if (!rcube_utils::is_simple_string($type)) {
+    $RCMAIL->write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
+    $OUTPUT->command('display_message', 'Invalid input', 'error');
+    $OUTPUT->send('iframe');
+}
+
 // Plugins in Settings may use this file for some uploads (#5694)
 // Make sure it does not contain a dot, which is a special character
 // when using rcube_session::append() below
--- usr/share/roundcube/program/lib/Roundcube/rcube_utils.php.orig    2024-08-08 23:48:56.000000000 +0200
+++ usr/share/roundcube/program/lib/Roundcube/rcube_utils.php    2025-06-03 13:23:51.328614618 +0200
@@ -243,6 +243,22 @@
     }
 
     /**
+     * Check if input value is a "simple" string.
+     * "Simple" is defined as a non-empty string containing only
+     *  - "word" characters (alphanumeric plus underscore),
+     *  - dots,
+     *  - dashes.
+     *
+     * @param mixed $input The value to test
+     *
+     * @return bool
+     */
+    public static function is_simple_string($input)
+    {
+        return is_string($input) && (bool) preg_match('/^[\w.-]+$/i', $input);
+    }
+
+    /**
      * Read input value and convert it for internal use
      * Performs stripslashes() and charset conversion if necessary
      *