
Bug#695174: marked as done (t-p-u pre-approval owncloud/4.0.4debian2-3.1)



Your message dated Thu, 13 Dec 2012 13:07:03 +0000
with message-id <78a97e75c6e24e7c1f7e2741c2fa1672@mail.adsl.funky-badger.org>
and subject line Re: Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
has caused the Debian Bug report #695174,
regarding t-p-u pre-approval owncloud/4.0.4debian2-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695174: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695174
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I would like to ask for pre-approval to upload owncloud 4.0.4debian2-3.1 to
testing-proposed-updates. It fixes bug #693990 (multiple security
issues). The debdiff is attached.

This bug has been fixed in unstable with a similar patch in version
4.0.8debian-1.1.  I had to adopt 07_oc-sa-2012-002.patch and backport a
helper function from the unstable upstream version.


Cheers,

Michael
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2012-09-22 18:36:17.000000000 +0200
+++ owncloud-4.0.4debian2/debian/changelog	2012-12-04 22:45:50.000000000 +0100
@@ -1,3 +1,16 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload, fixes several security issues (Closes: #693990).
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+    filesystem.php.
+  * debian/pathes/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+    function from 4.0.8 release.
+
+ -- Michael Banck <mbanck@debian.org>  Tue, 04 Dec 2012 22:22:39 +0100
+
 owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
 
   * debian/patches:
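Review bot: the last bullet of the new changelog entry misspells the directory as `debian/pathes/07_oc-sa-2012-002.patch`; it should read `debian/patches/07_oc-sa-2012-002.patch`. Since that same file is already listed two bullets above ("Fix timing attack"), the two bullets could be merged into one that says the patch fixes the timing attack and backports generate_random_bytes() from the 4.0.8 release, so each patch file appears once and the entry reads consistently with the series hunk at the end of the debdiff.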
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch	2012-12-04 22:47:34.000000000 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js	2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js	2012-12-04 22:47:26.874081078 +0100
+@@ -4662,7 +4662,7 @@
+ 					"</span>";
+ 			}
+ 			html +=
+-				"<span class='fc-event-title'>" + event.title + "</span>" +
++				"<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" +
+ 				"</div>";
+ 			if (seg.isEnd && isEventResizable(event)) {
+ 				html +=
+@@ -5220,5 +5220,5 @@
+ 	};
+ 	
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js	2012-12-04 22:47:26.810080751 +0100
++++ owncloud-4.0.4debian2/apps/files/js/filelist.js	2012-12-04 22:47:26.874081078 +0100
+@@ -14,9 +14,9 @@
+ 			var extension=false;
+ 		}
+ 		html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
+-		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+name+'"><span class="nametext">'+basename
++		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
+ 		if(extension){
+-			html+='<span class="extension">'+extension+'</span>';
++			html+='<span class="extension">'+escapeHTML(extension)+'</span>';
+ 		}
+ 		html+='</span></a></td>';
+ 		if(size!='Pending'){
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js	2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/apps/files_versions/js/versions.js	2012-12-04 22:47:26.874081078 +0100
+@@ -36,7 +36,7 @@
+ 	
+ 	var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
+ 	
+-	var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
++	var html = '<div id="dropdown" class="drop" data-file="'+escapeHTML(files)+'">';
+ 	html += '<div id="private">';
+ 	html += '<select data-placeholder="Saved versions" id="found_versions" class="chzen-select" style="width:16em;">';
+ 	html += '<option value=""></option>';
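Review bot: the filelist.js and versions.js hunks call `escapeHTML(name)`, `escapeHTML(basename)`, `escapeHTML(extension)` and `escapeHTML(files)`, but nothing in this patch defines `escapeHTML`, so please confirm that the 4.0.4 core JavaScript already provides it before the series is applied (the fullcalendar hunk correctly uses that library's own `htmlEscape`, which is the naming difference the follow-up discussion in this bug clears up). In the filelist.js line `href="download.php?file=...'+escapeHTML(name)+'"` the escaped value lands inside a double-quoted attribute, so the escaping function must also convert `"` to `&quot;`; otherwise a file name containing a double quote still terminates the attribute. The pre-existing `.replace(/</, '&lt;').replace(/>/, '&gt;')` on `$('#dir').val()` has no `g` flag and therefore rewrites only the first `<` and the first `>`; that line is being touched anyway, so routing the directory name through the same escaping function would close that gap too. The second fullcalendar hunk (`@@ -5220,5 +5220,5 @@`) changes only whitespace on a blank line and can be dropped from the patch.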
diff -Nru owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch	2012-12-04 22:47:37.000000000 +0100
@@ -0,0 +1,65 @@
+Index: owncloud-4.0.4debian2/core/lostpassword/resetpassword.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/resetpassword.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/resetpassword.php	2012-12-04 22:47:36.618131274 +0100
+@@ -10,7 +10,7 @@
+ require_once('../../lib/base.php');
+ 
+ // Someone wants to reset their password:
+-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
++if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
+ 	if (isset($_POST['password'])) {
+ 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
+ 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
+Index: owncloud-4.0.4debian2/lib/util.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/util.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/lib/util.php	2012-12-04 22:47:36.622131291 +0100
+@@ -459,8 +459,31 @@
+ 	
+  	}
+ 	
+-	
++        /*
++        * @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl
++        * Inspired by gorgo on php.net
++        * @param Int with the length of the random
++        * @return String with the random bytes
++        */
++        public static function generate_random_bytes($length = 30) {
++                if(function_exists('openssl_random_pseudo_bytes')) {
++                        $pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong));
++                        if($strong == TRUE) {
++                                return substr($pseudo_byte, 0, $length); // Truncate it to match the length
++                        }
++                }
+ 
++                // fallback to mt_rand()
++                $characters = '0123456789';
++                $characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
++                $charactersLength = strlen($characters)-1;
++                $pseudo_byte = "";
+ 
++                // Select some random characters
++                for ($i = 0; $i < $length; $i++) {
++                        $pseudo_byte .= $characters[mt_rand(0, $charactersLength)];
++                }
++                return $pseudo_byte;
++        }
+ }
+ 
+Index: owncloud-4.0.4debian2/core/lostpassword/index.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/index.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/index.php	2012-12-04 22:47:36.622131291 +0100
+@@ -13,8 +13,8 @@
+ // Someone lost their password:
+ if (isset($_POST['user'])) {
+ 	if (OC_User::userExists($_POST['user'])) {
+-		$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
+-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
++		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
++		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
+ 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
+ 		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
+ 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
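Review bot: in the backported `generate_random_bytes()` (lib/util.php hunk), `bin2hex(openssl_random_pseudo_bytes($length, $strong))` yields `2 * $length` hex characters and the following `substr($pseudo_byte, 0, $length)` keeps only `$length` of them, so the call with `$length = 30` in index.php produces 30 hex characters carrying 15 random bytes (120 bits), not 30 bytes as the `@param`/`@return` comment suggests; that is still ample for a reset token that is hashed before storage, but either the comment should say so or the function should request `ceil($length / 2)` bytes and skip the truncation. The `mt_rand()` fallback is not a cryptographically secure generator, so when `$strong` is false the token quality is silently downgraded; an `OC_Log::write()` warning at the top of the fallback branch would at least make that visible to the administrator. The comment block and the new function body are indented with spaces where the surrounding file uses tabs (compare the context lines of `@@ -459,8 +459,31 @@`), and `/*` should be `/**` for the docblock to be recognised as one. The resetpassword.php and index.php changes look right: the preference stores `hash("sha256", $token)` and the check compares `hash("sha256", $_GET['token'])` against it with `===`, so a byte-by-byte timing difference on that comparison reveals bytes of the hash rather than of the token; `OC_Config::getValue('passwordsalt', '')` defaults to an empty salt, which is acceptable here because the random bytes, not the salt, provide the unpredictability.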
diff -Nru owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch
--- owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch	2012-12-04 22:19:55.000000000 +0100
@@ -0,0 +1,91 @@
+Index: owncloud-4.0.4debian2/lib/migrate.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/migrate.php	2012-12-04 21:56:35.000000000 +0100
++++ owncloud-4.0.4debian2/lib/migrate.php	2012-12-04 22:19:42.125448119 +0100
+@@ -205,8 +205,8 @@
+ 		// Get export_info.json
+ 		$scan = scandir( $extractpath );
+ 		// Check for export_info.json
+-		if( !in_array( 'export_info.json', $scan ) ){
+-			OC_Log::write( 'migration', 'Invalid import file, export_info.json note found', OC_Log::ERROR );
++		if( !in_array( 'export_info.json', $scan ) ) {
++			OC_Log::write( 'migration', 'Invalid import file, export_info.json not found', OC_Log::ERROR );
+ 			return json_encode( array( 'success' => false ) );
+ 		}
+ 		$json = json_decode( file_get_contents( $extractpath . 'export_info.json' ) );
+@@ -241,12 +241,19 @@
+ 					return json_encode( array( 'success' => false ) );
+ 				}
+ 				// Copy data
+-				if( !self::copy_r( $extractpath . $json->exporteduser, $datadir . '/' . self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				$userfolder = $extractpath . $json->exporteduser;
++				$newuserfolder = $datadir . '/' . self::$uid;
++				foreach(scandir($userfolder) as $file){
++					if($file !== '.' && $file !== '..' && is_dir($file)){
++						// Then copy the folder over
++						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
++					}
+ 				}
+ 				// Import user app data
+-				if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				if(file_exists($extractpath . $json->exporteduser . '/migration.db')){
++					if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ) {
++						return json_encode( array( 'success' => false ) );
++					}
+ 				}
+ 				// All done!
+ 				if( !self::unlink_r( $extractpath ) ){
+@@ -311,37 +318,6 @@
+ 	}
+ 
+ 	/**
+-	* @brief copies recursively
+-	* @param $path string path to source folder
+-	* @param $dest string path to destination
+-	* @return bool
+-	*/
+-	private static function copy_r( $path, $dest ){
+-		if( is_dir($path) ){
+-			@mkdir( $dest );
+-			$objects = scandir( $path );
+-			if( sizeof( $objects ) > 0 ){
+-				foreach( $objects as $file ){
+-					if( $file == "." || $file == ".." || $file == ".htaccess")
+-					continue;
+-					// go on
+-					if( is_dir( $path . '/' . $file ) ){
+-						self::copy_r( $path  .'/' . $file, $dest . '/' . $file );
+-					} else {
+-						copy( $path . '/' . $file, $dest . '/' . $file );
+-					}
+-				}
+-			}
+-			return true;
+-		}
+-		elseif( is_file( $path ) ){
+-			return copy( $path, $dest );
+-		} else {
+-			return false;
+-		}
+-	}
+-
+-	/**
+ 	* @brief tries to extract the import zip
+ 	* @param $path string path to the zip
+ 	* @return string path to extract location (with a trailing slash) or false on failure
+Index: owncloud-4.0.4debian2/lib/helper.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/helper.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.4debian2/lib/helper.php	2012-12-04 22:19:42.125448119 +0100
+@@ -309,7 +309,8 @@
+ 					self::copyr("$src/$file", "$dest/$file");
+ 				}
+ 			}
+-		}elseif(file_exists($src)){
++
++		}elseif(file_exists($src) && !OC_Filesystem::isFileBlacklisted($src)) {
+ 			copy($src, $dest);
+ 		}
+ 	}
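Review bot: in the new copy loop in lib/migrate.php (`@@ -241,12 +241,19 @@`), `is_dir($file)` tests the bare entry name returned by `scandir($userfolder)` against the process's current working directory rather than against `$userfolder`, so the condition should be `is_dir($userfolder.'/'.$file)`; as written, a subdirectory of the export is copied only if a same-named directory happens to exist in the web server's cwd, and otherwise the user's data is silently skipped while the import still reports "All done!". Because the loop now copies only directories, regular files at the top level of the exported user folder (other than `migration.db`, which is handled separately) are no longer imported, whereas the removed `copy_r` did copy them; if skipping them is part of the fix, a comment saying so would help the next reader. Replacing `copy_r` with `OC_Helper::copyr` together with the new `!OC_Filesystem::isFileBlacklisted($src)` check in lib/helper.php means a blacklisted name is now refused at every depth, not only by the top-level `.htaccess` comparison the old code had, which is the right direction. The lib/helper.php hunk also inserts an empty line before `}elseif(...)` that serves no purpose, and the first migrate.php hunk only corrects the "note found" typo and brace spacing; both could be left out to keep a security debdiff minimal.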
diff -Nru owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch
--- owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch	2012-12-04 22:19:51.000000000 +0100
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.4debian2/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/filesystem.php	2012-12-04 21:56:35.000000000 +0100
++++ owncloud-4.0.4debian2/lib/filesystem.php	2012-12-04 22:19:45.133463687 +0100
+@@ -361,12 +361,16 @@
+ 	 * @return bool
+ 	 */
+ 	static public function isValidPath($path){
++		$path = str_replace('\\', '/', $path);
+ 		if(!$path || $path[0]!=='/'){
+ 			$path='/'.$path;
+ 		}
+ 		if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+ 			return false;
+ 		}
++		if(self::isFileBlacklisted($path)){
++			return false;
++		}
+ 		return true;
+ 	}
+ 	
+@@ -375,21 +379,23 @@
+ 	 * Listens to write and rename hooks
+ 	 * @param array $data from hook
+ 	 */
+-	static public function isBlacklisted($data){
+-		$blacklist = array('.htaccess');
++	static public function isBlacklisted($data) {
+ 		if (isset($data['path'])) {
+ 			$path = $data['path'];
+ 		} else if (isset($data['newpath'])) {
+ 			$path = $data['newpath'];
+ 		}
+ 		if (isset($path)) {
+-			$filename = strtolower(basename($path));
+-			if (in_array($filename, $blacklist)) {
+-				$data['run'] = false;
+-			}
++			$data['run'] = !self::isFileBlacklisted($path);
+ 		}
+ 	}
+-	
++
++	static public function isFileBlacklisted($path){
++		$blacklist = array('.htaccess');
++		$filename = strtolower(basename($path));
++		return in_array($filename, $blacklist);
++	}
++
+ 	/**
+ 	 * following functions are equivilent to their php buildin equivilents for arguments/return values.
+ 	 */
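Review bot: `isFileBlacklisted()` is the only new public function in lib/filesystem.php and lacks the docblock that its neighbours `isValidPath()` and `isBlacklisted()` carry; please add `@param string $path` and `@return bool` in the file's existing style. In `isValidPath()` the `str_replace('\\', '/', $path)` normalisation is applied to a local copy only, so callers keep working with the original string; that is fine for a reject-only check (a `\` the check treats as a separator is a literal character on a POSIX filesystem, so the check is merely stricter than the filesystem), but the docblock above the function should state that it validates and does not normalise, to stop someone relying on a normalised return value later. The blacklist itself remains the single entry `.htaccess`, compared case-insensitively via `strtolower(basename($path))`; since `isValidPath()` now consults it, any operation routed through that check refuses a path whose final component is `.htaccess`, not only the write/rename hook, which is the intended tightening. The blank line replaced before the new function (`-\t` / `+`) is a whitespace-only change and harmless.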
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series	2012-09-22 16:03:47.000000000 +0200
+++ owncloud-4.0.4debian2/debian/patches/series	2012-12-04 22:43:34.000000000 +0100
@@ -15,4 +15,7 @@
 remove_unused_unsecure_files.diff
 BTS688394.diff
 backported_security_fixes.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch

--- End Message ---
--- Begin Message ---
On 13.12.2012 09:28, Michael Banck wrote:
> On Wed, Dec 12, 2012 at 09:20:38PM +0100, Julien Cristau wrote:
>> On Wed, Dec 12, 2012 at 19:44:38 +0000, Adam D. Barratt wrote:
>>> ++function escapeHTML(s) {
>>> [...]
>>> +Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
>>> [...]
>>> +- "<span class='fc-event-title'>" + event.title + "</span>" +
>>> ++ "<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" +
>>>
>>> Should the htmlEscape() call in that last hunk be escapeHTML()?
>>>
>> iirc fullcalendar has its own preexisting escape function, with a
>> different name.
>
> Yes:
>
> mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$ grep -r htmlEscape * | head -1
> 3rdparty/fullcalendar/js/fullcalendar.js:function htmlEscape(s) {
> mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$

How entirely unconfusing. :-(

Approved; thanks.

Regards,

Adam

--- End Message ---
