Bug#699652: tpu: owncloud/4.0.4debian2-3.3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team
owncloud in unstable fixes some security bugs: #698737, which are some
XSS vulnerabilities fixed in unstable (CVE-2012-0201, CVE-2012-0202
and CVE-2012-0203). But we have a newer version in unstable. Attached
is the proposed debdiff against the version in unstable (practically the
same patch as applied in unstable).
Attached is the debdiff. Could I upload this to t-p-u?
Regards and thanks for your work!
Salvatore
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog 2013-01-04 23:31:11.000000000 +0100
+++ owncloud-4.0.4debian2/debian/changelog 2013-02-02 23:55:58.000000000 +0100
@@ -1,3 +1,12 @@
+owncloud (4.0.4debian2-3.3) testing-proposed-updates; urgency=high
+
+ * Non-maintainer upload.
+ * Add 12_oc-sa-2013-001.patch patch
+ [SECURITY] CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203: Fix multiple
+ XSS vulnerabilities. (Closes: #698737)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 02 Feb 2013 23:52:13 +0100
+
owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high
* Non-maintainer upload.
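Review bot: the CVE identifiers in the new changelog entry (CVE-2012-0201, CVE-2012-0202, CVE-2012-0203) do not match the ones in the header of 12_oc-sa-2013-001.patch (CVE-2013-0201, CVE-2013-0202, CVE-2013-0203); the referenced advisory is oC-SA-2013-001, so please check which year is correct and make the changelog, the patch header and the bug report agree before upload, since the security tracker keys on these ids.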
diff -Nru owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch
--- owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch 2013-02-02 23:55:58.000000000 +0100
@@ -0,0 +1,86 @@
+Description: Fix multiple XSS vulnerabilities
+ - CVE-2013-0201
+ - CVE-2013-0202
+ - CVE-2013-0203
+ .
+ See: http://owncloud.org/about/security/advisories/oC-SA-2013-001/
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/698737
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-01-24
+
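Review bot: the DEP-3 header says `Origin: upstream` while `Author:` names the Debian uploader; for an upstream fix, Origin should carry the upstream commit URL (or `backport, <url>` if the commits were adapted for 4.0.4) and Author the upstream author, otherwise it is unclear later whether this patch differs from what upstream shipped. The advisory link in `See:` is useful; a link to the actual commits would make the backport verifiable.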
+--- a/apps/gallery/sharing.php
++++ b/apps/gallery/sharing.php
+@@ -37,7 +37,7 @@
+ <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script>
+ <script src="js/sharing.js" type="text/javascript"></script>
+ <script>
+- var TOKEN = '<?php echo $_GET['token']; ?>';
++ var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';
+ </script>
+ </head>
+ <body>
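Review bot: the fix `var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';` applies an HTML escaper to a value that lands inside a JavaScript string literal, which is a different output context: HTML entity encoding does not neutralise a backslash or a line terminator, and only neutralises the closing single quote if sanitizeHTML passes ENT_QUOTES. The robust form is `var TOKEN = <?php echo json_encode($_GET['token']); ?>;` (json_encode emits a correctly quoted JS string literal and escapes `/`, so a closing script tag cannot be smuggled in), or, since a share token has a fixed alphabet, rejecting anything that does not match it before it reaches the template. Visible in the context lines but unrelated to the fix: jQuery is loaded from ajax.googleapis.com, so the page depends on third-party script outside this package.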
+--- a/core/lostpassword/templates/resetpassword.php
++++ b/core/lostpassword/templates/resetpassword.php
+@@ -1,4 +1,4 @@
+-<form action="<?php echo 'resetpassword.php?'.$_SERVER['QUERY_STRING']; ?>" method="post">
++<form action="<?php echo 'resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token']); ?>" method="post">
+ <fieldset>
+ <?php if($_['success']): ?>
+ <h1><?php echo $l->t('Your password was reset'); ?></h1>
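Review bot: in the new form action, `htmlentities($_GET['user'])` and `htmlentities($_GET['token'])` escape for the HTML attribute but not for the URL query they are embedded in, so a user name containing `&`, `=` or `#` changes the meaning of the query string; encode for the URL first and for the attribute second, e.g. `'resetpassword.php?user='.htmlentities(urlencode($_GET['user']))`, and write the separator as `&amp;` inside the attribute. This hunk also uses bare htmlentities (whose default charset before PHP 5.4 is ISO-8859-1) while the other hunks use OC_Util::sanitizeHTML; using the same helper throughout keeps charset handling consistent. Reading `$_GET['user']` without isset() will emit a notice when the parameter is missing.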
+--- a/lib/helper.php
++++ b/lib/helper.php
+@@ -179,8 +179,9 @@
+ $mimetype=$alias[$mimetype];
+ // echo $mimetype;
+ }
+- // Replace slash with a minus
++ // Replace slash and backslash with a minus
+ $mimetype = str_replace( "/", "-", $mimetype );
++ $mimetype = str_replace( "\\", "-", $mimetype );
+
+ // Is it a dir?
+ if( $mimetype == "dir" ){
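Review bot: the added `str_replace( "\\", "-", $mimetype )` extends a two-character blacklist rather than restricting the value to what a mimetype can legitimately contain; if the result is used to build a path or filename, characters other than `/` and `\` (such as `..` or quote characters) still pass through. A whitelist such as `preg_replace('/[^a-zA-Z0-9._+-]/', '-', $mimetype)` covers both slashes and everything else in one step. Minor: the two str_replace calls can be collapsed into `str_replace(array('/', '\\'), '-', $mimetype)`, and the updated comment should then say what is being allowed rather than what is being replaced.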
+--- a/apps/files_sharing/ajax/share.php
++++ b/apps/files_sharing/ajax/share.php
+@@ -25,7 +25,7 @@
+ }
+ } catch (Exception $exception) {
+ OCP\Util::writeLog('files_sharing', 'Unexpected Error : '.$exception->getMessage(), OCP\Util::ERROR);
+- OCP\JSON::error(array('data' => array('message' => $exception->getMessage())));
++ OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage()))));
+ }
+ } else {
+ if ($file['encrypted'] == true) {
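Review bot: HTML-escaping `$exception->getMessage()` before placing it in a JSON reply mixes output contexts: the JSON consumer decides whether the string becomes a text node or HTML, so the escaping belongs in the client at the point of insertion (or the response should be sent as application/json and rendered as text); escaping here also double-encodes the message wherever the client already escapes it. The safer change for this error path is to return a fixed, generic message in `OCP\JSON::error(...)` and keep the detailed `$exception->getMessage()` only in the `OCP\Util::writeLog` call two lines above, since exception messages can carry internal paths or query fragments that a web endpoint should not echo back.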
+--- a/apps/bookmarks/js/bookmarks.js
++++ b/apps/bookmarks/js/bookmarks.js
+@@ -158,9 +158,9 @@
+ '</span> ' +
+ '</p>' +
+ '<p class="bookmark_title">'+
+- '<a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
++ '<a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
+ '</p>' +
+- '<p class="bookmark_url"><a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.url) + '</a></p>' +
++ '<p class="bookmark_url"><a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeURI(bookmark.url) + '</a></p>' +
+ '</div>'
+ );
+ if(taglist != '') {
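Review bot: replacing encodeEntities with encodeURI is the wrong encoder in both changed lines: encodeURI is a URL encoder, not an HTML escaper, so in the visible text on the `bookmark_url` line an `&` in the stored URL now reaches innerHTML unescaped and the user sees a percent-encoded URL; in the href, encodeURI leaves `&` and `'` untouched and re-encodes URLs that are already percent-encoded (`%20` becomes `%2520`). Keep encodeEntities for the text node, and for the attribute apply both in order, `encodeEntities(encodeURI(bookmark.url))`, or better build the anchor with DOM APIs (`document.createElement('a')`, then set `href` and `textContent`) so no string concatenation is needed. encodeURI also does not restrict the scheme, so `hasProtocol` remains the only check on what may go into href.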
+@@ -198,4 +198,4 @@
+ function hasProtocol(url) {
+ var regexp = /(ftp|http|https|sftp)/;
+ return regexp.test(url);
+-}
++}
+\ No newline at end of file
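Review bot: this hunk changes only the trailing newline of the file (the removed and added `}` are identical), which is noise in a security patch and makes the next refresh fiddly; better to keep the original newline. While the function is in view: `/(ftp|http|https|sftp)/` is unanchored and has no `:` after the scheme, so it tests whether one of those words appears anywhere in the string rather than whether the URL starts with an allowed scheme; `/^(ftp|https?|sftp):\/\//i` would check what the function name promises.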
+--- a/apps/calendar/js/calendar.js
++++ b/apps/calendar/js/calendar.js
+@@ -718,7 +718,7 @@
+ ' class="' + classes.join(' ') + '"' +
+ '>' +
+ '<span class="fc-event-title">' +
+- event.title +
++ escapeHTML(event.title) +
+ '</span>' +
+ '</span>' +
+ '</td>' +
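Review bot: `escapeHTML(event.title)` is the right escaper for element content, but in the same template the attribute value `classes.join(' ')` is still concatenated raw inside `class="..."`; if any entry of `classes` derives from user-controlled data it needs escapeHTML as well, since a `"` in it would end the attribute. The other interpolations in this block outside the visible lines deserve the same check, as the fix covers only the title.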
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series 2013-01-04 23:28:29.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/series 2013-02-02 23:55:58.000000000 +0100
@@ -21,3 +21,4 @@
09_oc-sa-2012-005.patch
10_oc-sa-2012-006.patch
11_oc-sa-2012-007.patch
+12_oc-sa-2013-001.patch