
Bug#699652: tpu: owncloud/4.0.4debian2-3.3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

owncloud in unstable fixes some security bugs: #698737, which are some
XSS vulnerabilities fixed in unstable (CVE-2012-0201, CVE-2012-0202
and CVE-2012-0203). But we have a newer version in unstable. Attached
is the proposed debdiff against the version in unstable (practically the
same patch as applied in unstable).

Attached is the debdiff. Could I upload this to t-p-u?

Regards and thanks for your work!

Salvatore
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2013-01-04 23:31:11.000000000 +0100
+++ owncloud-4.0.4debian2/debian/changelog	2013-02-02 23:55:58.000000000 +0100
@@ -1,3 +1,12 @@
+owncloud (4.0.4debian2-3.3) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Add 12_oc-sa-2013-001.patch patch
+    [SECURITY] CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203: Fix multiple
+    XSS vulnerabilities. (Closes: #698737)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 02 Feb 2013 23:52:13 +0100
+
 owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high
 
   * Non-maintainer upload.
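Review bot: the CVE identifiers in this changelog entry (CVE-2012-0201, CVE-2012-0202, CVE-2012-0203) do not match the ones listed in the patch header added below (CVE-2013-0201, CVE-2013-0202, CVE-2013-0203), and the advisory referenced is oC-SA-2013-001; verify which year is correct and make the changelog agree with the patch before upload. Also "Add 12_oc-sa-2013-001.patch patch" repeats the word "patch".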
diff -Nru owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch
--- owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch	2013-02-02 23:55:58.000000000 +0100
@@ -0,0 +1,86 @@
+Description: Fix multiple XSS vulnerabilities
+ - CVE-2013-0201
+ - CVE-2013-0202
+ - CVE-2013-0203
+ .
+ See: http://owncloud.org/about/security/advisories/oC-SA-2013-001/
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/698737
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-01-24
+
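Review bot: the DEP-3 header says "Origin: upstream" but names the Debian uploader in "Author:", which is contradictory; if this is an upstream fix adapted to 4.0.4, "Origin: backport, <URL of the upstream commit>" with the upstream author is the conventional form, and the commit URL makes the change verifiable beyond the advisory page linked in "See:".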
+--- a/apps/gallery/sharing.php
++++ b/apps/gallery/sharing.php
+@@ -37,7 +37,7 @@
+     <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"; type="text/javascript"></script>
+     <script src="js/sharing.js" type="text/javascript"></script>
+     <script>
+-      var TOKEN = '<?php echo $_GET['token']; ?>';
++      var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';
+     </script>
+   </head>
+   <body>
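Review bot: the token is emitted into a single-quoted JavaScript string literal, and OC_Util::sanitizeHTML is an HTML-context escaper, so confirm it escapes single quotes (ENT_QUOTES); otherwise a quote in the value still terminates the literal. The context-correct encoding for a value placed in JavaScript is a JSON encoder, e.g. `var TOKEN = <?php echo json_encode($_GET['token']); ?>;`, which also avoids handing the script an HTML-entity-encoded token. Separately, the context line `<script src="...jquery.min.js"; type="text/javascript">` carries a stray semicolon after the src attribute.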
+--- a/core/lostpassword/templates/resetpassword.php
++++ b/core/lostpassword/templates/resetpassword.php
+@@ -1,4 +1,4 @@
+-<form action="<?php echo 'resetpassword.php?'.$_SERVER['QUERY_STRING']; ?>" method="post">
++<form action="<?php echo 'resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token']); ?>" method="post">
+ 	<fieldset>
+ 		<?php if($_['success']): ?>
+ 			<h1><?php echo $l->t('Your password was reset'); ?></h1>
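Review bot: the two values are placed into a URL query string and then into an HTML attribute, so they should be URL-encoded first and HTML-escaped second, e.g. `htmlentities(urlencode($_GET['user']))`, otherwise characters such as `&` or `=` in the value change the meaning of the rebuilt query. Guard both reads with `isset()` to avoid notices when the parameters are absent, and pass ENT_QUOTES and 'UTF-8' to htmlentities explicitly, since the defaults on older PHP (ISO-8859-1) can mis-handle multibyte input.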
+--- a/lib/helper.php
++++ b/lib/helper.php
+@@ -179,8 +179,9 @@
+ 			$mimetype=$alias[$mimetype];
+ // 			echo $mimetype;
+ 		}
+-		// Replace slash with a minus
++		// Replace slash and backslash with a minus
+ 		$mimetype = str_replace( "/", "-", $mimetype );
++		$mimetype = str_replace( "\\", "-", $mimetype );
+ 
+ 		// Is it a dir?
+ 		if( $mimetype == "dir" ){
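Review bot: since the result is used to build a file name, replacing two individual characters is a denylist; an allowlist such as `preg_replace('/[^a-zA-Z0-9.+-]/', '-', $mimetype)` covers slash, backslash and anything else unexpected in one step. If the two-character fix is kept, the two calls can be merged into `str_replace(array("/", "\\"), "-", $mimetype)`.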
+--- a/apps/files_sharing/ajax/share.php
++++ b/apps/files_sharing/ajax/share.php
+@@ -25,7 +25,7 @@
+ 			}
+ 		} catch (Exception $exception) {
+ 			OCP\Util::writeLog('files_sharing', 'Unexpected Error : '.$exception->getMessage(), OCP\Util::ERROR);
+-			OCP\JSON::error(array('data' => array('message' => $exception->getMessage())));
++			OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage()))));
+ 		}
+ 	} else {
+ 		if ($file['encrypted'] == true) {
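Review bot: whether HTML-escaping the message inside a JSON error payload is the right fix depends on how the client renders `data.message`; if the JavaScript side inserts it as text rather than HTML, this double-encodes, and if it inserts it as HTML, the fix belongs in the client. Independently of encoding, returning raw exception messages to the browser exposes internal detail; a generic client-facing message with the full text kept in the log (as the previous line already does) is the safer default.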
+--- a/apps/bookmarks/js/bookmarks.js
++++ b/apps/bookmarks/js/bookmarks.js
+@@ -158,9 +158,9 @@
+ 				'</span>&nbsp;' +
+ 			'</p>' +
+ 			'<p class="bookmark_title">'+
+-				'<a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
++				'<a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
+ 			'</p>' +
+-			'<p class="bookmark_url"><a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.url) + '</a></p>' +
++			'<p class="bookmark_url"><a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeURI(bookmark.url) + '</a></p>' +
+ 		'</div>'
+ 	);
+ 	if(taglist != '') {
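Review bot: encodeURI only prevents attribute break-out; it leaves `'`, `(` and `)` unencoded and places no restriction on the URL scheme, so the href should additionally be accepted only when its scheme is in an allowlist. The `hasProtocol` regexp further down the file is unanchored and matches the substring anywhere in the URL, so it does not provide that check; anchor it (`/^(ftp|http|https|sftp):/`) and apply it here. Note also that encodeURI double-encodes an already percent-encoded URL (`%` becomes `%25`), and that the visible link text on the second changed line is now percent-encoded rather than HTML-escaped, so `&` remains raw in text content; `encodeEntities(encodeURI(bookmark.url))` keeps both layers.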
+@@ -198,4 +198,4 @@
+ function hasProtocol(url) {
+     var regexp = /(ftp|http|https|sftp)/;
+     return regexp.test(url);
+-}
++}
+\ No newline at end of file
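Review bot: this hunk changes nothing but the trailing newline, and the "\ No newline at end of file" marker shows the patched file now ends without one; drop the hunk so the security patch stays minimal.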
+--- a/apps/calendar/js/calendar.js
++++ b/apps/calendar/js/calendar.js
+@@ -718,7 +718,7 @@
+ 			' class="' + classes.join(' ') + '"' +
+ 			'>' +
+ 			'<span class="fc-event-title">' +
+-			event.title +
++			escapeHTML(event.title) +
+ 			'</span>' +
+ 			'</span>' +
+ 			'</td>' +
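Review bot: `escapeHTML` is not defined in this hunk, so confirm it is loaded in the calendar app's script scope before this file runs; otherwise rendering fails where the title was previously shown. The adjacent context line interpolates `classes.join(' ')` into the class attribute unescaped; verify that every entry in `classes` comes from internal constants and not from event data.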
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series	2013-01-04 23:28:29.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/series	2013-02-02 23:55:58.000000000 +0100
@@ -21,3 +21,4 @@
 09_oc-sa-2012-005.patch
 10_oc-sa-2012-006.patch
 11_oc-sa-2012-007.patch
+12_oc-sa-2013-001.patch