
Bug#699652: marked as done (tpu: owncloud/4.0.4debian2-3.3)



Your message dated Mon, 4 Feb 2013 19:30:53 +0100
with message-id <20130204183053.GW8837@radis.cristau.org>
and subject line Re: Bug#699652: tpu: owncloud/4.0.4debian2-3.3
has caused the Debian Bug report #699652,
regarding tpu: owncloud/4.0.4debian2-3.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
699652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699652
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

owncloud in unstable fixes some security bugs: #698737, which are some
XSS vulnerabilities fixed in unstable (CVE-2012-0201, CVE-2012-0202
and CVE-2012-0203). But we have a newer version in unstable. Attached
is the proposed debdiff against the version in unstable (practically the
same patch as applied in unstable).

Attached is the debdiff. Could I upload this to t-p-u?

Regards and thanks for your work!

Salvatore
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2013-01-04 23:31:11.000000000 +0100
+++ owncloud-4.0.4debian2/debian/changelog	2013-02-02 23:55:58.000000000 +0100
@@ -1,3 +1,12 @@
+owncloud (4.0.4debian2-3.3) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Add 12_oc-sa-2013-001.patch patch
+    [SECURITY] CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203: Fix multiple
+    XSS vulnerabilities. (Closes: #698737)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 02 Feb 2013 23:52:13 +0100
+
 owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high
 
   * Non-maintainer upload.
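Review bot: the CVE identifiers in the new changelog entry (`+    [SECURITY] CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203`) disagree with the header of the patch file added further down in this debdiff, which lists CVE-2013-0201, CVE-2013-0202 and CVE-2013-0203 and points at advisory oC-SA-2013-001. One of the two is a typo; since the changelog is what the security tracker and users read, please make them consistent before the upload.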
diff -Nru owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch
--- owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch	2013-02-02 23:55:58.000000000 +0100
@@ -0,0 +1,86 @@
+Description: Fix multiple XSS vulnerabilities
+ - CVE-2013-0201
+ - CVE-2013-0202
+ - CVE-2013-0203
+ .
+ See: http://owncloud.org/about/security/advisories/oC-SA-2013-001/
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/698737
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-01-24
+
+--- a/apps/gallery/sharing.php
++++ b/apps/gallery/sharing.php
+@@ -37,7 +37,7 @@
+     <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"; type="text/javascript"></script>
+     <script src="js/sharing.js" type="text/javascript"></script>
+     <script>
+-      var TOKEN = '<?php echo $_GET['token']; ?>';
++      var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';
+     </script>
+   </head>
+   <body>
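Review bot: `OC_Util::sanitizeHTML()` on the `+      var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';` line is HTML-entity encoding used inside a JavaScript string literal; it does stop the quote and `</script>` break-outs, but it is the wrong encoder for that context (a trailing backslash still leaves an unterminated string, and the script then receives the entity-encoded value rather than the token). Emitting the value with `json_encode($_GET['token'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` produces a correctly quoted JavaScript string and is the idiomatic fix. Unrelated to this change but visible in the context line: the jQuery `<script src=...>` tag has a stray `;` after the closing quote and loads the library from ajax.googleapis.com, which is the point raised in the reply below.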
+--- a/core/lostpassword/templates/resetpassword.php
++++ b/core/lostpassword/templates/resetpassword.php
+@@ -1,4 +1,4 @@
+-<form action="<?php echo 'resetpassword.php?'.$_SERVER['QUERY_STRING']; ?>" method="post">
++<form action="<?php echo 'resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token']); ?>" method="post">
+ 	<fieldset>
+ 		<?php if($_['success']): ?>
+ 			<h1><?php echo $l->t('Your password was reset'); ?></h1>
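Review bot: `htmlentities()` on the new `<form action=...>` line is called without `ENT_QUOTES` and without a charset (before PHP 5.4 the default charset is ISO-8859-1, so multibyte input can be mis-encoded), and the values are placed inside a URL query string, where they need URL-encoding before HTML-encoding (a `user` or `token` value containing `&` or `#` would otherwise change the meaning of the query). Suggest `htmlspecialchars(rawurlencode($_GET['token']), ENT_QUOTES, 'UTF-8')` for both parameters, or at least the `OC_Util::sanitizeHTML()` helper the other hunks use, for consistency, plus an `isset()` guard so a request without these parameters does not raise notices.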
+--- a/lib/helper.php
++++ b/lib/helper.php
+@@ -179,8 +179,9 @@
+ 			$mimetype=$alias[$mimetype];
+ // 			echo $mimetype;
+ 		}
+-		// Replace slash with a minus
++		// Replace slash and backslash with a minus
+ 		$mimetype = str_replace( "/", "-", $mimetype );
++		$mimetype = str_replace( "\\", "-", $mimetype );
+ 
+ 		// Is it a dir?
+ 		if( $mimetype == "dir" ){
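Review bot: the two `str_replace()` calls can be a single call with an array of needles, `str_replace(array("/", "\\"), "-", $mimetype)`, which also makes it harder to forget one separator the next time the list grows. More importantly, stripping both path separators indicates the value ends up as a filesystem path component, and a two-character denylist is a fragile guard for that; an allowlist such as `preg_replace('/[^a-z0-9.+-]/i', '-', $mimetype)` handles `..`, NUL bytes and other surprises in one place. The `// echo $mimetype;` debug comment in the context could be dropped while this function is being touched.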
+--- a/apps/files_sharing/ajax/share.php
++++ b/apps/files_sharing/ajax/share.php
+@@ -25,7 +25,7 @@
+ 			}
+ 		} catch (Exception $exception) {
+ 			OCP\Util::writeLog('files_sharing', 'Unexpected Error : '.$exception->getMessage(), OCP\Util::ERROR);
+-			OCP\JSON::error(array('data' => array('message' => $exception->getMessage())));
++			OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage()))));
+ 		}
+ 	} else {
+ 		if ($file['encrypted'] == true) {
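Review bot: `OC_Util::sanitizeHTML()` is applied to the exception message inside a JSON reply, which is HTML-encoding at the data layer rather than at the point of rendering; the client now receives `&lt;` and friends and will display them literally wherever it inserts `data.message` as text rather than as HTML, and any other consumer of the JSON gets a mangled message. The durable fix is to escape in the JavaScript that renders the message. Also, the raw `$exception->getMessage()` already goes to the log on the `writeLog` line above, so the response could carry a generic error text instead of internal exception details.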
+--- a/apps/bookmarks/js/bookmarks.js
++++ b/apps/bookmarks/js/bookmarks.js
+@@ -158,9 +158,9 @@
+ 				'</span>&nbsp;' +
+ 			'</p>' +
+ 			'<p class="bookmark_title">'+
+-				'<a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
++				'<a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
+ 			'</p>' +
+-			'<p class="bookmark_url"><a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.url) + '</a></p>' +
++			'<p class="bookmark_url"><a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeURI(bookmark.url) + '</a></p>' +
+ 		'</div>'
+ 	);
+ 	if(taglist != '') {
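Review bot: changing the `href` from `encodeEntities(bookmark.url)` to `encodeURI(bookmark.url)` blocks attribute break-out (`"`, `<` and `>` become `%22`, `%3C` and `%3E`), but `encodeURI` leaves the URL scheme untouched, so a stored bookmark with a `javascript:` scheme is still rendered as a clickable link; the `href` needs a scheme allowlist check in addition to encoding. Two smaller points: `encodeURI` does not encode `&`, so an ampersand in the URL is emitted raw into the HTML (URL-encode first, then HTML-encode: `encodeEntities(encodeURI(bookmark.url))`), and the second changed line now uses `encodeURI(bookmark.url)` for the visible link text as well, so users will see percent-encoded URLs where `encodeEntities` previously rendered them readably.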
+@@ -198,4 +198,4 @@
+ function hasProtocol(url) {
+     var regexp = /(ftp|http|https|sftp)/;
+     return regexp.test(url);
+-}
++}
+\ No newline at end of file
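Review bot: the only change in this hunk is the added trailing newline, which is fine, but the `hasProtocol()` regex shown in context, `/(ftp|http|https|sftp)/`, is unanchored and has no `://`, so it matches those letters anywhere in the string rather than testing the scheme; if this is the check that decides which bookmarks get an `href`, anchor it to the start and include the separator, e.g. `/^(ftp|https?|sftp):\/\//i`.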
+--- a/apps/calendar/js/calendar.js
++++ b/apps/calendar/js/calendar.js
+@@ -718,7 +718,7 @@
+ 			' class="' + classes.join(' ') + '"' +
+ 			'>' +
+ 			'<span class="fc-event-title">' +
+-			event.title +
++			escapeHTML(event.title) +
+ 			'</span>' +
+ 			'</span>' +
+ 			'</td>' +
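Review bot: `escapeHTML()` is not defined in this diff; please confirm the helper encodes `&`, `<`, `>`, `"` and `'` (the same string-concatenated template also writes values into attributes, e.g. `class="' + classes.join(' ') + '"`, where unescaped quotes matter), and that every other user-controlled event field rendered by this template receives the same treatment, not only `event.title`.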
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series	2013-01-04 23:28:29.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/series	2013-02-02 23:55:58.000000000 +0100
@@ -21,3 +21,4 @@
 09_oc-sa-2012-005.patch
 10_oc-sa-2012-006.patch
 11_oc-sa-2012-007.patch
+12_oc-sa-2013-001.patch

--- End Message ---
--- Begin Message ---
On Mon, Feb  4, 2013 at 00:15:52 +0100, Salvatore Bonaccorso wrote:

> Thanks done!
> 
Approved.

> > > +--- a/apps/gallery/sharing.php
> > > ++++ b/apps/gallery/sharing.php
> > > +@@ -37,7 +37,7 @@
> > > +     <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"; type="text/javascript"></script>
> > 
> > ick.
> 
> Indeed; have not checked in detail but does not seem to be reported to
> the BTS so far.
> 
If that does end up in the binary packages, would you mind filing it?

Thanks,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---
