Your message dated Mon, 4 Feb 2013 19:30:53 +0100
with message-id <20130204183053.GW8837@radis.cristau.org>
and subject line Re: Bug#699652: tpu: owncloud/4.0.4debian2-3.3
has caused the Debian Bug report #699652,
regarding tpu: owncloud/4.0.4debian2-3.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
699652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699652
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: tpu: owncloud/4.0.4debian2-3.3
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 03 Feb 2013 00:05:39 +0100
- Message-id: <20130202230539.6382.1875.reportbug@elende.valinor.li>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

owncloud in unstable fixes some security bugs: #698737, which are some XSS vulnerabilities fixed in unstable (CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203). But we have a newer version in unstable. Attached is the proposed debdiff against the version in unstable (practically the same patch as applied in unstable). Attached is the debdiff. Could I upload this to t-p-u?

Regards and thanks for your work!
Salvatore

diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog --- owncloud-4.0.4debian2/debian/changelog 2013-01-04 23:31:11.000000000 +0100 +++ owncloud-4.0.4debian2/debian/changelog 2013-02-02 23:55:58.000000000 +0100 @@ -1,3 +1,12 @@ +owncloud (4.0.4debian2-3.3) testing-proposed-updates; urgency=high + + * Non-maintainer upload. + * Add 12_oc-sa-2013-001.patch patch + [SECURITY] CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203: Fix multiple + XSS vulnerabilities. (Closes: #698737) + + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 02 Feb 2013 23:52:13 +0100 + owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high * Non-maintainer upload. diff -Nru owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch --- owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.4debian2/debian/patches/12_oc-sa-2013-001.patch 2013-02-02 23:55:58.000000000 +0100 
@@ -0,0 +1,86 @@ +Description: Fix multiple XSS vulnerabilities + - CVE-2013-0201 + - CVE-2013-0202 + - CVE-2013-0203 + . + See: http://owncloud.org/about/security/advisories/oC-SA-2013-001/ +Origin: upstream +Bug-Debian: http://bugs.debian.org/698737 +Author: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2013-01-24 + +--- a/apps/gallery/sharing.php ++++ b/apps/gallery/sharing.php +@@ -37,7 +37,7 @@ + <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script> + <script src="js/sharing.js" type="text/javascript"></script> + <script> +- var TOKEN = '<?php echo $_GET['token']; ?>'; ++ var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>'; + </script> + </head> + <body> +--- a/core/lostpassword/templates/resetpassword.php ++++ b/core/lostpassword/templates/resetpassword.php +@@ -1,4 +1,4 @@ +-<form action="<?php echo 'resetpassword.php?'.$_SERVER['QUERY_STRING']; ?>" method="post"> ++<form action="<?php echo 'resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token']); ?>" method="post"> + <fieldset> + <?php if($_['success']): ?> + <h1><?php echo $l->t('Your password was reset'); ?></h1> +--- a/lib/helper.php ++++ b/lib/helper.php +@@ -179,8 +179,9 @@ + $mimetype=$alias[$mimetype]; + // echo $mimetype; + } +- // Replace slash with a minus ++ // Replace slash and backslash with a minus + $mimetype = str_replace( "/", "-", $mimetype ); ++ $mimetype = str_replace( "\\", "-", $mimetype ); + + // Is it a dir? 
+ if( $mimetype == "dir" ){ +--- a/apps/files_sharing/ajax/share.php ++++ b/apps/files_sharing/ajax/share.php +@@ -25,7 +25,7 @@ + } + } catch (Exception $exception) { + OCP\Util::writeLog('files_sharing', 'Unexpected Error : '.$exception->getMessage(), OCP\Util::ERROR); +- OCP\JSON::error(array('data' => array('message' => $exception->getMessage()))); ++ OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage())))); + } + } else { + if ($file['encrypted'] == true) { +--- a/apps/bookmarks/js/bookmarks.js ++++ b/apps/bookmarks/js/bookmarks.js +@@ -158,9 +158,9 @@ + '</span> ' + + '</p>' + + '<p class="bookmark_title">'+ +- '<a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' + ++ '<a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' + + '</p>' + +- '<p class="bookmark_url"><a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.url) + '</a></p>' + ++ '<p class="bookmark_url"><a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeURI(bookmark.url) + '</a></p>' + + '</div>' + ); + if(taglist != '') { +@@ -198,4 +198,4 @@ + function hasProtocol(url) { + var regexp = /(ftp|http|https|sftp)/; + return regexp.test(url); +-} ++} +\ No newline at end of file +--- a/apps/calendar/js/calendar.js ++++ b/apps/calendar/js/calendar.js +@@ -718,7 +718,7 @@ + ' class="' + classes.join(' ') + '"' + + '>' + + '<span class="fc-event-title">' + +- event.title + ++ escapeHTML(event.title) + + '</span>' + + '</span>' + + '</td>' + diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series --- owncloud-4.0.4debian2/debian/patches/series 2013-01-04 23:28:29.000000000 +0100 +++ owncloud-4.0.4debian2/debian/patches/series 2013-02-02 23:55:58.000000000 +0100 
@@ -21,3 +21,4 @@ 09_oc-sa-2012-005.patch 10_oc-sa-2012-006.patch 11_oc-sa-2012-007.patch +12_oc-sa-2013-001.patch
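Review bot: the CVE identifiers in the new changelog entry (CVE-2012-0201, CVE-2012-0202 and CVE-2012-0203) do not match the ones in the patch header (CVE-2013-0201, CVE-2013-0202 and CVE-2013-0203) or the advisory name oC-SA-2013-001; one of the two is a typo, and since the changelog is what the security tracker and the BTS match against, it should be corrected before upload. The line "Add 12_oc-sa-2013-001.patch patch" also repeats the word patch.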
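Review bot: in the apps/gallery/sharing.php hunk, `var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';` applies HTML-entity encoding inside a JavaScript string literal, which is the wrong context: browsers do not decode entities inside <script>, so a token containing any character sanitizeHTML rewrites reaches the script mangled, and a literal backslash in the value is not escaped at all. Emit the value as JSON instead, e.g. `var TOKEN = <?php echo json_encode($_GET['token']); ?>;`, which escapes quotes, backslashes and the slash of a closing tag. The context line that loads jquery.min.js from ajax.googleapis.com (the "ick" in this thread) deserves its own bug: a third-party script on a sharing page is a supply-chain and privacy problem, and the Debian package should reference the packaged libjs-jquery copy.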
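Review bot: in the core/lostpassword/templates/resetpassword.php hunk, the new `action="resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token'])` HTML-escapes the two values but never URL-encodes them, so a user name containing & or = still splits the query string, and the literal & between the parameters should itself be &amp; inside the attribute. Apply rawurlencode() to each value, then htmlspecialchars() to the assembled string, and guard the $_GET lookups, which raise a notice when the parameter is absent. Rebuilding the URL from the two named parameters rather than echoing $_SERVER['QUERY_STRING'] is the right direction.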
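Review bot: in the lib/helper.php hunk, adding `$mimetype = str_replace( "\\", "-", $mimetype );` closes the obvious gap but still leaves a blacklist of two characters for a value that is later used in a lookup (the following `// Is it a dir?` suggests an icon or path lookup), and the hunk gives no guarantee the remaining characters are safe there. Prefer a whitelist such as `$mimetype = preg_replace('/[^A-Za-z0-9.+-]/', '-', $mimetype);`; at minimum merge the two calls into `str_replace(array('/', '\\'), '-', $mimetype)` so the comment and the code stay in one place.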
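Review bot: in the apps/files_sharing/ajax/share.php hunk, wrapping `$exception->getMessage()` in OC_Util::sanitizeHTML inside the JSON error payload escapes at the wrong layer: the client that renders the message owns the output context, so a client that already escapes on insertion will show &amp;-style double encoding, while one that uses innerHTML is only safe as long as every producer remembers this wrapper. Escape at the point of DOM insertion in the JavaScript instead, and consider returning a generic error string rather than the raw exception text, which can expose internal details to the caller.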
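Review bot: in the apps/bookmarks/js/bookmarks.js hunks, switching the href to `encodeURI(bookmark.url)` is better than entity encoding in that position, but encodeURI only percent-encodes characters outside the URI character set and leaves the scheme untouched, so it does not limit which schemes end up in href; that protection has to come from hasProtocol(), and its regexp in the second hunk, `/(ftp|http|https|sftp)/`, is unanchored and only tests for the substring anywhere in the string. Anchor it, e.g. `/^(https?|s?ftp):\/\//i`, and apply it before a bookmark is stored or rendered. Separately, the visible link text in the bookmark_url paragraph was changed from encodeEntities(bookmark.url) to encodeURI(bookmark.url); for text content entity encoding was the correct function, and percent-encoding will render spaces and non-ASCII characters as %XX sequences.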
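Review bot: in the apps/calendar/js/calendar.js hunk, `escapeHTML(event.title)` is the right treatment for a text node, but the hunk does not show where escapeHTML is defined or loaded for the calendar app; confirm it is in scope on every page that renders this template, since an undefined function here becomes a runtime error that blanks the calendar. The interpolation a few lines up, `' class="' + classes.join(' ') + '"'`, is attribute context and is left as is; check where classes originates.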
--- End Message ---
--- Begin Message ---
- To: Salvatore Bonaccorso <carnil@debian.org>, 699652-done@bugs.debian.org
- Subject: Re: Bug#699652: tpu: owncloud/4.0.4debian2-3.3
- From: Julien Cristau <jcristau@debian.org>
- Date: Mon, 4 Feb 2013 19:30:53 +0100
- Message-id: <20130204183053.GW8837@radis.cristau.org>
- In-reply-to: <20130203231551.GA706@elende>
- References: <20130202230539.6382.1875.reportbug@elende.valinor.li> <20130203225004.GT8837@radis.cristau.org> <20130203231551.GA706@elende>
On Mon, Feb 4, 2013 at 00:15:52 +0100, Salvatore Bonaccorso wrote:
> Thanks done!
> Approved.
> > > +--- a/apps/gallery/sharing.php
> > > ++++ b/apps/gallery/sharing.php
> > > +@@ -37,7 +37,7 @@
> > > + <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script>
> > >
> > ick.
>
> Indeed; have not checked in detail but does not seem to be reported to
> the BTS so far.

If that does end up in the binary packages, would you mind filing it?

Thanks,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---