
Bug#697414: tpu: owncloud/4.0.4debian2-3.2 (pre-approval)

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I'd like to see if it's feasible to upload a targeted fix to testing-proposed-updates
to address #696574.

This bug has been fixed in unstable already, but given it has a newer upstream
version, it's unlikely it will migrate, hence this request.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)

diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2012-12-05 22:12:11.000000000 +0100
+++ owncloud-4.0.4debian2/debian/changelog	2013-01-04 23:31:11.000000000 +0100
@@ -1,3 +1,14 @@
+owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Multiple security fixes (Closes: #696574):
+    + debian/patches/10_oc-sa-2012-006.patch:
+      - CVE-2012-5665: Auth bypass in user_webdavauth and user_ldap
+    + debian/patches/11_oc-sa-2012-007.patch:
+      - CVE-2012-5666: XSS vulnerability in bookmarks
+
+ -- Luca Falavigna <dktrkranz@debian.org>  Fri, 04 Jan 2013 23:30:46 +0100
+
 owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
 
   * Non-maintainer upload, fixes several security issues (Closes: #693990).
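Review bot: the changelog line for CVE-2012-5665 reads "Auth bypass in user_webdavauth and user_ldap", but 10_oc-sa-2012-006.patch as attached below touches apps/files_encryption/settings.php, apps/user_ldap/settings.php and apps/user_migrate/settings.php and nothing under user_webdavauth. Either the description or the patch is out of sync; suggest rewording the entry to name the three settings pages the patch actually guards, or adding the user_webdavauth hunk if it was dropped by mistake, so the changelog matches what ships.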
diff -Nru owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch
--- owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch	2013-01-04 23:28:29.000000000 +0100
@@ -0,0 +1,48 @@
+Index: owncloud-4.0.8debian/apps/files_encryption/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files_encryption/settings.php	2012-10-09 17:09:46.000000000 +0200
++++ owncloud-4.0.8debian/apps/files_encryption/settings.php	2012-12-25 16:29:57.110214044 +0100
+@@ -6,6 +6,8 @@
+  * See the COPYING-README file.
+  */
+ 
++OC_Util::checkAdminUser();
++
+ $tmpl = new OCP\Template( 'files_encryption', 'settings');
+ $blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg'));
+ $enabled=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true');
+Index: owncloud-4.0.8debian/apps/user_ldap/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/user_ldap/settings.php	2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/user_ldap/settings.php	2012-12-25 16:29:57.114214045 +0100
+@@ -20,6 +20,9 @@
+  * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+  *
+  */
++
++OC_Util::checkAdminUser();
++
+ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute');
+ 
+ OCP\Util::addscript('user_ldap', 'settings');
+Index: owncloud-4.0.8debian/apps/user_migrate/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/user_migrate/settings.php	2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/user_migrate/settings.php	2012-12-25 16:29:57.114214045 +0100
+@@ -22,6 +22,9 @@
+  * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+  *
+  */
++
++OC_Util::checkLoggedIn();
++
+ OCP\App::checkAppEnabled('user_migrate');
+ if (isset($_POST['user_import'])) {
+ 	$root = OC::$SERVERROOT . "/";
+@@ -86,4 +89,4 @@
+ 	// fill template
+ 	$tmpl = new OCP\Template('user_migrate', 'settings');
+ 	return $tmpl->fetchPage();
+-}
+\ No newline at end of file
++}
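Review bot: the new patch file carries no DEP-3 header (Description, Origin, Bug, Bug-Debian), and its Index:/--- lines point at owncloud-4.0.8debian while this upload is 4.0.4debian2, so it was evidently lifted from the newer package; please confirm it applies cleanly to the 4.0.4 tree (quilt push -a, or a dpkg-source -b round trip) and record its origin in the header. Two smaller points: apps/user_migrate/settings.php only gets OC_Util::checkLoggedIn() while the other two settings pages get OC_Util::checkAdminUser(); if that is deliberate it deserves a sentence in the patch header. And the hunk "@@ -86,4 +89,4 @@" only replaces a trailing "}" to add a newline at end of file, which is cosmetic and makes a security patch noisier than it needs to be.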
diff -Nru owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch
--- owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch	2013-01-04 23:28:29.000000000 +0100
@@ -0,0 +1,13 @@
+Index: owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/bookmarks/js/bookmarks.js	2012-10-09 17:10:37.000000000 +0200
++++ owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js	2012-12-25 16:25:21.050223382 +0100
+@@ -141,7 +141,7 @@
+ 	var taglist = '';
+ 	for ( var i=0, len=tags.length; i<len; ++i ){
+ 		if(tags[i] != '')
+-			taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString( String(window.location), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> ';
++			taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString(escapeHTML(String(window.location)), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> ';
+ 	}
+ 	if(!hasProtocol(bookmark.url)) {
+ 		bookmark.url = 'http://' + bookmark.url;
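Review bot: the change escapes only the URL base passed to replaceQueryString(); on the same line tags[i] is still concatenated raw into the anchor text ('">' + tags[i] + '</a> ') and is only URL-encoded for the href. If tag names are not already escaped before they reach this function, the link text remains an HTML injection point; suggest wrapping that occurrence in escapeHTML() as well, or stating in the patch header where the escaping of tag names happens. Also worth confirming that escapeHTML() is defined in the core JS shipped with 4.0.4debian2, since the patch comes from the 4.0.8 tree; an undefined function here would throw and break tag rendering rather than fall back to the unescaped behaviour.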
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series	2012-12-04 22:43:34.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/series	2013-01-04 23:28:29.000000000 +0100
@@ -19,3 +19,5 @@
 07_oc-sa-2012-002.patch
 08_oc-sa-2012-004.patch
 09_oc-sa-2012-005.patch
+10_oc-sa-2012-006.patch
+11_oc-sa-2012-007.patch