Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please pre-approve an unblock for the owncloud package
It cherry-picks three security fixes from the recently released 7.0.5
version (already in experimental):
owncloud (7.0.4+dfsg-3) unstable; urgency=medium

  * Add gbp config file to follow the jessie branch
  * Backport security fixes from 7.0.5:
    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
    - Bypass of file blacklist [OC-SA-2015-004]
  * Run upgrade script with sudo as www-data user
  * Depend on php5-cli (it is actually used in postinst)

 -- David Prévot <taffit@debian.org>  Wed, 25 Mar 2015 16:20:32 -0400
I’d also like to shim in two other small changes:
- the upgrade script should be run as the same user as the installed
data, i.e., www-data by default, instead of root: this recommendation
has recently been enforced upstream since the upgrade process may
touch data files on top of the potential database changes;
- since the php CLI is called during postinst, php5-cli should be a
dependency instead of a recommendation (the README.Debian change just
drops the now useless explanation why php5-cli was recommended).
The attached debdiff strips away the webodf.js changes from the
cherry-picked commit from upstream: this minified JavaScript file is
anyway regenerated at build time and is thus not the file included in
the actual binary package.
unblock owncloud/7.0.4+dfsg-3
Thanks in advance
Regards
David
diff --git a/debian/README.Debian b/debian/README.Debian
index 72af84d..10f60aa 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -84,8 +84,6 @@ Some apps, not enabled by default, need the following dependencies:
Improve performance: php5-apcu | php5-xcache
php5-intl (language translation)
-Command line interface: php5-cli
-
Suggested packages
~~~~~~~~~~~~~~~~~~
diff --git a/debian/changelog b/debian/changelog
index 61c2c40..ee5fd9f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+owncloud (7.0.4+dfsg-3) unstable; urgency=medium
+
+ * Add gbp config file to follow the jessie branch
+ * Backport security fixes from 7.0.5:
+ - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
+ - Multiple stored XSS in "documents" application [OC-SA-2015-002]
+ - Bypass of file blacklist [OC-SA-2015-004]
+ * Run upgrade script with sudo as www-data user
+ * Depend on php5-cli (it is actually used in postinst)
+
+ -- David Prévot <taffit@debian.org> Wed, 25 Mar 2015 16:20:32 -0400
+
owncloud (7.0.4+dfsg-2) unstable; urgency=medium
* Upload to unstable as agreed with the release team
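Review bot: the changelog cites the backported fixes by upstream advisory id only (OC-SA-2015-001, -002, -004); if CVE ids have been assigned for them, list those alongside so the Debian security tracker can match the entry. The gap between -002 and -004 also invites the question whether OC-SA-2015-003 affects 7.0.4 at all; one line saying so, here or in the unblock mail, would spare the release team having to ask.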
diff --git a/debian/control b/debian/control
index 193fed7..8b79bb2 100644
--- a/debian/control
+++ b/debian/control
@@ -44,9 +44,11 @@ Depends: apache2 | httpd,
php-symfony-console,
php-symfony-routing,
php5 (>= 5.3.8),
+ php5-cli,
php5-gd,
php5-json,
php5-mysql | php5-pgsql | php5-sqlite,
+ sudo,
zendframework,
${misc:Depends}
Recommends: exim4 | mail-transport-agent,
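Review bot: sudo becomes a hard Depends solely so postinst can drop privileges for `occ upgrade`. Since the maintainer script already runs as root, `su -s /bin/sh www-data -c 'occ upgrade'` (su ships in the essential login package) achieves the same without pulling sudo onto every host that installs owncloud; if sudo is kept on purpose, say so in the changelog. Moving php5-cli into Depends is consistent with its use in postinst.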
@@ -55,7 +57,6 @@ Recommends: exim4 | mail-transport-agent,
php-dropbox,
php-google-api-php-client (<< 1),
php5-apcu | php5-xcache,
- php5-cli,
php5-curl,
php5-intl,
php5-ldap,
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..4e78e26
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = jessie
+upstream-branch = upstream-jessie
diff --git a/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch
new file mode 100644
index 0000000..537fa3f
--- /dev/null
+++ b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch
@@ -0,0 +1,31 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 6 Feb 2015 15:12:43 +0100
+Subject: Fix encoding in 3rdparty lib
+
+Origin: upstream, https://github.com/owncloud/contacts/commit/72dcf24061b9639be75851e3746950b61495bc8f
+---
+ apps/contacts/js/contacts.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
+index be551c9..f5d8879 100644
+--- a/apps/contacts/js/contacts.js
++++ b/apps/contacts/js/contacts.js
+@@ -1089,7 +1089,7 @@ OC.Contacts = OC.Contacts || {};
+ this.$fullelem.find('.groupscontainer').show();
+ //this.$groupSelect.find('option').remove();
+ $.each(availableGroups, function(idx, group) {
+- var $option = $('<option value="' + group.id + '">' + group.name + '</option>');
++ var $option = $('<option value="' + group.id + '">' + escapeHTML(group.name) + '</option>');
+ if(self.inGroup(group.name)) {
+ $option.attr('selected', 'selected');
+ }
+@@ -1575,7 +1575,7 @@ OC.Contacts = OC.Contacts || {};
+ var input = $editor.find('input').first();
+ var params = self.parametersFor(input, true);
+ $(this).find('.meta').html(params.TYPE.join('/'));
+- $(this).find('.adr').html(self.valueFor($editor.find('input').first()).clean('').join(', '));
++ $(this).find('.adr').text(self.valueFor($editor.find('input').first()).clean('').join(', '));
+ $(this).next('.listactions').css('display', 'inline-block');
+ $('body').unbind('click', bodyListener);
+ });
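Review bot: the patch header carries an Origin but no reference to the advisory it backports (OC-SA-2015-001 according to the changelog); a `Bug:` or description line naming that id keeps the quilt series traceable. In the first hunk only `group.name` is passed through `escapeHTML` while `group.id` is still concatenated raw into the `value` attribute; that is fine if ids are always server-assigned integers, but the upstream commit does not say so, and it is worth confirming.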
diff --git a/debian/patches/0011-Apply-some-upstream-patches.patch b/debian/patches/0011-Apply-some-upstream-patches.patch
new file mode 100644
index 0000000..f9540a4
--- /dev/null
+++ b/debian/patches/0011-Apply-some-upstream-patches.patch
@@ -0,0 +1,1745 @@
+From: Victor Dubiniuk <victor.dubiniuk@gmail.com>
+Date: Mon, 26 Jan 2015 23:51:28 +0300
+Subject: Apply some upstream patches
+
+Origin: upstream, https://github.com/owncloud/documents/commit/f67a6b11fe97afda9d906e7cfcb8736952b527d3
+---
+ .../3rdparty/webodf/editor/widgets/fontPicker.js | 9 +-
+ .../webodf/editor/widgets/paragraphStyles.js | 11 +-
+ apps/documents/js/3rdparty/webodf/webodf-debug.js | 8 +-
+ apps/documents/js/3rdparty/webodf/webodf.js | 1036 ++++++++++----------
+ 4 files changed, 536 insertions(+), 528 deletions(-)
+
+diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
+index 039c21b..372df25 100644
+--- a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
+@@ -36,9 +36,10 @@
+ */
+ /*global define,require,document */
+ define("webodf/editor/widgets/fontPicker", [
+- "dijit/form/Select"],
++ "dijit/form/Select",
++ "dojox/html/entities"],
+
+- function (Select) {
++ function (Select, htmlEntities) {
+ "use strict";
+
+ /**
+@@ -101,7 +102,7 @@ define("webodf/editor/widgets/fontPicker", [
+ name = documentFonts[i].name;
+ family = documentFonts[i].family || name;
+ selectionList.push({
+- label: '<span style="font-family: ' + family + ';">' + name + '</span>',
++ label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name) + '</span>',
+ value: name
+ });
+ }
+@@ -114,7 +115,7 @@ define("webodf/editor/widgets/fontPicker", [
+ // Lastly populate the fonts provided by the editor
+ for (i = 0; i < editorFonts.length; i += 1) {
+ selectionList.push({
+- label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>',
++ label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>',
+ value: editorFonts[i]
+ });
+ }
+diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
+index 57acaac..0e1acec 100644
+--- a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
+@@ -39,9 +39,12 @@
+ /*global define,require */
+
+ define("webodf/editor/widgets/paragraphStyles",
+- ["webodf/editor/EditorSession"],
++ [
++ "dojox/html/entities",
++ "webodf/editor/EditorSession"
++ ],
+
+- function (EditorSession) {
++ function (htmlEntities, EditorSession) {
+ "use strict";
+ /**
+ * @constructor
+@@ -99,7 +102,7 @@ define("webodf/editor/widgets/paragraphStyles",
+
+ for (i = 0; i < availableStyles.length; i += 1) {
+ selectionList.push({
+- label: availableStyles[i].displayName,
++ label: htmlEntities.encode(availableStyles[i].displayName),
+ value: availableStyles[i].name
+ });
+ }
+@@ -120,7 +123,7 @@ define("webodf/editor/widgets/paragraphStyles",
+ if (select) {
+ select.addOption({
+ value: styleInfo.name,
+- label: newStyleElement.getAttributeNS(stylens, 'display-name')
++ label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name'))
+ });
+ }
+
+diff --git a/apps/documents/js/3rdparty/webodf/webodf-debug.js b/apps/documents/js/3rdparty/webodf/webodf-debug.js
+index ee718ae..a890800 100644
+--- a/apps/documents/js/3rdparty/webodf/webodf-debug.js
++++ b/apps/documents/js/3rdparty/webodf/webodf-debug.js
+@@ -1,4 +1,4 @@
+-var webodf_version = "0.4.2-2050-g8d8fc02";
++var webodf_version = "0.4.2-2050-g8d8fc02-dirty";
+ function Runtime() {
+ }
+ Runtime.prototype.getVariable = function(name) {
+@@ -13549,7 +13549,11 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getRootNode) {
+ bookmarks[0].scrollIntoView(true)
+ }
+ }else {
+- runtime.getWindow().open(url)
++ if(/^\s*(javascript|data):/.test(url)) {
++ runtime.log("WARN:", "potentially malicious URL ignored")
++ }else {
++ runtime.getWindow().open(url)
++ }
+ }
+ if(e.preventDefault) {
+ e.preventDefault()
+diff --git a/apps/documents/js/3rdparty/webodf/webodf.js b/apps/documents/js/3rdparty/webodf/webodf.js
+index 40d0bda..bf9a4c5 100644
+--- a/apps/documents/js/3rdparty/webodf/webodf.js
++++ b/apps/documents/js/3rdparty/webodf/webodf.js
+@@ -1,57 +1,57 @@
+ // Input 0
+-var webodf_version="0.4.2-2050-g8d8fc02";
++var webodf_version="0.4.2-2050-g8d8fc02-dirty";
[ Over 1500 useless lines stripped ]
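Review bot: in the webodf-debug.js hunk the new guard `/^\s*(javascript|data):/.test(url)` is case-sensitive while URL scheme names are not (RFC 3986), so mixed-case spellings of the same schemes are not caught; add the `i` flag, or better, accept only the schemes a document link should carry (http, https, mailto) rather than denying two. Separately, the diffstat still lists webodf.js with 1036 changed lines: if that minified file is regenerated at build time as the cover mail says, dropping it from the quilt patch itself, not just from the mailed debdiff, keeps the patch reviewable and stops it going stale.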
diff --git a/debian/patches/0012-Normalize-before-processing.patch b/debian/patches/0012-Normalize-before-processing.patch
new file mode 100644
index 0000000..0269cba
--- /dev/null
+++ b/debian/patches/0012-Normalize-before-processing.patch
@@ -0,0 +1,73 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 6 Feb 2015 15:09:31 +0100
+Subject: Normalize before processing
+
+Conflicts:
+ tests/lib/files/filesystem.php
+ tests/lib/files/mapper.php
+
+Origin: upstream, https://github.com/owncloud/core/commit/cbf8dd439c5e56a56511e39180d014ce2ecd5221
+---
+ lib/private/files/filesystem.php | 9 +++++----
+ lib/private/files/mapper.php | 6 +++++-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 1ebc790..492d9f1 100644
+--- a/lib/private/files/filesystem.php
++++ b/lib/private/files/filesystem.php
+@@ -524,9 +524,10 @@ class Filesystem {
+ * @return bool
+ */
+ static public function isFileBlacklisted($filename) {
++ $filename = self::normalizePath($filename);
+ $blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess'));
+ $filename = strtolower(basename($filename));
+- return (in_array($filename, $blacklist));
++ return in_array($filename, $blacklist);
+ }
+
+ /**
+@@ -700,6 +701,9 @@ class Filesystem {
+ return '/';
+ }
+
++ //normalize unicode if possible
++ $path = \OC_Util::normalizeUnicode($path);
++
+ //no windows style slashes
+ $path = str_replace('\\', '/', $path);
+
+@@ -736,9 +740,6 @@ class Filesystem {
+ $path = substr($path, 0, -2);
+ }
+
+- //normalize unicode if possible
+- $path = \OC_Util::normalizeUnicode($path);
+-
+ return $windows_drive_letter . $path;
+ }
+
+diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php
+index 5e78ef0..a950d78 100644
+--- a/lib/private/files/mapper.php
++++ b/lib/private/files/mapper.php
+@@ -253,13 +253,17 @@ class Mapper
+ // trim ending dots (for security reasons and win compatibility)
+ $text = preg_replace('~\.+$~', '', $text);
+
+- if (empty($text)) {
++ if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) {
+ /**
+ * Item slug would be empty. Previously we used uniqid() here.
+ * However this means that the behaviour is not reproducible, so
+ * when uploading files into a "empty" folder, the folders name is
+ * different.
+ *
++ * The other case is, that the slugified name would be a blacklisted
++ * filename. In this case we just use the same workaround by
++ * returning the secure md5 hash of the original name.
++ *
+ * If there would be a md5() hash collision, the deduplicate check
+ * will spot this and append an index later, so this should not be
+ * a problem.
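Review bot: in `isFileBlacklisted` the candidate is lowercased (`strtolower(basename($filename))`) but the `blacklisted_files` entries read from config are compared exactly as configured, so an admin-supplied entry containing an uppercase letter can never match; lowercasing the list as well (`array_map('strtolower', $blacklist)`) makes the comparison symmetric. The `Conflicts:` lines and the diffstat show that the upstream changes to tests/lib/files/filesystem.php and mapper.php were dropped from the backport; carrying at least the blacklist and normalizePath cases would let the build catch a regression in the reordered unicode normalization.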
diff --git a/debian/patches/series b/debian/patches/series
index 230b514..ab6e650 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,6 @@ path/0006-Adapt-Crypt_Blowfish-path.patch
path/0007-Adapt-aws-sdk-path.patch
path/0008-Adapt-google-api-php-client-path.patch
path/0009-Adapt-Dropbox-path.patch
+0010-Fix-encoding-in-3rdparty-lib.patch
+0011-Apply-some-upstream-patches.patch
+0012-Normalize-before-processing.patch
diff --git a/debian/postinst b/debian/postinst
index f356c8d..a554ebd 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -51,7 +51,7 @@ case "$1" in
# Update the database on upgrade
# Don’t let it fail, since it exits with 3 if no upgrade is necessary
if [ -e /etc/owncloud/config.php ] ; then
- occ upgrade || true
+ sudo -u www-data occ upgrade || true
fi
;;
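Review bot: `|| true` still swallows every failure of `occ upgrade`, not only the exit status 3 the comment above describes; capturing the status and treating only 0 and 3 as success, with at least a warning for anything else, would stop a broken database upgrade passing silently. Note also that on Debian sudo applies its `secure_path` when resolving `occ`, so if the command is not installed in one of those directories the call needs its full path.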