
Bug#781274: marked as done (pu: package owncloud/7.0.4+dfsg-4)



Your message dated Sat, 02 May 2015 12:27:36 +0100
with message-id <e5e99ad7159644ed6076f1a975d8294b@mowgli.jungle.funky-badger.org>
and subject line Re: Bug#781274: unblock: owncloud/7.0.4+dfsg-4
has caused the Debian Bug report #781274,
regarding pu: package owncloud/7.0.4+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781274
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please pre-approve an unblock for the owncloud package

It cherry-picks three security fixes from the recently released 7.0.5
version (already in experimental):

owncloud (7.0.4+dfsg-3) unstable; urgency=medium

  * Add gbp config file to follow the jessie branch
  * Backport security fixes from 7.0.5:
    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
    - Bypass of file blacklist [OC-SA-2015-004]
  * Run upgrade script with sudo as www-data user
  * Depend on php5-cli (it is actually used in postinst)

 -- David Prévot <taffit@debian.org>  Wed, 25 Mar 2015 16:20:32 -0400

I’d also like to shim in two other small changes:
- the upgrade script should be run as the same user as the installed
  data, i.e., www-data by default, instead of root: this recommendation
  has recently been enforced upstream since the upgrade process may
  touch data files on top of the potential database changes;
- since the php CLI is called during postinst, php5-cli should be a
  dependency instead of a recommendation (the README.Debian change just
  drops the now useless explanation why php5-cli was recommended).

The attached debdiff strips away the webodf.js changes from the
cherry-picked commit from upstream: this minified JavaScript file is
anyway regenerated at build time and is thus not the file included in
the actual binary package.

unblock owncloud/7.0.4+dfsg-3

Thanks in advance

Regards

David
diff --git a/debian/README.Debian b/debian/README.Debian
index 72af84d..10f60aa 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -84,8 +84,6 @@ Some apps, not enabled by default, need the following dependencies:
 Improve performance:		php5-apcu | php5-xcache
 				php5-intl (language translation)
 
-Command line interface:		php5-cli
-
 Suggested packages
 ~~~~~~~~~~~~~~~~~~
 
diff --git a/debian/changelog b/debian/changelog
index 61c2c40..ee5fd9f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+owncloud (7.0.4+dfsg-3) unstable; urgency=medium
+
+  * Add gbp config file to follow the jessie branch
+  * Backport security fixes from 7.0.5:
+    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
+    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
+    - Bypass of file blacklist [OC-SA-2015-004]
+  * Run upgrade script with sudo as www-data user
+  * Depend on php5-cli (it is actually used in postinst)
+
+ -- David Prévot <taffit@debian.org>  Wed, 25 Mar 2015 16:20:32 -0400
+
 owncloud (7.0.4+dfsg-2) unstable; urgency=medium
 
   * Upload to unstable as agreed with the release team
diff --git a/debian/control b/debian/control
index 193fed7..8b79bb2 100644
--- a/debian/control
+++ b/debian/control
@@ -44,9 +44,11 @@ Depends: apache2 | httpd,
          php-symfony-console,
          php-symfony-routing,
          php5 (>= 5.3.8),
+         php5-cli,
          php5-gd,
          php5-json,
          php5-mysql | php5-pgsql | php5-sqlite,
+         sudo,
          zendframework,
          ${misc:Depends}
 Recommends: exim4 | mail-transport-agent,
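Review bot: adding `sudo` to Depends turns a non-essential package into a hard dependency of owncloud only so that postinst can drop privileges for a single command; `su -s /bin/sh www-data -c 'occ upgrade'` (su ships in the essential login package) or `runuser` would give the same effect without widening the dependency set. Promoting `php5-cli` to Depends is correct, since postinst does invoke the CLI.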
@@ -55,7 +57,6 @@ Recommends: exim4 | mail-transport-agent,
             php-dropbox,
             php-google-api-php-client (<< 1),
             php5-apcu | php5-xcache,
-            php5-cli,
             php5-curl,
             php5-intl,
             php5-ldap,
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..4e78e26
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = jessie
+upstream-branch = upstream-jessie
diff --git a/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch
new file mode 100644
index 0000000..537fa3f
--- /dev/null
+++ b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch
@@ -0,0 +1,31 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 6 Feb 2015 15:12:43 +0100
+Subject: Fix encoding in 3rdparty lib
+
+Origin: upstream, https://github.com/owncloud/contacts/commit/72dcf24061b9639be75851e3746950b61495bc8f
+---
+ apps/contacts/js/contacts.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
+index be551c9..f5d8879 100644
+--- a/apps/contacts/js/contacts.js
++++ b/apps/contacts/js/contacts.js
+@@ -1089,7 +1089,7 @@ OC.Contacts = OC.Contacts || {};
+ 		this.$fullelem.find('.groupscontainer').show();
+ 		//this.$groupSelect.find('option').remove();
+ 		$.each(availableGroups, function(idx, group) {
+-			var $option = $('<option value="' + group.id + '">' + group.name + '</option>');
++			var $option = $('<option value="' + group.id + '">' + escapeHTML(group.name) + '</option>');
+ 			if(self.inGroup(group.name)) {
+ 				$option.attr('selected', 'selected');
+ 			}
+@@ -1575,7 +1575,7 @@ OC.Contacts = OC.Contacts || {};
+ 						var input = $editor.find('input').first();
+ 						var params = self.parametersFor(input, true);
+ 						$(this).find('.meta').html(params.TYPE.join('/'));
+-						$(this).find('.adr').html(self.valueFor($editor.find('input').first()).clean('').join(', '));
++						$(this).find('.adr').text(self.valueFor($editor.find('input').first()).clean('').join(', '));
+ 						$(this).next('.listactions').css('display', 'inline-block');
+ 						$('body').unbind('click', bodyListener);
+ 					});
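Review bot: the escaping in the first hunk is incomplete: `escapeHTML(group.name)` covers the option text, but `group.id` is still concatenated unescaped into the `value` attribute on the same line; unless ids are guaranteed numeric it should be wrapped the same way. In the second hunk, `.html(params.TYPE.join('/'))` on the `.meta` element one line above the `.text()` fix still inserts the type values as HTML; switching it to `.text()` as well would be consistent with the fix.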
diff --git a/debian/patches/0011-Apply-some-upstream-patches.patch b/debian/patches/0011-Apply-some-upstream-patches.patch
new file mode 100644
index 0000000..f9540a4
--- /dev/null
+++ b/debian/patches/0011-Apply-some-upstream-patches.patch
@@ -0,0 +1,1745 @@
+From: Victor Dubiniuk <victor.dubiniuk@gmail.com>
+Date: Mon, 26 Jan 2015 23:51:28 +0300
+Subject: Apply some upstream patches
+
+Origin: upstream, https://github.com/owncloud/documents/commit/f67a6b11fe97afda9d906e7cfcb8736952b527d3
+---
+ .../3rdparty/webodf/editor/widgets/fontPicker.js   |    9 +-
+ .../webodf/editor/widgets/paragraphStyles.js       |   11 +-
+ apps/documents/js/3rdparty/webodf/webodf-debug.js  |    8 +-
+ apps/documents/js/3rdparty/webodf/webodf.js        | 1036 ++++++++++----------
+ 4 files changed, 536 insertions(+), 528 deletions(-)
+
+diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
+index 039c21b..372df25 100644
+--- a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js
+@@ -36,9 +36,10 @@
+  */
+ /*global define,require,document */
+ define("webodf/editor/widgets/fontPicker", [
+-    "dijit/form/Select"],
++    "dijit/form/Select",
++    "dojox/html/entities"],
+ 
+-    function (Select) {
++    function (Select, htmlEntities) {
+         "use strict";
+ 
+         /**
+@@ -101,7 +102,7 @@ define("webodf/editor/widgets/fontPicker", [
+                     name = documentFonts[i].name;
+                     family = documentFonts[i].family || name;
+                     selectionList.push({
+-                        label: '<span style="font-family: ' + family + ';">' + name + '</span>',
++                        label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name) + '</span>',
+                         value: name
+                     });
+                 }
+@@ -114,7 +115,7 @@ define("webodf/editor/widgets/fontPicker", [
+                 // Lastly populate the fonts provided by the editor
+                 for (i = 0; i < editorFonts.length; i += 1) {
+                     selectionList.push({
+-                        label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>',
++                        label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>',
+                         value: editorFonts[i]
+                     });
+                 }
+diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
+index 57acaac..0e1acec 100644
+--- a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
+@@ -39,9 +39,12 @@
+ /*global define,require */
+ 
+ define("webodf/editor/widgets/paragraphStyles",
+-       ["webodf/editor/EditorSession"],
++       [
++           "dojox/html/entities",
++           "webodf/editor/EditorSession"
++       ],
+ 
+-    function (EditorSession) {
++    function (htmlEntities, EditorSession) {
+     "use strict";
+     /**
+      * @constructor
+@@ -99,7 +102,7 @@ define("webodf/editor/widgets/paragraphStyles",
+ 
+             for (i = 0; i < availableStyles.length; i += 1) {
+                 selectionList.push({
+-                    label: availableStyles[i].displayName,
++                    label: htmlEntities.encode(availableStyles[i].displayName),
+                     value: availableStyles[i].name
+                 });
+             }
+@@ -120,7 +123,7 @@ define("webodf/editor/widgets/paragraphStyles",
+             if (select) {
+                 select.addOption({
+                     value: styleInfo.name,
+-                    label: newStyleElement.getAttributeNS(stylens, 'display-name')
++                    label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name'))
+                 });
+             }
+ 
+diff --git a/apps/documents/js/3rdparty/webodf/webodf-debug.js b/apps/documents/js/3rdparty/webodf/webodf-debug.js
+index ee718ae..a890800 100644
+--- a/apps/documents/js/3rdparty/webodf/webodf-debug.js
++++ b/apps/documents/js/3rdparty/webodf/webodf-debug.js
+@@ -1,4 +1,4 @@
+-var webodf_version = "0.4.2-2050-g8d8fc02";
++var webodf_version = "0.4.2-2050-g8d8fc02-dirty";
+ function Runtime() {
+ }
+ Runtime.prototype.getVariable = function(name) {
+@@ -13549,7 +13549,11 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getRootNode) {
+         bookmarks[0].scrollIntoView(true)
+       }
+     }else {
+-      runtime.getWindow().open(url)
++      if(/^\s*(javascript|data):/.test(url)) {
++        runtime.log("WARN:", "potentially malicious URL ignored")
++      }else {
++        runtime.getWindow().open(url)
++      }
+     }
+     if(e.preventDefault) {
+       e.preventDefault()
+diff --git a/apps/documents/js/3rdparty/webodf/webodf.js b/apps/documents/js/3rdparty/webodf/webodf.js
+index 40d0bda..bf9a4c5 100644
+--- a/apps/documents/js/3rdparty/webodf/webodf.js
++++ b/apps/documents/js/3rdparty/webodf/webodf.js
+@@ -1,57 +1,57 @@
+ // Input 0
+-var webodf_version="0.4.2-2050-g8d8fc02";
++var webodf_version="0.4.2-2050-g8d8fc02-dirty";
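Review bot: the HyperlinkClickHandler guard `/^\s*(javascript|data):/` is a denylist and has no `i` flag, whereas browsers match URL schemes case-insensitively, so it does not cover every spelling of the schemes it names; an allowlist of the schemes the editor expects to open (http, https, mailto and relative links), matched case-insensitively, is the robust form. The `webodf_version` bump to `-dirty` in webodf-debug.js and webodf.js is cosmetic, and as the cover letter notes the minified webodf.js is regenerated at build time anyway.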

[ Over 1500 useless lines stripped ]

diff --git a/debian/patches/0012-Normalize-before-processing.patch b/debian/patches/0012-Normalize-before-processing.patch
new file mode 100644
index 0000000..0269cba
--- /dev/null
+++ b/debian/patches/0012-Normalize-before-processing.patch
@@ -0,0 +1,73 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 6 Feb 2015 15:09:31 +0100
+Subject: Normalize before processing
+
+Conflicts:
+	tests/lib/files/filesystem.php
+	tests/lib/files/mapper.php
+
+Origin: upstream, https://github.com/owncloud/core/commit/cbf8dd439c5e56a56511e39180d014ce2ecd5221
+---
+ lib/private/files/filesystem.php | 9 +++++----
+ lib/private/files/mapper.php     | 6 +++++-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 1ebc790..492d9f1 100644
+--- a/lib/private/files/filesystem.php
++++ b/lib/private/files/filesystem.php
+@@ -524,9 +524,10 @@ class Filesystem {
+ 	 * @return bool
+ 	 */
+ 	static public function isFileBlacklisted($filename) {
++		$filename = self::normalizePath($filename);
+ 		$blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess'));
+ 		$filename = strtolower(basename($filename));
+-		return (in_array($filename, $blacklist));
++		return in_array($filename, $blacklist);
+ 	}
+ 
+ 	/**
+@@ -700,6 +701,9 @@ class Filesystem {
+ 			return '/';
+ 		}
+ 
++		//normalize unicode if possible
++		$path = \OC_Util::normalizeUnicode($path);
++
+ 		//no windows style slashes
+ 		$path = str_replace('\\', '/', $path);
+ 
+@@ -736,9 +740,6 @@ class Filesystem {
+ 			$path = substr($path, 0, -2);
+ 		}
+ 
+-		//normalize unicode if possible
+-		$path = \OC_Util::normalizeUnicode($path);
+-
+ 		return $windows_drive_letter . $path;
+ 	}
+ 
+diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php
+index 5e78ef0..a950d78 100644
+--- a/lib/private/files/mapper.php
++++ b/lib/private/files/mapper.php
+@@ -253,13 +253,17 @@ class Mapper
+ 		// trim ending dots (for security reasons and win compatibility)
+ 		$text = preg_replace('~\.+$~', '', $text);
+ 
+-		if (empty($text)) {
++		if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) {
+ 			/**
+ 			 * Item slug would be empty. Previously we used uniqid() here.
+ 			 * However this means that the behaviour is not reproducible, so
+ 			 * when uploading files into a "empty" folder, the folders name is
+ 			 * different.
+ 			 *
++			 * The other case is, that the slugified name would be a blacklisted
++			 * filename. In this case we just use the same workaround by
++			 * returning the secure md5 hash of the original name.
++			 *
+ 			 * If there would be a md5() hash collision, the deduplicate check
+ 			 * will spot this and append an index later, so this should not be
+ 			 * a problem.
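Review bot: in `isFileBlacklisted` the filename is lowercased, but the `blacklisted_files` entries read from config are compared as-is by `in_array`, so a configured entry with upper-case letters never matches; lowercasing the configured values (`array_map('strtolower', $blacklist)`) and passing `true` for strict comparison would close that gap. Moving `normalizeUnicode` to the top of `normalizePath`, before the slash and trailing-dot handling, is the right ordering for the blacklist bypass this patch addresses. In mapper.php the new comment calls the fallback "the secure md5 hash"; md5 only provides a reproducible slug here, so the wording should not suggest a security property.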
diff --git a/debian/patches/series b/debian/patches/series
index 230b514..ab6e650 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,6 @@ path/0006-Adapt-Crypt_Blowfish-path.patch
 path/0007-Adapt-aws-sdk-path.patch
 path/0008-Adapt-google-api-php-client-path.patch
 path/0009-Adapt-Dropbox-path.patch
+0010-Fix-encoding-in-3rdparty-lib.patch
+0011-Apply-some-upstream-patches.patch
+0012-Normalize-before-processing.patch
diff --git a/debian/postinst b/debian/postinst
index f356c8d..a554ebd 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -51,7 +51,7 @@ case "$1" in
 	# Update the database on upgrade
 	# Don’t let it fail, since it exits with 3 if no upgrade is necessary
 	if [ -e /etc/owncloud/config.php ] ; then
-		occ upgrade || true
+		sudo -u www-data occ upgrade || true
 	fi
     ;;
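Review bot: `|| true` silences every failure of `occ upgrade`, not only the exit status 3 that the comment above says is expected when no upgrade is needed, so a genuinely failed database migration now passes postinst without a trace. Capture the status and tolerate only 3, e.g. `sudo -u www-data occ upgrade; rc=$?; [ "$rc" -eq 0 ] || [ "$rc" -eq 3 ] || exit "$rc"`. Since the command now runs unprivileged, www-data must also be able to read /etc/owncloud/config.php and the data directory, which is worth checking on the upgrade path.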
 

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On 2015-04-25 17:52, Adam D. Barratt wrote:
On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
[...]
Adding the security team in the loop for advice: what is the way to move
forward now? (Will the pending unblock requests be processed and I
shouldn’t worry, will the issues warrant a DSA and should I prepare it,
should we rather make a pu request, something else?)

The unblock has semi-automagically (via a device named a jmw) been
converted to a p-u request, but I'd still appreciate the security team's
input on this.

None of CVE-2015-301[123] currently have "no-dsa" markers on the
security tracker so it's quite possible that a DSA would be appropriate.

Indeed that happened as DSA-3244-1, so closing this.

Regards,

Adam

--- End Message ---
