Your message dated Sat, 02 May 2015 12:27:36 +0100
with message-id <e5e99ad7159644ed6076f1a975d8294b@mowgli.jungle.funky-badger.org>
and subject line Re: Bug#781274: unblock: owncloud/7.0.4+dfsg-4
has caused the Debian Bug report #781274,
regarding pu: package owncloud/7.0.4+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
781274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781274
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: (pre-approval) unblock: owncloud/7.0.4+dfsg-3
- From: David Prévot <taffit@debian.org>
- Date: Thu, 26 Mar 2015 15:26:37 -0400
- Message-id: <20150326192637.GA30163@mikado.tilapin.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please pre-approve an unblock for the owncloud package. It cherry-picks
three security fixes from the recently released 7.0.5 version (already in
experimental):

owncloud (7.0.4+dfsg-3) unstable; urgency=medium

  * Add gbp config file to follow the jessie branch
  * Backport security fixes from 7.0.5:
    - Multiple stored XSS in "contacts" application [OC-SA-2015-001]
    - Multiple stored XSS in "documents" application [OC-SA-2015-002]
    - Bypass of file blacklist [OC-SA-2015-004]
  * Run upgrade script with sudo as www-data user
  * Depend on php5-cli (it is actually used in postinst)

 -- David Prévot <taffit@debian.org>  Wed, 25 Mar 2015 16:20:32 -0400

I’d also like to shim in two other small changes:

- the upgrade script should be run as the same user as the installed data,
  i.e., www-data by default, instead of root: this recommendation has
  recently been enforced upstream since the upgrade process may touch data
  files on top of the potential database changes;
- since the php CLI is called during postinst, php5-cli should be a
  dependency instead of a recommendation (the README.Debian change just
  drops the now useless explanation why php5-cli was recommended).

The attached debdiff strips away the webodf.js changes from the
cherry-picked commit from upstream: this minified JavaScript file is
anyway regenerated at build time and is thus not the file included in the
actual binary package.

unblock owncloud/7.0.4+dfsg-3

Thanks in advance

Regards

David

diff --git a/debian/README.Debian b/debian/README.Debian index 72af84d..10f60aa 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -84,8 +84,6 @@ Some apps, not enabled by default, need the following dependencies: Improve performance: php5-apcu | php5-xcache php5-intl (language translation) -Command line interface: php5-cli - Suggested packages ~~~~~~~~~~~~~~~~~~ 
diff --git a/debian/changelog b/debian/changelog index 61c2c40..ee5fd9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +owncloud (7.0.4+dfsg-3) unstable; urgency=medium + + * Add gbp config file to follow the jessie branch + * Backport security fixes from 7.0.5: + - Multiple stored XSS in "contacts" application [OC-SA-2015-001] + - Multiple stored XSS in "documents" application [OC-SA-2015-002] + - Bypass of file blacklist [OC-SA-2015-004] + * Run upgrade script with sudo as www-data user + * Depend on php5-cli (it is actually used in postinst) + + -- David Prévot <taffit@debian.org> Wed, 25 Mar 2015 16:20:32 -0400 + owncloud (7.0.4+dfsg-2) unstable; urgency=medium * Upload to unstable as agreed with the release team diff --git a/debian/control b/debian/control index 193fed7..8b79bb2 100644 --- a/debian/control +++ b/debian/control @@ -44,9 +44,11 @@ Depends: apache2 | httpd, php-symfony-console, php-symfony-routing, php5 (>= 5.3.8), + php5-cli, php5-gd, php5-json, php5-mysql | php5-pgsql | php5-sqlite, + sudo, zendframework, ${misc:Depends} Recommends: exim4 | mail-transport-agent, @@ -55,7 +57,6 @@ Recommends: exim4 | mail-transport-agent, php-dropbox, php-google-api-php-client (<< 1), php5-apcu | php5-xcache, - php5-cli, php5-curl, php5-intl, php5-ldap, diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..4e78e26 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = jessie +upstream-branch = upstream-jessie diff --git a/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch new file mode 100644 index 0000000..537fa3f --- /dev/null +++ b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch 
@@ -0,0 +1,31 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Fri, 6 Feb 2015 15:12:43 +0100 +Subject: Fix encoding in 3rdparty lib + +Origin: upstream, https://github.com/owncloud/contacts/commit/72dcf24061b9639be75851e3746950b61495bc8f +--- + apps/contacts/js/contacts.js | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js +index be551c9..f5d8879 100644 +--- a/apps/contacts/js/contacts.js ++++ b/apps/contacts/js/contacts.js +@@ -1089,7 +1089,7 @@ OC.Contacts = OC.Contacts || {}; + this.$fullelem.find('.groupscontainer').show(); + //this.$groupSelect.find('option').remove(); + $.each(availableGroups, function(idx, group) { +- var $option = $('<option value="' + group.id + '">' + group.name + '</option>'); ++ var $option = $('<option value="' + group.id + '">' + escapeHTML(group.name) + '</option>'); + if(self.inGroup(group.name)) { + $option.attr('selected', 'selected'); + } +@@ -1575,7 +1575,7 @@ OC.Contacts = OC.Contacts || {}; + var input = $editor.find('input').first(); + var params = self.parametersFor(input, true); + $(this).find('.meta').html(params.TYPE.join('/')); +- $(this).find('.adr').html(self.valueFor($editor.find('input').first()).clean('').join(', ')); ++ $(this).find('.adr').text(self.valueFor($editor.find('input').first()).clean('').join(', ')); + $(this).next('.listactions').css('display', 'inline-block'); + $('body').unbind('click', bodyListener); + }); diff --git a/debian/patches/0011-Apply-some-upstream-patches.patch b/debian/patches/0011-Apply-some-upstream-patches.patch new file mode 100644 index 0000000..f9540a4 --- /dev/null +++ b/debian/patches/0011-Apply-some-upstream-patches.patch 
@@ -0,0 +1,1745 @@ +From: Victor Dubiniuk <victor.dubiniuk@gmail.com> +Date: Mon, 26 Jan 2015 23:51:28 +0300 +Subject: Apply some upstream patches + +Origin: upstream, https://github.com/owncloud/documents/commit/f67a6b11fe97afda9d906e7cfcb8736952b527d3 +--- + .../3rdparty/webodf/editor/widgets/fontPicker.js | 9 +- + .../webodf/editor/widgets/paragraphStyles.js | 11 +- + apps/documents/js/3rdparty/webodf/webodf-debug.js | 8 +- + apps/documents/js/3rdparty/webodf/webodf.js | 1036 ++++++++++---------- + 4 files changed, 536 insertions(+), 528 deletions(-) + +diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js +index 039c21b..372df25 100644 +--- a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js ++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js +@@ -36,9 +36,10 @@ + */ + /*global define,require,document */ + define("webodf/editor/widgets/fontPicker", [ +- "dijit/form/Select"], ++ "dijit/form/Select", ++ "dojox/html/entities"], + +- function (Select) { ++ function (Select, htmlEntities) { + "use strict"; + + /** +@@ -101,7 +102,7 @@ define("webodf/editor/widgets/fontPicker", [ + name = documentFonts[i].name; + family = documentFonts[i].family || name; + selectionList.push({ +- label: '<span style="font-family: ' + family + ';">' + name + '</span>', ++ label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name) + '</span>', + value: name + }); + } +@@ -114,7 +115,7 @@ define("webodf/editor/widgets/fontPicker", [ + // Lastly populate the fonts provided by the editor + for (i = 0; i < editorFonts.length; i += 1) { + selectionList.push({ +- label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>', ++ label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>', + value: editorFonts[i] + }); + } +diff --git 
a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js +index 57acaac..0e1acec 100644 +--- a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js ++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js +@@ -39,9 +39,12 @@ + /*global define,require */ + + define("webodf/editor/widgets/paragraphStyles", +- ["webodf/editor/EditorSession"], ++ [ ++ "dojox/html/entities", ++ "webodf/editor/EditorSession" ++ ], + +- function (EditorSession) { ++ function (htmlEntities, EditorSession) { + "use strict"; + /** + * @constructor +@@ -99,7 +102,7 @@ define("webodf/editor/widgets/paragraphStyles", + + for (i = 0; i < availableStyles.length; i += 1) { + selectionList.push({ +- label: availableStyles[i].displayName, ++ label: htmlEntities.encode(availableStyles[i].displayName), + value: availableStyles[i].name + }); + } +@@ -120,7 +123,7 @@ define("webodf/editor/widgets/paragraphStyles", + if (select) { + select.addOption({ + value: styleInfo.name, +- label: newStyleElement.getAttributeNS(stylens, 'display-name') ++ label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name')) + }); + } + +diff --git a/apps/documents/js/3rdparty/webodf/webodf-debug.js b/apps/documents/js/3rdparty/webodf/webodf-debug.js +index ee718ae..a890800 100644 +--- a/apps/documents/js/3rdparty/webodf/webodf-debug.js ++++ b/apps/documents/js/3rdparty/webodf/webodf-debug.js +@@ -1,4 +1,4 @@ +-var webodf_version = "0.4.2-2050-g8d8fc02"; ++var webodf_version = "0.4.2-2050-g8d8fc02-dirty"; + function Runtime() { + } + Runtime.prototype.getVariable = function(name) { +@@ -13549,7 +13549,11 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getRootNode) { + bookmarks[0].scrollIntoView(true) + } + }else { +- runtime.getWindow().open(url) ++ if(/^\s*(javascript|data):/.test(url)) { ++ runtime.log("WARN:", "potentially malicious URL ignored") ++ }else { ++ 
runtime.getWindow().open(url) ++ } + } + if(e.preventDefault) { + e.preventDefault() +diff --git a/apps/documents/js/3rdparty/webodf/webodf.js b/apps/documents/js/3rdparty/webodf/webodf.js +index 40d0bda..bf9a4c5 100644 +--- a/apps/documents/js/3rdparty/webodf/webodf.js ++++ b/apps/documents/js/3rdparty/webodf/webodf.js +@@ -1,57 +1,57 @@ + // Input 0 +-var webodf_version="0.4.2-2050-g8d8fc02"; ++var webodf_version="0.4.2-2050-g8d8fc02-dirty"; [ Over 1500 useless lines stripped ] diff --git a/debian/patches/0012-Normalize-before-processing.patch b/debian/patches/0012-Normalize-before-processing.patch new file mode 100644 index 0000000..0269cba --- /dev/null +++ b/debian/patches/0012-Normalize-before-processing.patch 
@@ -0,0 +1,73 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Fri, 6 Feb 2015 15:09:31 +0100 +Subject: Normalize before processing + +Conflicts: + tests/lib/files/filesystem.php + tests/lib/files/mapper.php + +Origin: upstream, https://github.com/owncloud/core/commit/cbf8dd439c5e56a56511e39180d014ce2ecd5221 +--- + lib/private/files/filesystem.php | 9 +++++---- + lib/private/files/mapper.php | 6 +++++- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php +index 1ebc790..492d9f1 100644 +--- a/lib/private/files/filesystem.php ++++ b/lib/private/files/filesystem.php +@@ -524,9 +524,10 @@ class Filesystem { + * @return bool + */ + static public function isFileBlacklisted($filename) { ++ $filename = self::normalizePath($filename); + $blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess')); + $filename = strtolower(basename($filename)); +- return (in_array($filename, $blacklist)); ++ return in_array($filename, $blacklist); + } + + /** +@@ -700,6 +701,9 @@ class Filesystem { + return '/'; + } + ++ //normalize unicode if possible ++ $path = \OC_Util::normalizeUnicode($path); ++ + //no windows style slashes + $path = str_replace('\\', '/', $path); + +@@ -736,9 +740,6 @@ class Filesystem { + $path = substr($path, 0, -2); + } + +- //normalize unicode if possible +- $path = \OC_Util::normalizeUnicode($path); +- + return $windows_drive_letter . $path; + } + +diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php +index 5e78ef0..a950d78 100644 +--- a/lib/private/files/mapper.php ++++ b/lib/private/files/mapper.php +@@ -253,13 +253,17 @@ class Mapper + // trim ending dots (for security reasons and win compatibility) + $text = preg_replace('~\.+$~', '', $text); + +- if (empty($text)) { ++ if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) { + /** + * Item slug would be empty. Previously we used uniqid() here. 
+ * However this means that the behaviour is not reproducible, so + * when uploading files into a "empty" folder, the folders name is + * different. + * ++ * The other case is, that the slugified name would be a blacklisted ++ * filename. In this case we just use the same workaround by ++ * returning the secure md5 hash of the original name. ++ * + * If there would be a md5() hash collision, the deduplicate check + * will spot this and append an index later, so this should not be + * a problem. diff --git a/debian/patches/series b/debian/patches/series index 230b514..ab6e650 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,6 @@ path/0006-Adapt-Crypt_Blowfish-path.patch path/0007-Adapt-aws-sdk-path.patch path/0008-Adapt-google-api-php-client-path.patch path/0009-Adapt-Dropbox-path.patch +0010-Fix-encoding-in-3rdparty-lib.patch +0011-Apply-some-upstream-patches.patch +0012-Normalize-before-processing.patch diff --git a/debian/postinst b/debian/postinst index f356c8d..a554ebd 100644 --- a/debian/postinst +++ b/debian/postinst @@ -51,7 +51,7 @@ case "$1" in # Update the database on upgrade # Don’t let it fail, since it exits with 3 if no upgrade is necessary if [ -e /etc/owncloud/config.php ] ; then - occ upgrade || true + sudo -u www-data occ upgrade || true fi ;;Attachment: signature.asc
Description: Digital signature
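Review bot: the postinst hunk hard-codes the target account in `sudo -u www-data occ upgrade || true` while debian/control allows `apache2 | httpd`; if the data is owned by a different httpd user, the upgrade will run as the wrong user and may leave files it writes owned by www-data, so consider deriving the user from the configuration or stating the www-data assumption in README.Debian. Dropping privileges with `su -s /bin/sh -c 'occ upgrade' www-data` would also avoid the new `sudo` dependency added in the control hunk. Separately, the pre-existing `|| true` masks every failure although the comment only justifies tolerating status 3 ("exits with 3 if no upgrade is necessary"); capturing the status and exiting on anything other than 0 or 3 would keep a genuinely failed upgrade visible to the package manager.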
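Review bot: in the first contacts.js hunk only `group.name` is wrapped in `escapeHTML()`; `group.id` is still concatenated unescaped into the `value` attribute. If ids are not guaranteed to be integers, escape it too, or build the element as `$('<option>').val(group.id).text(group.name)` so jQuery sets both the attribute and the text safely. The second hunk's change from `.html()` to `.text()` for the `.adr` display is the right fix.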
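Review bot: the fontPicker hunk entity-encodes `family` before placing it inside `style="font-family: …"`; that protects the HTML attribute context, but the value is additionally interpreted as CSS, so a character allowlist for font family names (letters, digits, spaces, hyphens and quotes) would be a stronger guard than entity encoding alone. Both the fontPicker and paragraphStyles hunks add `dojox/html/entities` as a module dependency, so confirm that the Dojo copy loaded by the documents app actually ships it, otherwise both widgets fail at load time.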
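Review bot: the scheme check added in the HyperlinkClickHandler hunk, `/^\s*(javascript|data):/.test(url)`, is case-sensitive, whereas browsers match URL schemes case-insensitively; add the `i` flag, and prefer an allowlist of permitted schemes (for example `/^\s*(https?|mailto):/i`) over a denylist, which has to enumerate every dangerous scheme to stay complete. The `webodf_version` bump to `-dirty` and the stripped webodf.js hunk are fine given that the minified file is regenerated at build time, as the cover letter says.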
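Review bot: the `Conflicts:` header of 0012-Normalize-before-processing.patch lists tests/lib/files/filesystem.php and tests/lib/files/mapper.php, and the diffstat shows only the two lib/private/files files, so the upstream test changes were dropped from the backport; if the test suite runs at build time, carry adapted versions so the new normalize-then-check order in `isFileBlacklisted()` and the blacklist check in `Mapper` stay covered. Moving `\OC_Util::normalizeUnicode()` to the top of `normalizePath()` and calling `normalizePath()` first in `isFileBlacklisted()` is the substantive part of the fix: the comparison against `blacklisted_files` now runs on the canonical name rather than before canonicalization. In the mapper.php hunk the new comment calls the fallback a "secure md5 hash"; it is only a reproducible substitute name, so rewording it would avoid implying a security property md5 does not provide.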
--- End Message ---
--- Begin Message ---
- To: 781274-done@bugs.debian.org
- Cc: David Prévot <taffit@debian.org>, team@security.debian.org
- Subject: Re: Bug#781274: unblock: owncloud/7.0.4+dfsg-4
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 02 May 2015 12:27:36 +0100
- Message-id: <e5e99ad7159644ed6076f1a975d8294b@mowgli.jungle.funky-badger.org>
- In-reply-to: <1429980778.18212.29.camel@adam-barratt.org.uk>
- References: <20150326192637.GA30163@mikado.tilapin.org> <20150412124652.GR16466@betterave.cristau.org> <20150412161527.GA14905@mikado.tilapin.org> <20150413045319.GA31420@mikado.tilapin.org> <20150418200941.GA16148@mikado.tilapin.org> <1429980778.18212.29.camel@adam-barratt.org.uk>
On 2015-04-25 17:52, Adam D. Barratt wrote:
> On Sat, 2015-04-18 at 16:09 -0400, David Prévot wrote:
> [...]
> > Adding the security team in the loop for advice: what is the way to move
> > forward now? (Will the pending unblock requests be processed and I
> > shouldn’t worry, will the issues warrant a DSA and should I prepare it,
> > should we rather make a pu request, something else?)
>
> The unblock has semi-automagically (via a device named a jmw) been
> converted to a p-u request, but I'd still appreciate the security team's
> input on this. None of CVE-2015-301[123] currently have "no-dsa" markers
> on the security tracker so it's quite possible that a DSA would be
> appropriate.

Indeed that happened as DSA-3244-1, so closing this.

Regards,

Adam
--- End Message ---