
Bug#798893: jessie-pu: package php-dropbox/1.0.0-3+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fix for
CVE-2015-4715 in php-dropbox. Source debdiff attached.

As noted in the ownCloud tracker, the issue is only relevant if a server
runs PHP below 5.6.0, or if some default has been changed. Yet, since
the owncloud (and php-dropbox) packages from Jessie can be used (and I
know they are actually used) out of the box on Wheezy, having the fix in
the next point release makes sense.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-005

Regards

David
diff --git a/debian/changelog b/debian/changelog
index aa86e22..c643681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium
+
+  * Refuse to handle any files containing a @ [CVE-2015-4715]
+  * Track Jessie
+
+ -- David Prévot <taffit@debian.org>  Sat, 05 Sep 2015 14:19:37 -0400
+
 php-dropbox (1.0.0-3) unstable; urgency=medium
 
   * Include ownCloud specific patches
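Review bot: the changelog entry "Refuse to handle any files containing a @ [CVE-2015-4715]" overstates what the rest of this debdiff does: the added check rejects only POST argument values whose first character is '@', and it acts on request arguments, not on files. A wording such as "Refuse to pass POST arguments beginning with @ to cURL [CVE-2015-4715]" would describe the change accurately, and "Track Jessie" would be clearer as "Add debian/gbp.conf to track the jessie branch".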
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
new file mode 100644
index 0000000..acd912b
--- /dev/null
+++ b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
@@ -0,0 +1,30 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 7 Apr 2015 15:12:10 +0200
+Subject: Revert custom patch that can cause problems
+
+Origin: upstream, https://github.com/owncloud/core/commit/7071cf15c25be4a0e4178019c625c57b898e4216
+---
+ Dropbox-1.0.0/Dropbox/OAuth/Curl.php | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+index 6ea6873..9aa6852 100644
+--- a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
++++ b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+@@ -72,8 +72,14 @@ class Dropbox_OAuth_Curl extends Dropbox_OAuth {
+ 		if (strtoupper($method) == 'POST') {
+ 			curl_setopt($ch, CURLOPT_URL, $uri);
+ 			curl_setopt($ch, CURLOPT_POST, true);
+-// 			if (is_array($arguments))
+-// 				$arguments=http_build_query($arguments);
++
++ 			//if (is_array($arguments))
++ 			//	$arguments=http_build_query($arguments);
++ 			foreach ($arguments as $key => $value) {
++ 				if($value[0] === '@') {
++					exit();
++				}
++			}
+ 			curl_setopt($ch, CURLOPT_POSTFIELDS, $arguments);
+ // 			$httpHeaders['Content-Length']=strlen($arguments);
+ 		} else {
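Review bot: the check added by the nested patch aborts the whole PHP process with a bare exit() when a value starts with '@', so the caller gets no error, nothing is logged and nothing can recover; for library code, throwing an exception (or at least calling exit() with a message) would be a better fit. The loop also assumes every $value is a non-empty string: $value[0] on an empty string raises a PHP notice, and if $arguments is ever handed in as a query string rather than an array (the commented-out http_build_query() lines suggest it once was), foreach over a string only emits a warning and the check is skipped entirely, so an is_array() guard before the loop, with a rejection for the non-array case, would make the intent hold. Also, the re-added comment lines use a different indentation from the two lines they replace.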
diff --git a/debian/patches/series b/debian/patches/series
index 5c66984..a104f36 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Include-ownCloud-specific-patches.patch
+0002-Revert-custom-patch-that-can-cause-problems.patch
