
Bug#798895: jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fixes for
CVE-2015-{471{6..8},6670} in owncloud. Source debdiff attached.

As noted in the ownCloud tracker, CVE-2015-4716 is only relevant on
Windows, yet I’d still like to include its fix in order to avoid making
any assumptions about how safely people are setting up their servers: the
one-liner fix is just about sanitizing variables, which should be a good
idea anyway.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-006

Regards

David
diff --git a/debian/changelog b/debian/changelog
index fe8558d..503bd03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium
+
+  * Backport security fixes from 7.0.6 and 7.0.8:
+    - Local file inclusion on MS Windows Platform
+      [OC-SA-2015-006] [CVE-2015-4716]
+    - Resource exhaustion when sanitizing filenames
+      [OC-SA-2015-007] [CVE-2015-4717]
+    - Command injection when using external SMB storage
+      [OC-SA-2015-008] [CVE-2015-4718]
+    - Calendar export: Authorization Bypass Through User-Controlled Key
+      [OC-SA-2015-015] [CVE-2015-6670]
+
+ -- David Prévot <taffit@debian.org>  Thu, 03 Sep 2015 19:38:32 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium
 
   * Upload to jessie-security as agreed with the security team
diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch
new file mode 100644
index 0000000..925066d
--- /dev/null
+++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch
@@ -0,0 +1,22 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 31 Mar 2015 14:58:24 +0200
+Subject: Clean application identifier before processing
+
+Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce
+---
+ lib/private/route/router.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/private/route/router.php b/lib/private/route/router.php
+index 9c973d7..a6ff51b 100644
+--- a/lib/private/route/router.php
++++ b/lib/private/route/router.php
+@@ -204,6 +204,8 @@ class Router implements IRouter {
+ 		if (substr($url, 0, 6) === '/apps/') {
+ 			// empty string / 'apps' / $app / rest of the route
+ 			list(, , $app,) = explode('/', $url, 4);
++
++			$app = \OC_App::cleanAppId($app);
+ 			\OC::$REQUESTEDAPP = $app;
+ 			$this->loadRoutes($app);
+ 		} else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') {
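Review bot: The header of this new patch file carries only `Origin:`, so nothing in debian/patches ties it to the advisory it backports. Going by the changelog entry this appears to be the CVE-2015-4716 fix, and a DEP-3 line such as `Bug: https://owncloud.org/security/advisory/?id=oc-sa-2015-006` would record that; the same applies to 0014, 0015 and 0016, each with its own advisory id. Inside the router.php change the new call has no comment, and something like `// $app comes from the request URL: clean it before it selects which routes to load` above `$app = \OC_App::cleanAppId($app);` would tell a later reader why the line must stay. The enclosing method starts and ends outside the hunk.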
diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
new file mode 100644
index 0000000..b9b252d
--- /dev/null
+++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
@@ -0,0 +1,50 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 13 Feb 2015 12:49:34 +0100
+Subject: Ensure that passed argument is always a string
+
+Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour.
+
+Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well.
+
+Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e
+---
+ apps/files/ajax/list.php         | 2 +-
+ lib/private/files/filesystem.php | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php
+index 4908016..21c88e2 100644
+--- a/apps/files/ajax/list.php
++++ b/apps/files/ajax/list.php
+@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
+ $l = OC_L10N::get('files');
+ 
+ // Load the files
+-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
+ $dir = \OC\Files\Filesystem::normalizePath($dir);
+ 
+ try {
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 492d9f1..a4d361d 100644
+--- a/lib/private/files/filesystem.php
++++ b/lib/private/files/filesystem.php
+@@ -694,9 +694,18 @@ class Filesystem {
+ 	 * Fix common problems with a file path
+ 	 * @param string $path
+ 	 * @param bool $stripTrailingSlash
++	 * @param bool $isAbsolutePath
+ 	 * @return string
+ 	 */
+ 	public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false) {
++		/**
++		 * FIXME: This is a workaround for existing classes and files which call
++		 *        this function with another type than a valid string. This
++		 *        conversion should get removed as soon as all existing
++		 *        function calls have been fixed.
++		 */
++		$path = (string)$path;
++
+ 		if ($path == '') {
+ 			return '/';
+ 		}
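Review bot: The `(string)` cast added in apps/files/ajax/list.php turns an array-valued `dir` parameter into the literal string `Array` (with a conversion notice) instead of rejecting it, so a malformed request still proceeds with a made-up path. Checking the type is tighter: `$dir = (isset($_GET['dir']) && is_string($_GET['dir'])) ? $_GET['dir'] : '';`. The matching cast in `normalizePath()` is already marked FIXME as a stop-gap for existing callers and has the same `Array` behaviour, which would be worth one sentence in that comment. The body of `normalizePath()` continues outside the hunk.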
diff --git a/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
new file mode 100644
index 0000000..6fd2127
--- /dev/null
+++ b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Mon, 30 Mar 2015 21:51:57 +0200
+Subject: Disallow semicolons in passed commands
+
+Origin: upstream, https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4
+---
+ apps/files_external/3rdparty/smb4php/smb.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apps/files_external/3rdparty/smb4php/smb.php b/apps/files_external/3rdparty/smb4php/smb.php
+index e325506..7ffdb42 100644
+--- a/apps/files_external/3rdparty/smb4php/smb.php
++++ b/apps/files_external/3rdparty/smb4php/smb.php
+@@ -112,6 +112,11 @@ class smb {
+ 
+ 
+ 	function execute ($command, $purl, $regexp = NULL) {
++		if (strpos($command,';') !== false) {
++			trigger_error('Semicolon not supported in commands');
++			exit();
++		}
++
+ 		return smb::client ('-d 0 '
+ 				. escapeshellarg ('//' . $purl['host'] . '/' . $purl['share'])
+ 				. ' -c ' . escapeshellarg ($command), $purl, $regexp
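Review bot: The new guard in `execute()` calls `exit()` from inside the vendored library, which ends the whole request with no error status or cleanup, and `trigger_error()` without a level raises only `E_USER_NOTICE`, which production logging often drops. Raising it as `trigger_error('Semicolon not supported in commands', E_USER_WARNING);` and then failing through a path the caller can handle (`return false;` or an exception, depending on what the callers outside this hunk expect) keeps the rejection both visible and fail-closed. The check is also a single-character denylist on the composed command, so presumably a legitimate file name containing `;` is now refused too; that trade-off deserves a one-line comment above the `if`. The statement starting at `return smb::client (` runs past the end of the hunk.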
diff --git a/debian/patches/0016-Clarify-permission-checks.patch b/debian/patches/0016-Clarify-permission-checks.patch
new file mode 100644
index 0000000..9c4e1a3
--- /dev/null
+++ b/debian/patches/0016-Clarify-permission-checks.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 21 Jul 2015 14:44:03 +0200
+Subject: Clarify permission checks
+
+Origin: upstream, https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414
+---
+ apps/calendar/lib/app.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php
+index 8af0ff3..62e7e22 100644
+--- a/apps/calendar/lib/app.php
++++ b/apps/calendar/lib/app.php
+@@ -50,8 +50,10 @@ class OC_Calendar_App{
+ 			}
+ 		}
+ 		if($security === true && $shared === true) {
+-			if(OCP\Share::getItemSharedWithBySource('calendar', $id)) {
++			if(OCP\User::getUser() === $calendar['userid'] || OCP\Share::getItemSharedWithBySource('calendar', $id)) {
+ 				return $calendar;
++			} else {
++				return false;
+ 			}
+ 		}
+ 		return $calendar;
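Review bot: In apps/calendar/lib/app.php the new `return false;` sits only inside the `$security === true && $shared === true` branch, and the trailing `return $calendar;` stays the default for every other combination, so the function still fails open unless the code above the hunk has already rejected callers who are not the owner. That earlier part is not visible here, so this is a point to confirm rather than a confirmed defect. A comment such as `// owner or share recipient only; anyone else is denied` above the new condition would make the intent explicit. The docblock should also state that the function returns `false` on denial, so callers compare with `=== false` rather than relying on truthiness.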
diff --git a/debian/patches/series b/debian/patches/series
index ab6e650..42ca44e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,7 @@ path/0009-Adapt-Dropbox-path.patch
 0010-Fix-encoding-in-3rdparty-lib.patch
 0011-Apply-some-upstream-patches.patch
 0012-Normalize-before-processing.patch
+0013-Clean-application-identifier-before-processing.patch
+0014-Ensure-that-passed-argument-is-always-a-string.patch
+0015-Disallow-semicolons-in-passed-commands.patch
+0016-Clarify-permission-checks.patch

Attachment: signature.asc
Description: OpenPGP digital signature

