
Bug#810130: jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u4



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Happy new year!

As agreed with the security team, I’d like to fix some recently
disclosed but low-impact security issues via pu. Even if CVE-2016-1501
(a “Full installation path disclosure”) is not really relevant to a
Debian package, the fix is small and sane enough to be worth including
IMHO.

Please note that #798895 has been superseded by DSA-3373-1 as well as
the present request.

Thanks in advance for considering.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index e2e2e21..c3b8c58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u4) jessie; urgency=medium
+
+  * Backport security fixes from 7.0.12, 8.0.10, and 8.0.9:
+    - Reflected XSS in OCS provider discovery
+      [oc-sa-2016-001] [CVE-2016-1498]
+    - Disclosure of files that begin with \".v\" due to unchecked return
+      value [oc-sa-2016-003] [CVE-2016-1500]
+    - Information Exposure Through Directory Listing in the file scanner
+      [oc-sa-2016-002] [CVE-2016-1499]
+    - Full installation path disclosure through error message
+      [oc-sa-2016-004] [CVE-2016-1501]
+
+ -- David Prévot <taffit@debian.org>  Tue, 05 Jan 2016 22:24:31 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u3) jessie-security; urgency=high
 
   * Backport security fixes from 7.0.5, 7.0.7, 8.0.6, and 7.0.9:
diff --git a/debian/patches/0027-Use-XMLWriter-to-generate-response.patch b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
new file mode 100644
index 0000000..c022c44
--- /dev/null
+++ b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
@@ -0,0 +1,62 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Mon, 30 Nov 2015 15:40:10 +0100
+Subject: Use XMLWriter to generate response
+
+Gets rid of manual XML generation.
+
+Origin: upstream, https://github.com/owncloud/core/commit/85e068a723c09d0f01ab3e10aa6a3f6a8c4c3227
+---
+ ocs/providers.php | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/ocs/providers.php b/ocs/providers.php
+index 2c62f76..769d210 100644
+--- a/ocs/providers.php
++++ b/ocs/providers.php
+@@ -27,20 +27,29 @@ header('Content-type: application/xml');
+ 
+ $url=OCP\Util::getServerProtocol().'://'.substr(OCP\Util::getServerHost().OCP\Util::getRequestUri(), 0, -17).'ocs/v1.php/';
+ 
+-echo('
+-<providers>
+-<provider>
+- <id>ownCloud</id>
+- <location>'.$url.'</location>
+- <name>ownCloud</name>
+- <icon></icon>
+- <termsofuse></termsofuse>
+- <register></register>
+- <services>
+-   <config ocsversion="1.7" />
+-   <activity ocsversion="1.7" />
+-   <cloud ocsversion="1.7" />
+- </services>
+-</provider>
+-</providers>
+-');
++$writer = new XMLWriter();
++$writer->openURI('php://output');
++$writer->startDocument('1.0','UTF-8');
++$writer->setIndent(4);
++$writer->startElement('providers');
++$writer->startElement('provider');
++$writer->writeElement('id', 'ownCloud');
++$writer->writeElement('location', $url);
++$writer->writeElement('name', 'ownCloud');
++$writer->writeElement('icon', '');
++$writer->writeElement('termsofuse', '');
++$writer->writeElement('register', '');
++$writer->startElement('services');
++$writer->startElement('config');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('activity');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('cloud');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->endElement();
++$writer->endElement();
++$writer->endDocument();
++$writer->flush();
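Review bot: Nothing in the new block records why the output was moved to XMLWriter: `$url` is assembled from `OCP\Util::getServerHost()` and `getRequestUri()` on the unchanged line above, i.e. from request-derived values, and the changelog in this same upload appears to file this patch as the reflected-XSS fix, so the escaping that `writeElement('location', $url)` performs is the security property rather than a tidiness improvement. I would add above `$writer = new XMLWriter();`: `// $url is built from request-derived values; XMLWriter escapes it on output, so do not revert to string-concatenated XML here (CVE-2016-1498).` The `substr(..., 0, -17)` on the context line assumes the request URI ends in exactly 'ocs/providers.php'; it predates this patch, but a named constant would make that assumption visible to the next reader. If the package's Depends does not already cover the XMLWriter extension, that is worth confirming before upload — I believe Debian's php5 builds it in, but have not verified that here.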
diff --git a/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
new file mode 100644
index 0000000..ec6da15
--- /dev/null
+++ b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
@@ -0,0 +1,39 @@
+From: Robin Appelman <icewind@owncloud.com>
+Date: Mon, 14 Dec 2015 15:59:36 +0100
+Subject: Handle non existing files in version previews
+
+Origin: upstream, https://github.com/owncloud/core/commit/f746100e13dcadf8a2b6d311422a1c66c959565c
+---
+ apps/files_versions/ajax/preview.php | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/apps/files_versions/ajax/preview.php b/apps/files_versions/ajax/preview.php
+index bd9b736..1056169 100644
+--- a/apps/files_versions/ajax/preview.php
++++ b/apps/files_versions/ajax/preview.php
+@@ -31,14 +31,18 @@ if($maxX === 0 || $maxY === 0) {
+ 
+ try {
+ 	list($user, $file) = \OCA\Files_Versions\Storage::getUidAndFilename($file);
+-	$preview = new \OC\Preview($user, 'files_versions', $file.'.v'.$version);
+-	$mimetype = \OC_Helper::getFileNameMimeType($file);
+-	$preview->setMimetype($mimetype);
+-	$preview->setMaxX($maxX);
+-	$preview->setMaxY($maxY);
+-	$preview->setScalingUp($scalingUp);
++	if (is_null($file)) {
++		\OC_Response::setStatus(404);
++	} else {
++		$preview = new \OC\Preview($user, 'files_versions', $file . '.v' . $version);
++		$mimetype = \OC_Helper::getFileNameMimeType($file);
++		$preview->setMimetype($mimetype);
++		$preview->setMaxX($maxX);
++		$preview->setMaxY($maxY);
++		$preview->setScalingUp($scalingUp);
+ 
+-	$preview->showPreview();
++		$preview->showPreview();
++	}
+ }catch(\Exception $e) {
+ 	\OC_Response::setStatus(500);
+ 	\OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG);
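Review bot: The new `is_null($file)` branch carries no comment saying what it guards, and the only explanation a reader will find is the changelog entry for this upload. Since `$file . '.v' . $version` collapses to `.v<version>` when `$file` is null, I would add above `if (is_null($file)) {`: `// getUidAndFilename() presumably yields a null $file when the version path cannot be resolved (confirm); without this check the preview was built on '.v' . $version alone and could expose files with that prefix (CVE-2016-1500).` The 404 branch deliberately sends no body, which is reasonable for this endpoint, but a one-line comment there would keep someone from later hoisting `showPreview()` out of the else. The try block opens inside the hunk, but its catch body continues past the last line shown.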
diff --git a/debian/patches/0029-Dont-output-paths-in-scan.php.patch b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
new file mode 100644
index 0000000..572d3c3
--- /dev/null
+++ b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
@@ -0,0 +1,35 @@
+From: Robin Appelman <icewind@owncloud.com>
+Date: Wed, 25 Nov 2015 15:21:01 +0100
+Subject: Dont output paths in scan.php
+
+Origin: backport, https://github.com/owncloud/core/commit/fab59179f1661da4862336fb8ea450c80def26d4
+---
+ apps/files/ajax/scan.php | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
+index d5d8848..e6cad5e 100644
+--- a/apps/files/ajax/scan.php
++++ b/apps/files/ajax/scan.php
+@@ -21,7 +21,6 @@ $listener = new ScanListener($eventSource);
+ foreach ($users as $user) {
+ 	$eventSource->send('user', $user);
+ 	$scanner = new \OC\Files\Utils\Scanner($user);
+-	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));
+ 	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));
+ 	if ($force) {
+ 		$scanner->scan($dir);
+@@ -50,13 +49,6 @@ class ScanListener {
+ 		$this->eventSource = $eventSource;
+ 	}
+ 
+-	/**
+-	 * @param string $path
+-	 */
+-	public function folder($path) {
+-		$this->eventSource->send('folder', $path);
+-	}
+-
+ 	public function file() {
+ 		$this->fileCount++;
+ 		if ($this->fileCount > $this->lastCount + 20) { //send a count update every 20 files
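Review bot: The hunk deletes `ScanListener::folder()` but keeps the registration on the unchanged context line `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));`, while the line actually removed is the `scanFile` registration that fed the surviving `file()` counter. As shown, `scanFolder` events would be dispatched to a method that no longer exists and the every-20-files count update in `file()` would never run; it looks like the wrong `listen()` call was dropped relative to the upstream commit named in the Origin line, though I have not compared against it here. I would keep `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));` and remove the `scanFolder` line instead, which is also what makes the `folder()` deletion consistent with the stated goal of not emitting paths. The foreach loop and the ScanListener class both extend beyond the hunk shown.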
diff --git a/debian/patches/0030-Do-not-print-exception-message.patch b/debian/patches/0030-Do-not-print-exception-message.patch
new file mode 100644
index 0000000..b692dd3
--- /dev/null
+++ b/debian/patches/0030-Do-not-print-exception-message.patch
@@ -0,0 +1,40 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Sun, 25 Oct 2015 19:05:28 +0100
+Subject: Do not print exception message
+
+Origin: upstream, https://github.com/owncloud/core/commit/6897cbebc05fb4daa6b81daaac9b181120fcf529
+---
+ core/avatar/controller.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/avatar/controller.php b/core/avatar/controller.php
+index ca055f5..6076084 100644
+--- a/core/avatar/controller.php
++++ b/core/avatar/controller.php
+@@ -92,7 +92,7 @@ class Controller {
+ 				}
+ 			}
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin." )));
+ 		}
+ 	}
+ 
+@@ -107,7 +107,7 @@ class Controller {
+ 			$avatar->remove();
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ 
+@@ -158,7 +158,7 @@ class Controller {
+ 			\OC\Cache::remove('tmpavatar');
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ }
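Review bot: All three replaced lines drop `$e->getMessage()` entirely, so the exception is neither shown nor logged and an admin who receives "An error occurred. Please contact your admin." has nothing server-side to act on. Patch 0028 in this same upload logs before responding (`\OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG);`); I would add the same call ahead of each `\OC_JSON::error(...)` here so the detail goes to the log instead of the client. The same point applies to the second and third hunks of this file. The `Controller` class and each of the affected methods begin outside the hunks shown.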
diff --git a/debian/patches/series b/debian/patches/series
index 561ad88..618364d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,7 @@ path/0009-Adapt-Dropbox-path.patch
 0024-Verify-if-path-exists.patch
 0025-Verify-if-path-exists-before-processing.patch
 0026-Prevent-objectstore-being-set-from-client-side.patch
+0027-Use-XMLWriter-to-generate-response.patch
+0028-Handle-non-existing-files-in-version-previews.patch
+0029-Dont-output-paths-in-scan.php.patch
+0030-Do-not-print-exception-message.patch


