
Bug#798895: marked as done (jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798895,
regarding jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
798895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798895
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fixes for
CVE-2015-{471{6..8},6670} in owncloud. Source debdiff attached.

As noted in the ownCloud tracker, CVE-2015-4716 is only relevant on
Windows, yet I’d still like to include its fix in order to avoid making
any assumptions about how safely people are setting their servers: the
one-liner fix is just about sanitizing variables, that should anyway be
a good idea.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-006

Regards

David
diff --git a/debian/changelog b/debian/changelog
index fe8558d..503bd03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium
+
+  * Backport security fixes from 7.0.6 and 7.0.8:
+    - Local file inclusion on MS Windows Platform
+      [OC-SA-2015-006] [CVE-2015-4716]
+    - Resource exhaustion when sanitizing filenames
+      [OC-SA-2015-007] [CVE-2015-4717]
+    - Command injection when using external SMB storage
+      [OC-SA-2015-008] [CVE-2015-4718]
+    - Calendar export: Authorization Bypass Through User-Controlled Key
+      [OC-SA-2015-015] [CVE-2015-6670]
+
+ -- David Prévot <taffit@debian.org>  Thu, 03 Sep 2015 19:38:32 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium
 
   * Upload to jessie-security as agreed with the security team
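Review bot: The four new changelog entries name the advisory and the CVE but not the patch that carries each fix, so a later reader has to match them to debian/patches by subject line. Adding the patch file name (0013 through 0016) to each entry would make the mapping explicit. The CVE-2015-4716 entry already says "on MS Windows Platform"; a short remark that it is included as hardening on Debian, as the cover message explains, would record why it is in a stable update.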
diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch
new file mode 100644
index 0000000..925066d
--- /dev/null
+++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch
@@ -0,0 +1,22 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 31 Mar 2015 14:58:24 +0200
+Subject: Clean application identifier before processing
+
+Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce
+---
+ lib/private/route/router.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/private/route/router.php b/lib/private/route/router.php
+index 9c973d7..a6ff51b 100644
+--- a/lib/private/route/router.php
++++ b/lib/private/route/router.php
+@@ -204,6 +204,8 @@ class Router implements IRouter {
+ 		if (substr($url, 0, 6) === '/apps/') {
+ 			// empty string / 'apps' / $app / rest of the route
+ 			list(, , $app,) = explode('/', $url, 4);
++
++			$app = \OC_App::cleanAppId($app);
+ 			\OC::$REQUESTEDAPP = $app;
+ 			$this->loadRoutes($app);
+ 		} else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') {
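Review bot: In the '/apps/' branch, a request whose app segment is altered by `\OC_App::cleanAppId($app)` is still routed, now under the cleaned name, so a malformed identifier is silently rewritten instead of refused. Consider comparing the cleaned value with the original and failing the lookup on a mismatch, which also gives operators something to log. The patch header has no description body; one line naming the advisory this addresses would help, since the Subject alone does not say.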
diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
new file mode 100644
index 0000000..b9b252d
--- /dev/null
+++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
@@ -0,0 +1,50 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Fri, 13 Feb 2015 12:49:34 +0100
+Subject: Ensure that passed argument is always a string
+
+Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour.
+
+Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well.
+
+Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e
+---
+ apps/files/ajax/list.php         | 2 +-
+ lib/private/files/filesystem.php | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php
+index 4908016..21c88e2 100644
+--- a/apps/files/ajax/list.php
++++ b/apps/files/ajax/list.php
+@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
+ $l = OC_L10N::get('files');
+ 
+ // Load the files
+-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
+ $dir = \OC\Files\Filesystem::normalizePath($dir);
+ 
+ try {
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 492d9f1..a4d361d 100644
+--- a/lib/private/files/filesystem.php
++++ b/lib/private/files/filesystem.php
+@@ -694,9 +694,18 @@ class Filesystem {
+ 	 * Fix common problems with a file path
+ 	 * @param string $path
+ 	 * @param bool $stripTrailingSlash
++	 * @param bool $isAbsolutePath
+ 	 * @return string
+ 	 */
+ 	public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false) {
++		/**
++		 * FIXME: This is a workaround for existing classes and files which call
++		 *        this function with another type than a valid string. This
++		 *        conversion should get removed as soon as all existing
++		 *        function calls have been fixed.
++		 */
++		$path = (string)$path;
++
+ 		if ($path == '') {
+ 			return '/';
+ 		}
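Review bot: The `(string)$_GET['dir']` cast in list.php and the `(string)$path` cast at the top of normalizePath() convert a non-string argument rather than reject it; in PHP an array cast to string becomes the literal "Array" with a notice, so such a request is then processed as a path of that name. In list.php, where the value comes straight from the request, an `is_string()` check that returns an error response would be cleaner than the cast. The cast inside normalizePath() is reasonable as the stop-gap its FIXME describes, but the FIXME should say who tracks the remaining callers so it does not become permanent.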
diff --git a/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
new file mode 100644
index 0000000..6fd2127
--- /dev/null
+++ b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Mon, 30 Mar 2015 21:51:57 +0200
+Subject: Disallow semicolons in passed commands
+
+Origin: upstream, https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4
+---
+ apps/files_external/3rdparty/smb4php/smb.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apps/files_external/3rdparty/smb4php/smb.php b/apps/files_external/3rdparty/smb4php/smb.php
+index e325506..7ffdb42 100644
+--- a/apps/files_external/3rdparty/smb4php/smb.php
++++ b/apps/files_external/3rdparty/smb4php/smb.php
+@@ -112,6 +112,11 @@ class smb {
+ 
+ 
+ 	function execute ($command, $purl, $regexp = NULL) {
++		if (strpos($command,';') !== false) {
++			trigger_error('Semicolon not supported in commands');
++			exit();
++		}
++
+ 		return smb::client ('-d 0 '
+ 				. escapeshellarg ('//' . $purl['host'] . '/' . $purl['share'])
+ 				. ' -c ' . escapeshellarg ($command), $purl, $regexp
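Review bot: In execute(), the rejection path calls `trigger_error()` at its default E_USER_NOTICE level and then `exit()`, which ends the whole request from inside a third-party library and may leave nothing in the log on hosts that suppress notices. Raising at E_USER_WARNING, or throwing an exception the caller can handle, would make the refusal visible and testable. The check is also a single-character denylist applied to the already assembled `$command`; validating the path components where callers build the command would be sturdier than filtering at this point, and the patch header should state why the semicolon matters given that `escapeshellarg()` is already applied.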
diff --git a/debian/patches/0016-Clarify-permission-checks.patch b/debian/patches/0016-Clarify-permission-checks.patch
new file mode 100644
index 0000000..9c4e1a3
--- /dev/null
+++ b/debian/patches/0016-Clarify-permission-checks.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Tue, 21 Jul 2015 14:44:03 +0200
+Subject: Clarify permission checks
+
+Origin: upstream, https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414
+---
+ apps/calendar/lib/app.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php
+index 8af0ff3..62e7e22 100644
+--- a/apps/calendar/lib/app.php
++++ b/apps/calendar/lib/app.php
+@@ -50,8 +50,10 @@ class OC_Calendar_App{
+ 			}
+ 		}
+ 		if($security === true && $shared === true) {
+-			if(OCP\Share::getItemSharedWithBySource('calendar', $id)) {
++			if(OCP\User::getUser() === $calendar['userid'] || OCP\Share::getItemSharedWithBySource('calendar', $id)) {
+ 				return $calendar;
++			} else {
++				return false;
+ 			}
+ 		}
+ 		return $calendar;
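Review bot: The new `else { return false; }` only covers the `$security === true && $shared === true` branch, and the function still ends with an unconditional `return $calendar;`, so every other combination of flags depends on the checks above this hunk, which are not visible here. Restructuring to deny by default (return the calendar only after an explicit owner or share match, `false` otherwise) would put the authorization decision in one place. The Subject "Clarify permission checks" also understates a behavioural change: callers that previously received the calendar in this branch can now receive `false`, which is worth stating in the patch description.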
diff --git a/debian/patches/series b/debian/patches/series
index ab6e650..42ca44e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,7 @@ path/0009-Adapt-Dropbox-path.patch
 0010-Fix-encoding-in-3rdparty-lib.patch
 0011-Apply-some-upstream-patches.patch
 0012-Normalize-before-processing.patch
+0013-Clean-application-identifier-before-processing.patch
+0014-Ensure-that-passed-argument-is-always-a-string.patch
+0015-Disallow-semicolons-in-passed-commands.patch
+0016-Clarify-permission-checks.patch



--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
