Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798895,
regarding jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
798895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798895
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2
- From: David Prévot <taffit@debian.org>
- Date: Sun, 13 Sep 2015 16:56:16 -0400
- Message-id: <55F5E2F0.3030900@debian.org>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fixes for CVE-2015-{471{6..8},6670} in owncloud. Source debdiff attached.

As noted in the ownCloud tracker, CVE-2015-4716 is only relevant on Windows, yet I’d still like to include its fix in order to avoid making any assumptions about how safely people are setting their servers: the one-liner fix is just about sanitizing variables, which should anyway be a good idea.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-006

Regards

David

diff --git a/debian/changelog b/debian/changelog index fe8558d..503bd03 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium + + * Backport security fixes from 7.0.6 and 7.0.8: + - Local file inclusion on MS Windows Platform + [OC-SA-2015-006] [CVE-2015-4716] + - Resource exhaustion when sanitizing filenames + [OC-SA-2015-007] [CVE-2015-4717] + - Command injection when using external SMB storage + [OC-SA-2015-008] [CVE-2015-4718] + - Calendar export: Authorization Bypass Through User-Controlled Key + [OC-SA-2015-015] [CVE-2015-6670] + + -- David Prévot <taffit@debian.org> Thu, 03 Sep 2015 19:38:32 -0400 + owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium * Upload to jessie-security as agreed with the security team diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch new file mode 100644 index 0000000..925066d --- /dev/null +++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch 
@@ -0,0 +1,22 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Tue, 31 Mar 2015 14:58:24 +0200 +Subject: Clean application identifier before processing + +Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce +--- + lib/private/route/router.php | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/private/route/router.php b/lib/private/route/router.php +index 9c973d7..a6ff51b 100644 +--- a/lib/private/route/router.php ++++ b/lib/private/route/router.php +@@ -204,6 +204,8 @@ class Router implements IRouter { + if (substr($url, 0, 6) === '/apps/') { + // empty string / 'apps' / $app / rest of the route + list(, , $app,) = explode('/', $url, 4); ++ ++ $app = \OC_App::cleanAppId($app); + \OC::$REQUESTEDAPP = $app; + $this->loadRoutes($app); + } else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') { diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch new file mode 100644 index 0000000..b9b252d --- /dev/null +++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch 
@@ -0,0 +1,50 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Fri, 13 Feb 2015 12:49:34 +0100 +Subject: Ensure that passed argument is always a string + +Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour. + +Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well. + +Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e +--- + apps/files/ajax/list.php | 2 +- + lib/private/files/filesystem.php | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php +index 4908016..21c88e2 100644 +--- a/apps/files/ajax/list.php ++++ b/apps/files/ajax/list.php +@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn(); + $l = OC_L10N::get('files'); + + // Load the files +-$dir = isset($_GET['dir']) ? $_GET['dir'] : ''; ++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : ''; + $dir = \OC\Files\Filesystem::normalizePath($dir); + + try { +diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php +index 492d9f1..a4d361d 100644 +--- a/lib/private/files/filesystem.php ++++ b/lib/private/files/filesystem.php +@@ -694,9 +694,18 @@ class Filesystem { + * Fix common problems with a file path + * @param string $path + * @param bool $stripTrailingSlash ++ * @param bool $isAbsolutePath + * @return string + */ + public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false) { ++ /** ++ * FIXME: This is a workaround for existing classes and files which call ++ * this function with another type than a valid string. This ++ * conversion should get removed as soon as all existing ++ * function calls have been fixed. ++ */ ++ $path = (string)$path; ++ + if ($path == '') { + return '/'; + } 
diff --git a/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch new file mode 100644 index 0000000..6fd2127 --- /dev/null +++ b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch @@ -0,0 +1,25 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Mon, 30 Mar 2015 21:51:57 +0200 +Subject: Disallow semicolons in passed commands + +Origin: upstream, https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4 +--- + apps/files_external/3rdparty/smb4php/smb.php | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/apps/files_external/3rdparty/smb4php/smb.php b/apps/files_external/3rdparty/smb4php/smb.php +index e325506..7ffdb42 100644 +--- a/apps/files_external/3rdparty/smb4php/smb.php ++++ b/apps/files_external/3rdparty/smb4php/smb.php +@@ -112,6 +112,11 @@ class smb { + + + function execute ($command, $purl, $regexp = NULL) { ++ if (strpos($command,';') !== false) { ++ trigger_error('Semicolon not supported in commands'); ++ exit(); ++ } ++ + return smb::client ('-d 0 ' + . escapeshellarg ('//' . $purl['host'] . '/' . $purl['share']) + . ' -c ' . escapeshellarg ($command), $purl, $regexp diff --git a/debian/patches/0016-Clarify-permission-checks.patch b/debian/patches/0016-Clarify-permission-checks.patch new file mode 100644 index 0000000..9c4e1a3 --- /dev/null +++ b/debian/patches/0016-Clarify-permission-checks.patch 
@@ -0,0 +1,25 @@ +From: Lukas Reschke <lukas@owncloud.com> +Date: Tue, 21 Jul 2015 14:44:03 +0200 +Subject: Clarify permission checks + +Origin: upstream, https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414 +--- + apps/calendar/lib/app.php | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php +index 8af0ff3..62e7e22 100644 +--- a/apps/calendar/lib/app.php ++++ b/apps/calendar/lib/app.php +@@ -50,8 +50,10 @@ class OC_Calendar_App{ + } + } + if($security === true && $shared === true) { +- if(OCP\Share::getItemSharedWithBySource('calendar', $id)) { ++ if(OCP\User::getUser() === $calendar['userid'] || OCP\Share::getItemSharedWithBySource('calendar', $id)) { + return $calendar; ++ } else { ++ return false; + } + } + return $calendar; diff --git a/debian/patches/series b/debian/patches/series index ab6e650..42ca44e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,7 @@ path/0009-Adapt-Dropbox-path.patch 0010-Fix-encoding-in-3rdparty-lib.patch 0011-Apply-some-upstream-patches.patch 0012-Normalize-before-processing.patch +0013-Clean-application-identifier-before-processing.patch +0014-Ensure-that-passed-argument-is-always-a-string.patch +0015-Disallow-semicolons-in-passed-commands.patch +0016-Clarify-permission-checks.patchAttachment: signature.asc
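Review bot: in patch 0013 the new `$app = \OC_App::cleanAppId($app);` is placed before both `\OC::$REQUESTEDAPP = $app;` and `$this->loadRoutes($app);`, so both consumers of the identifier taken from the `/apps/` URL segment see the cleaned value, which is the right spot. Because this is an upstream commit dated 31 Mar 2015 being backported onto 7.0.4, please confirm that `OC_App::cleanAppId()` exists with the same semantics in the jessie source tree: the patch does not add it, and a missing method would turn every `/apps/...` request into a fatal error rather than a sanitized one.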
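Review bot: in patch 0014 the `(string)` cast at the top of `normalizePath()` in filesystem.php is what actually closes the non-string input case for every caller, while the list.php change (`(string)$_GET['dir']`) only corrects the one caller the commit message names; the FIXME comment itself says other callers still pass other types, so the docblock should state that `$path` is coerced to string rather than leaving that only in the FIXME. Note that in PHP an array cast to string becomes the literal `"Array"` (with a notice), so a non-string request parameter now reaches the path-sanitizing code as a short fixed string instead of the type that triggered the unexpected behaviour the changelog ties to CVE-2015-4717. The added `@param bool $isAbsolutePath` line fixes a docblock that was missing the third parameter; good.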
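Review bot: in patch 0015 the `exit()` inside `smb::execute()` terminates the whole request with no structured error, and `trigger_error()` with its default level only raises a notice, so the files_external caller never learns why the operation stopped; returning false or throwing an exception that the storage layer can report would be cleaner, although taking the upstream commit verbatim is defensible for a stable update. It is also worth recording in the patch header what the check covers: `$command` is already wrapped in `escapeshellarg()` for the `-c` argument, so the semicolon filter targets the command separator of the string handed to smbclient rather than shell metacharacters. As a single-character denylist it should be re-checked against smbclient's `-c` syntax whenever the vendored smb4php copy is updated.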
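Review bot: in patch 0016 the added `else { return false; }` closes the fall-through that existed before: when `$security` and `$shared` were both true and `OCP\Share::getItemSharedWithBySource('calendar', $id)` returned nothing, control continued to the trailing `return $calendar;` and the calendar was handed back anyway, which is the authorization bypass the changelog ties to CVE-2015-6670. The new `OCP\User::getUser() === $calendar['userid']` clause additionally lets the owner through on that branch. The trailing `return $calendar;` still remains for every call where `$security === true && $shared === true` does not hold, so callers that pass `$shared = false` must be doing their own ownership check; please confirm that for the calendar export path before relying on this hunk alone.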
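Review bot: the four patches appended to debian/patches/series carry only From, Date, Subject and Origin headers; adding a DEP-3 `Bug-Debian:` line pointing at #798895 and the matching CVE identifier from the changelog to each patch would make the mapping from patch file to advisory visible without consulting debian/changelog, which helps when patches are later dropped or rebased.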
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 
805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3 Jessie point release.

Regards,

Adam
--- End Message ---