
Bug#810130: marked as done (jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u4)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #810130,
regarding jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
810130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810130
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Happy new year!

As agreed with the security team, I’d like to fix some recently
disclosed but low impact security issues via pu. Even if CVE-2016-1501
(a “Full installation path disclosure”) is not really relevant to a
Debian package, the fix is small and sane enough to be worth including
IMHO.

Please note that #798895 has been superseded by DSA-3373-1 as well as
the present request.

Thanks in advance for considering.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index e2e2e21..c3b8c58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u4) jessie; urgency=medium
+
+  * Backport security fixes from 7.0.12, 8.0.10, and 8.0.9:
+    - Reflected XSS in OCS provider discovery
+      [oc-sa-2016-001] [CVE-2016-1498]
+    - Disclosure of files that begin with \".v\" due to unchecked return
+      value [oc-sa-2016-003] [CVE-2016-1500]
+    - Information Exposure Through Directory Listing in the file scanner
+      [oc-sa-2016-002] [CVE-2016-1499]
+    - Full installation path disclosure through error message
+      [oc-sa-2016-004] [CVE-2016-1501]
+
+ -- David Prévot <taffit@debian.org>  Tue, 05 Jan 2016 22:24:31 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u3) jessie-security; urgency=high
 
   * Backport security fixes from 7.0.5, 7.0.7, 8.0.6, and 7.0.9:
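Review bot: the CVE-2016-1500 entry carries backslash-escaped quotes (`\".v\"`) that will show up literally in the rendered changelog; plain `".v"` is what debian/changelog entries normally use. The version list "7.0.12, 8.0.10, and 8.0.9" would also read more naturally in ascending order.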
diff --git a/debian/patches/0027-Use-XMLWriter-to-generate-response.patch b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
new file mode 100644
index 0000000..c022c44
--- /dev/null
+++ b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
@@ -0,0 +1,62 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Mon, 30 Nov 2015 15:40:10 +0100
+Subject: Use XMLWriter to generate response
+
+Gets rid of manual XML generation.
+
+Origin: upstream, https://github.com/owncloud/core/commit/85e068a723c09d0f01ab3e10aa6a3f6a8c4c3227
+---
+ ocs/providers.php | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/ocs/providers.php b/ocs/providers.php
+index 2c62f76..769d210 100644
+--- a/ocs/providers.php
++++ b/ocs/providers.php
+@@ -27,20 +27,29 @@ header('Content-type: application/xml');
+ 
+ $url=OCP\Util::getServerProtocol().'://'.substr(OCP\Util::getServerHost().OCP\Util::getRequestUri(), 0, -17).'ocs/v1.php/';
+ 
+-echo('
+-<providers>
+-<provider>
+- <id>ownCloud</id>
+- <location>'.$url.'</location>
+- <name>ownCloud</name>
+- <icon></icon>
+- <termsofuse></termsofuse>
+- <register></register>
+- <services>
+-   <config ocsversion="1.7" />
+-   <activity ocsversion="1.7" />
+-   <cloud ocsversion="1.7" />
+- </services>
+-</provider>
+-</providers>
+-');
++$writer = new XMLWriter();
++$writer->openURI('php://output');
++$writer->startDocument('1.0','UTF-8');
++$writer->setIndent(4);
++$writer->startElement('providers');
++$writer->startElement('provider');
++$writer->writeElement('id', 'ownCloud');
++$writer->writeElement('location', $url);
++$writer->writeElement('name', 'ownCloud');
++$writer->writeElement('icon', '');
++$writer->writeElement('termsofuse', '');
++$writer->writeElement('register', '');
++$writer->startElement('services');
++$writer->startElement('config');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('activity');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('cloud');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->endElement();
++$writer->endElement();
++$writer->endDocument();
++$writer->flush();
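Review bot: the patch header describes this only as getting rid of manual XML generation, but the security-relevant line in the hunk is `$writer->writeElement('location', $url)`: `$url` is assembled from `OCP\Util::getServerHost()` and `OCP\Util::getRequestUri()`, the removed `echo` spliced it into the markup unescaped, and XMLWriter escapes element content. Since this is the CVE-2016-1498 fix, it is worth saying so in the patch description. Minor: `XMLWriter::setIndent()` takes a boolean, so `setIndent(4)` merely turns indentation on; `setIndentString()` is the call that sets the indent width.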
diff --git a/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
new file mode 100644
index 0000000..ec6da15
--- /dev/null
+++ b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
@@ -0,0 +1,39 @@
+From: Robin Appelman <icewind@owncloud.com>
+Date: Mon, 14 Dec 2015 15:59:36 +0100
+Subject: Handle non existing files in version previews
+
+Origin: upstream, https://github.com/owncloud/core/commit/f746100e13dcadf8a2b6d311422a1c66c959565c
+---
+ apps/files_versions/ajax/preview.php | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/apps/files_versions/ajax/preview.php b/apps/files_versions/ajax/preview.php
+index bd9b736..1056169 100644
+--- a/apps/files_versions/ajax/preview.php
++++ b/apps/files_versions/ajax/preview.php
+@@ -31,14 +31,18 @@ if($maxX === 0 || $maxY === 0) {
+ 
+ try {
+ 	list($user, $file) = \OCA\Files_Versions\Storage::getUidAndFilename($file);
+-	$preview = new \OC\Preview($user, 'files_versions', $file.'.v'.$version);
+-	$mimetype = \OC_Helper::getFileNameMimeType($file);
+-	$preview->setMimetype($mimetype);
+-	$preview->setMaxX($maxX);
+-	$preview->setMaxY($maxY);
+-	$preview->setScalingUp($scalingUp);
++	if (is_null($file)) {
++		\OC_Response::setStatus(404);
++	} else {
++		$preview = new \OC\Preview($user, 'files_versions', $file . '.v' . $version);
++		$mimetype = \OC_Helper::getFileNameMimeType($file);
++		$preview->setMimetype($mimetype);
++		$preview->setMaxX($maxX);
++		$preview->setMaxY($maxY);
++		$preview->setScalingUp($scalingUp);
+ 
+-	$preview->showPreview();
++		$preview->showPreview();
++	}
+ }catch(\Exception $e) {
+ 	\OC_Response::setStatus(500);
+ 	\OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG);
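Review bot: the new `is_null($file)` guard tests only the second value returned by `getUidAndFilename()`; if that helper can return a null `$user` for the same non-existing version, `\OC\Preview` is still constructed with it and the request ends up on the generic 500 path in the catch block instead of the intended 404. Confirm that a null `$file` is the only failure mode, or extend the check to `$user` as well.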
diff --git a/debian/patches/0029-Dont-output-paths-in-scan.php.patch b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
new file mode 100644
index 0000000..572d3c3
--- /dev/null
+++ b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
@@ -0,0 +1,35 @@
+From: Robin Appelman <icewind@owncloud.com>
+Date: Wed, 25 Nov 2015 15:21:01 +0100
+Subject: Dont output paths in scan.php
+
+Origin: backport, https://github.com/owncloud/core/commit/fab59179f1661da4862336fb8ea450c80def26d4
+---
+ apps/files/ajax/scan.php | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
+index d5d8848..e6cad5e 100644
+--- a/apps/files/ajax/scan.php
++++ b/apps/files/ajax/scan.php
+@@ -21,7 +21,6 @@ $listener = new ScanListener($eventSource);
+ foreach ($users as $user) {
+ 	$eventSource->send('user', $user);
+ 	$scanner = new \OC\Files\Utils\Scanner($user);
+-	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));
+ 	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));
+ 	if ($force) {
+ 		$scanner->scan($dir);
+@@ -50,13 +49,6 @@ class ScanListener {
+ 		$this->eventSource = $eventSource;
+ 	}
+ 
+-	/**
+-	 * @param string $path
+-	 */
+-	public function folder($path) {
+-		$this->eventSource->send('folder', $path);
+-	}
+-
+ 	public function file() {
+ 		$this->fileCount++;
+ 		if ($this->fileCount > $this->lastCount + 20) { //send a count update every 20 files
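Review bot: the two hunks of this patch do not agree. The first removes the `scanFile` listener (which invoked `ScanListener::file()`) and keeps the `scanFolder` listener that invokes `ScanListener::folder()`, while the second deletes `folder()` and keeps `file()`. As applied, the surviving `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'))` points at a method that no longer exists, and the file-count updates in `file()` are never triggered. The registration to drop is the `scanFolder` one, not `scanFile`; please recheck the backport against the upstream commit named in the Origin header before uploading.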
diff --git a/debian/patches/0030-Do-not-print-exception-message.patch b/debian/patches/0030-Do-not-print-exception-message.patch
new file mode 100644
index 0000000..b692dd3
--- /dev/null
+++ b/debian/patches/0030-Do-not-print-exception-message.patch
@@ -0,0 +1,40 @@
+From: Lukas Reschke <lukas@owncloud.com>
+Date: Sun, 25 Oct 2015 19:05:28 +0100
+Subject: Do not print exception message
+
+Origin: upstream, https://github.com/owncloud/core/commit/6897cbebc05fb4daa6b81daaac9b181120fcf529
+---
+ core/avatar/controller.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/avatar/controller.php b/core/avatar/controller.php
+index ca055f5..6076084 100644
+--- a/core/avatar/controller.php
++++ b/core/avatar/controller.php
+@@ -92,7 +92,7 @@ class Controller {
+ 				}
+ 			}
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin." )));
+ 		}
+ 	}
+ 
+@@ -107,7 +107,7 @@ class Controller {
+ 			$avatar->remove();
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ 
+@@ -158,7 +158,7 @@ class Controller {
+ 			\OC\Cache::remove('tmpavatar');
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ }
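Review bot: replacing `$e->getMessage()` with a fixed string in all three catch blocks keeps the exception text away from the client, but nothing records it any more, so the admin the user is told to contact has no trace to look at. Consider logging it at debug level, as the `preview.php` catch block in patch 0028 does with `\OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG)`. Minor: the three replacement lines are spaced inconsistently (`." )))` in the first versus `.") ))` in the other two).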
diff --git a/debian/patches/series b/debian/patches/series
index 561ad88..618364d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,7 @@ path/0009-Adapt-Dropbox-path.patch
 0024-Verify-if-path-exists.patch
 0025-Verify-if-path-exists-before-processing.patch
 0026-Prevent-objectstore-being-set-from-client-side.patch
+0027-Use-XMLWriter-to-generate-response.patch
+0028-Handle-non-existing-files-in-version-previews.patch
+0029-Dont-output-paths-in-scan.php.patch
+0030-Do-not-print-exception-message.patch



--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
