tags 701115 + pending
thanks

Dear maintainer,
Prach Pongpanich has prepared an NMU for owncloud (versioned as 4.0.8debian-1.5) and I've uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. -- .''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Ben Weaver: Ballad of a thin man
diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog 2013-01-25 21:36:36.000000000 +0100
+++ owncloud-4.0.8debian/debian/changelog 2013-02-28 19:15:56.000000000 +0100
@@ -1,3 +1,16 @@
+owncloud (4.0.8debian-1.5) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Multiple security fixes (Closes: #701115):
+ + debian/patches/13_oc-sa-2013-003.patch:
+ - CVE-2013-0297 and CVE-2013-0307: XSS vulnerability
+ + debian/patches/14_oc-sa-2013-004.patch:
+ - CVE-2013-0299 and CVE-2013-0301: Multiple CSRF vulnerabilities
+ + debian/patches/15_oc-sa-2013-006.patch:
+ - CVE-2013-0303: Multiple code executions
+
+ -- Prach Pongpanich <prach...@gmail.com> Wed, 27 Feb 2013 11:38:52 +0700
+
 owncloud (4.0.8debian-1.4) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru owncloud-4.0.8debian/debian/patches/13_oc-sa-2013-003.patch owncloud-4.0.8debian/debian/patches/13_oc-sa-2013-003.patch
--- owncloud-4.0.8debian/debian/patches/13_oc-sa-2013-003.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/13_oc-sa-2013-003.patch 2013-02-28 19:15:56.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Fix multiple cross-site scripting (XSS) vulnerabilities (CVE-2013-0297, CVE-2013-0307)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+Index: owncloud-4.0.8debian/settings/js/users.js
+===================================================================
+--- owncloud-4.0.8debian.orig/settings/js/users.js 2012-10-09 22:10:37.000000000 +0700
++++ owncloud-4.0.8debian/settings/js/users.js 2013-02-27 11:48:53.000000000 +0700
+@@ -43,7 +43,7 @@
+ var addGroup = function(group) {
+ $('select[multiple]').each(function(index, element) {
+ if ($(element).find('option[value="'+group +'"]').length == 0) {
+- $(element).append('<option value="'+group+'">'+group+'</option>');
++ $(element).append('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>');
+ }
+ })
+ };
+Index: owncloud-4.0.8debian/apps/external/templates/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/external/templates/settings.php 2012-10-09 22:10:37.000000000 +0700
++++ owncloud-4.0.8debian/apps/external/templates/settings.php 2013-02-27 11:48:53.000000000 +0700
+@@ -6,8 +6,8 @@
+ <?php
+ $sites = OC_External::getSites();
+ for($i = 0; $i < sizeof($sites); $i++) {
+- echo '<li><input type="text" name="site_name[]" class="site_name" value="'.$sites[$i][0].'" placeholder="'.$l->t('Name').'" />
+- <input type="text" class="site_url" name="site_url[]" value="'.$sites[$i][1].'" placeholder="'.$l->t('URL').'" />
++ echo '<li><input type="text" name="site_name[]" class="site_name" value="'.OC_Util::sanitizeHTML($sites[$i][0]).'" placeholder="'.$l->t('Name').'" />
++ <input type="text" class="site_url" name="site_url[]" value="'.OC_Util::sanitizeHTML($sites[$i][1]).'" placeholder="'.$l->t('URL').'" />
+ <img class="svg action delete_button" src="'.OCP\image_path("", "actions/delete.svg") .'" title="'.$l->t("Remove site").'" />
+ </li>';
+ }
diff -Nru owncloud-4.0.8debian/debian/patches/14_oc-sa-2013-004.patch owncloud-4.0.8debian/debian/patches/14_oc-sa-2013-004.patch
--- owncloud-4.0.8debian/debian/patches/14_oc-sa-2013-004.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/14_oc-sa-2013-004.patch 2013-02-28 19:15:56.000000000 +0100
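Review bot: The rewritten `.append()` line in `addGroup` calls a global `escapeHTML(group)` that this patch does not define anywhere; if core/js/js.js in the 4.0.8 tree lacks that helper, the call throws a ReferenceError and adding a group to the multi-select silently stops working, which is a regression on top of the XSS it was meant to close. The patch is marked `Origin: upstream`, so please verify the helper was backported alongside it, or add it in this patch, e.g. `function escapeHTML(s) { return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;').split('"').join('&quot;').split('\'').join('&#039;'); }`. The same check applies to `OC_Util::sanitizeHTML` on the PHP side, whose presence in this tree the patch likewise assumes rather than shows.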
@@ -0,0 +1,126 @@
+Description: Fix multiple cross-site request forgery (CSRF) vulnerabilities (CVE-2013-0299,CVE-2013-0301)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+--- a/apps/calendar/ajax/settings/guesstimezone.php
++++ b/apps/calendar/ajax/settings/guesstimezone.php
+@@ -9,6 +9,7 @@
+
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+
+ $l = OC_L10N::get('calendar');
+
+--- a/apps/admin_migrate/settings.php
++++ b/apps/admin_migrate/settings.php
+@@ -27,6 +27,8 @@ OCP\App::checkAppEnabled('admin_migrate');
+
+ // Export?
+ if (isset($_POST['admin_export'])) {
++ OCP\JSON::callCheck();
++
+ // Create the export zip
+ $response = json_decode( OC_Migrate::export( null, $_POST['export_type'] ) );
+ if( !$response->success ){
+@@ -44,6 +46,7 @@ if (isset($_POST['admin_export'])) {
+ }
+ // Import?
+ } else if( isset($_POST['admin_import']) ){
++ OCP\JSON::callCheck();
+ $from = $_FILES['owncloud_import']['tmp_name'];
+
+ if( !OC_Migrate::import( $from, 'instance' ) ){
+--- a/apps/admin_migrate/templates/settings.php
++++ b/apps/admin_migrate/templates/settings.php
+@@ -6,6 +6,7 @@
+ </p>
+ <h3>What would you like to export?</h3>
+ <p>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ <input type="radio" name="export_type" value="instance" style="width:20px;" /> ownCloud instance (suitable for import )<br />
+ <input type="radio" name="export_type" value="system" style="width:20px;" /> ownCloud system files<br />
+ <input type="radio" name="export_type" value="userfiles" style="width:20px;" /> Just user files<br />
+--- a/apps/calendar/ajax/settings/settimezone.php
++++ b/apps/calendar/ajax/settings/settimezone.php
+@@ -14,6 +14,7 @@ $l=OC_L10N::get('calendar');
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+
+ // Get data
+ if( isset( $_POST['timezone'] ) ){
+--- a/apps/calendar/ajax/settings/timezonedetection.php
++++ b/apps/calendar/ajax/settings/timezonedetection.php
+@@ -8,6 +8,8 @@
+
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
++
+ if(array_key_exists('timezonedetection', $_POST) && $_POST['timezonedetection'] == 'on'){
+ OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timezonedetection', 'true');
+ }else{
+--- a/apps/user_ldap/settings.php
++++ b/apps/user_ldap/settings.php
+@@ -28,6 +28,8 @@ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'lda
+ OCP\Util::addscript('user_ldap', 'settings');
+
+ if ($_POST) {
++ OCP\JSON::callCheck();
++
+ foreach($params as $param){
+ if(isset($_POST[$param])){
+ if('ldap_agent_password' == $param) {
+--- a/apps/user_ldap/templates/settings.php
++++ b/apps/user_ldap/templates/settings.php
+@@ -28,6 +28,7 @@
+ <p><label for="ldap_email_attr">Email Attribute</label><input type="text" id="ldap_email_attr" name="ldap_email_attr" value="<?php echo $_['ldap_email_attr']; ?>" /></p>
+ </fieldset>
+ <input type="submit" value="Save" /> <a href="http://owncloud.org/support/ldap-backend/" target="_blank"><img src="<?php echo OCP\Util::imagePath('','actions/info.png'); ?>" style="height:1.75ex" /> <?php echo $l->t('Help');?></a>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ </div>
+
+ </form>
+--- a/apps/user_migrate/ajax/export.php
++++ b/apps/user_migrate/ajax/export.php
+@@ -25,6 +25,7 @@
+
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ OCP\App::checkAppEnabled('user_migrate');
+ // Which operation
+ if( $_GET['operation']=='create' ){
+--- a/apps/user_migrate/js/export.js
++++ b/apps/user_migrate/js/export.js
+@@ -9,7 +9,7 @@ $(document).ready(function(){
+ function(result){
+ if(result.status == 'success'){
+ // Download the file
+- window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download';
++ window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download&requesttoken=' + requesttoken;
+ $('.loading').hide();
+ $('#exportbtn').val(t('user_migrate', 'Export'));
+ } else {
+--- a/apps/user_migrate/settings.php
++++ b/apps/user_migrate/settings.php
+@@ -27,6 +27,7 @@ OC_Util::checkLoggedIn();
+
+ OCP\App::checkAppEnabled('user_migrate');
+ if (isset($_POST['user_import'])) {
++ OCP\JSON::callCheck();
+ $root = OC::$SERVERROOT . "/";
+ $importname = "owncloud_import_" . date("y-m-d_H-i-s");
+
+--- a/apps/user_migrate/templates/settings.php
++++ b/apps/user_migrate/templates/settings.php
+@@ -14,6 +14,7 @@
+ </p>
+ <p><input type="file" id="owncloud_import" name="owncloud_import" style="width:180px;"><label for="owncloud_import"> <?php echo $l->t('ownCloud User Zip');?></label>
+ </p>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ <input type="submit" name="user_import" value="<?php echo $l->t('Import'); ?>" />
+ </fieldset>
+ </form>
diff -Nru owncloud-4.0.8debian/debian/patches/15_oc-sa-2013-006.patch owncloud-4.0.8debian/debian/patches/15_oc-sa-2013-006.patch
--- owncloud-4.0.8debian/debian/patches/15_oc-sa-2013-006.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/15_oc-sa-2013-006.patch 2013-02-28 19:15:56.000000000 +0100
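Review bot: The apps/admin_migrate/settings.php hunks add `OCP\JSON::callCheck()` to both the `admin_export` and the `admin_import` branches, but the matching template hunk adds a `requesttoken` hidden field only once, inside the export `<p>` next to the radio buttons; if the import upload lives in a separate `<form>` (the form tags are outside the hunk) it submits no token and every import is rejected by the new check. Add the same field beside the `owncloud_import` file input, as the user_migrate template hunk does: `<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">`. All three templates also assume `$_['requesttoken']` is populated for app settings pages on 4.0.8, and an empty value makes these forms fail closed, so confirm that before uploading. Note too that export.js now carries the token in a GET URL (`?operation=download&requesttoken=`), where it lands in browser history and access logs; that is acceptable only if the token is per-session.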
@@ -0,0 +1,74 @@
+Description: Fix a code executions vulnerability (CVE-2013-0303)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+--- a/core/ajax/translations.php
++++ b/core/ajax/translations.php
+@@ -25,6 +25,7 @@
+ require_once('../../lib/base.php');
+
+ $app = $_POST["app"];
++$app = OC_App::cleanAppId($app);
+
+ $l = OC_L10N::get( $app );
+
+--- a/lib/app.php
++++ b/lib/app.php
+@@ -38,6 +38,15 @@ class OC_App{
+ static private $loadedApps = array();
+
+ /**
++ * @brief clean the appid
++ * @param $app Appid that needs to be cleaned
++ * @return string
++ */
++ public static function cleanAppId($app) {
++ return str_replace(array('\0', '/', '\\', '..'), '', $app);
++ }
++
++ /**
+ * @brief loads all apps
+ * @param array $types
+ * @returns true/false
+--- a/lib/base.php
++++ b/lib/base.php
+@@ -444,7 +444,7 @@ class OC{
+ register_shutdown_function(array('OC_Helper','cleanTmp'));
+
+ //parse the given parameters
+- self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
++ self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?OC_App::cleanAppId(strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
+ if(substr_count(self::$REQUESTEDAPP, '?') != 0){
+ $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
+ $param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1);
+--- a/lib/l10n.php
++++ b/lib/l10n.php
+@@ -77,6 +77,7 @@ class OC_L10N{
+ * language.
+ */
+ public function __construct($app, $lang = null){
++ $app = OC_App::cleanAppId($app);
+ // Find the right language
+ if(is_null($lang)){
+ $lang = self::findLanguage($app);
+--- a/settings/ajax/disableapp.php
++++ b/settings/ajax/disableapp.php
+@@ -5,6 +5,6 @@ OC_JSON::checkAdminUser();
+ OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+
+-OC_App::disable($_POST['appid']);
++OC_App::disable(OC_App::cleanAppId($_POST['appid']));
+
+ OC_JSON::success();
+--- a/settings/ajax/enableapp.php
++++ b/settings/ajax/enableapp.php
+@@ -6,7 +6,7 @@ OC_JSON::checkAdminUser();
+ OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+
+-if(OC_App::enable($_POST['appid'])){
++if(OC_App::enable(OC_App::cleanAppId($_POST['appid']))){
+ OC_JSON::success();
+ }else{
+ OC_JSON::error();
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series 2013-01-25 21:36:36.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/series 2013-02-28 19:15:56.000000000 +0100
@@ -12,3 +12,6 @@
 10_oc-sa-2012-006.patch
 11_oc-sa-2012-007.patch
 12_oc-sa-2013-001.patch
+13_oc-sa-2013-003.patch
+14_oc-sa-2013-004.patch
+15_oc-sa-2013-006.patch
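Review bot: The needle list in the new `OC_App::cleanAppId` uses `'\0'` in single quotes, which in PHP is the two-character string backslash-zero rather than a NUL byte, so a real `%00` in `app`/`appid` survives the filter (the old base.php line had the same slip, so this patch only centralises it); whether that still matters depends on what `OC_L10N::__construct` does with `$app` after the hunk, its body continues outside it. Use `"\0"` or `chr(0)` in the array, or better, allow-list instead of strip: `return preg_match('/^[a-zA-Z0-9_]+$/', $app) ? $app : '';` (check apps/*/appinfo first in case a shipped app id uses another character). Also note that `str_replace` applies the needles in order and `..` is deliberately last so that `./.` collapses to nothing; keep that order if the list is edited, and say so above the return: `// '..' must stay last: stripping '/' and '\\' first can form new '..' sequences`.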