Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

As already discussed with the security team, please accept the fix for CVE-2015-4715 in php-dropbox. Source debdiff attached.

As noted in the ownCloud tracker [1], the issue is only relevant if a server runs PHP below 5.6.0, or if some default has been changed. Yet, since the owncloud (and php-dropbox) packages from Jessie can be used (and I know they are actually used) out of the box on Wheezy, having the fix in the next point release makes sense.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-005

Regards

David
diff --git a/debian/changelog b/debian/changelog index aa86e22..c643681 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium + + * Refuse to handle any files containing a @ [CVE-2015-4715] + * Track Jessie + + -- David Prévot <taf...@debian.org> Sat, 05 Sep 2015 14:19:37 -0400 + php-dropbox (1.0.0-3) unstable; urgency=medium * Include ownCloud specific patches diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch new file mode 100644 index 0000000..acd912b --- /dev/null +++ b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch 
@@ -0,0 +1,30 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Tue, 7 Apr 2015 15:12:10 +0200 +Subject: Revert custom patch that can cause problems + +Origin: upstream, https://github.com/owncloud/core/commit/7071cf15c25be4a0e4178019c625c57b898e4216 +--- + Dropbox-1.0.0/Dropbox/OAuth/Curl.php | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php +index 6ea6873..9aa6852 100644 +--- a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php ++++ b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php +@@ -72,8 +72,14 @@ class Dropbox_OAuth_Curl extends Dropbox_OAuth { + if (strtoupper($method) == 'POST') { + curl_setopt($ch, CURLOPT_URL, $uri); + curl_setopt($ch, CURLOPT_POST, true); +-// if (is_array($arguments)) +-// $arguments=http_build_query($arguments); ++ ++ //if (is_array($arguments)) ++ // $arguments=http_build_query($arguments); ++ foreach ($arguments as $key => $value) { ++ if($value[0] === '@') { ++ exit(); ++ } ++ } + curl_setopt($ch, CURLOPT_POSTFIELDS, $arguments); + // $httpHeaders['Content-Length']=strlen($arguments); + } else { diff --git a/debian/patches/series b/debian/patches/series index 5c66984..a104f36 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Include-ownCloud-specific-patches.patch +0002-Revert-custom-patch-that-can-cause-problems.patch
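Review bot: the new check in the Curl.php hunk of 0002-Revert-custom-patch-that-can-cause-problems.patch calls `exit()` when a value begins with '@', which terminates the whole PHP request with no exception, no log line and no HTTP error, so an operator cannot tell a blocked upload from a crashed worker; throwing an exception (or returning an error the caller can report) gives the same protection and something to detect. The guard `if($value[0] === '@')` also assumes every element of `$arguments` is a non-empty string: an empty value raises an "Uninitialized string offset" notice on PHP 5, and a nested array element is passed on to CURLOPT_POSTFIELDS unchecked; `is_string($value) && $value !== '' && $value[0] === '@'` covers both cases. Since the '@' file-upload interpretation only applies when CURLOPT_POSTFIELDS receives an array (PHP below 5.6.0, or CURLOPT_SAFE_UPLOAD set to false), the commented-out `http_build_query($arguments)` line would remove the hazard altogether if the Dropbox API endpoints accept urlencoded bodies; worth a sentence in the patch header explaining why the array form is kept.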
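Review bot: the debian/changelog hunk records the CVE but neither the changelog nor the DEP-3 header of 0002-Revert-custom-patch-that-can-cause-problems.patch references the ownCloud advisory linked in the mail (https://owncloud.org/security/advisory/?id=oc-sa-2015-005); adding it as a `Bug:` line next to the existing `Origin:` line would let someone auditing the package find the rationale without this bug report. The patch's Subject ("Revert custom patch that can cause problems") is the upstream commit title and does not say that the change adds the '@' rejection, so a short `Description:`/comment line stating that it is the CVE-2015-4715 fix would help future maintainers.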
signature.asc
Description: OpenPGP digital signature
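For readers who maintain their own cURL wrappers, the following is an added example (not code from php-dropbox, ownCloud or the Debian package) of how the same protection can be written so that it fails loudly instead of calling exit(), and so that the legacy '@' upload syntax is disabled where PHP offers the switch. The function names and the exception class are assumptions for this illustration; the sample fields at the bottom are constructed.

```php
<?php
// Added example, not part of the Debian bug report or of php-dropbox.
// Names below (UnsafePostFieldException, assert_safe_post_fields,
// safe_post_request) are assumptions for this illustration.

class UnsafePostFieldException extends InvalidArgumentException {}

/**
 * Validate form fields before they reach CURLOPT_POSTFIELDS.
 *
 * On PHP < 5.6.0, or when CURLOPT_SAFE_UPLOAD has been set to false, passing
 * an array to CURLOPT_POSTFIELDS makes cURL treat a value that starts with
 * '@' as "upload the file at this path". Rejecting such values with an
 * exception (rather than exit()) keeps the request from proceeding while
 * giving the caller something to log and report.
 */
function assert_safe_post_fields(array $fields)
{
    foreach ($fields as $key => $value) {
        if (!is_scalar($value)) {
            throw new UnsafePostFieldException("Field '$key' must be scalar");
        }
        $value = (string) $value;
        // Check for a non-empty string first: $value[0] on '' raises a notice.
        if ($value !== '' && $value[0] === '@') {
            throw new UnsafePostFieldException("Field '$key' starts with '@'");
        }
    }
    return $fields;
}

/**
 * Configure $ch for a POST to $uri with validated, urlencoded fields.
 */
function safe_post_request($ch, $uri, array $fields)
{
    curl_setopt($ch, CURLOPT_URL, $uri);
    curl_setopt($ch, CURLOPT_POST, true);
    // Defence in depth: where the option exists (PHP >= 5.5) make sure the
    // '@' upload syntax is off even if php.ini or earlier code changed it.
    if (defined('CURLOPT_SAFE_UPLOAD')) {
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }
    // Encoding the array ourselves means cURL never sees an array, so the
    // '@' interpretation cannot apply regardless of PHP version.
    $body = http_build_query(assert_safe_post_fields($fields));
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_HTTPHEADER,
        array('Content-Type: application/x-www-form-urlencoded'));
}

// Constructed sample input: one benign field, one that starts with '@'.
try {
    assert_safe_post_fields(array('path' => '/Photos/a.jpg'));
    echo "benign field accepted\n";
    assert_safe_post_fields(array('path' => '@not-a-file'));
} catch (UnsafePostFieldException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The two layers are independent: assert_safe_post_fields() applies on any PHP version, and the CURLOPT_SAFE_UPLOAD / http_build_query path guarantees that cURL never receives an array, which is the only form in which the '@' prefix is interpreted.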