Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi,
As already discussed with the security team, please accept the fixes for
CVE-2015-{471{6..8},6670} in owncloud. Source debdiff attached.
As noted in the ownCloud tracker, CVE-2015-4716 is only relevant on
Windows, yet I’d still like to include its fix in order to avoid making
any assumptions about how safely people are setting their servers: the
one-liner fix is just about sanitizing variables, that should anyway be
a good idea.
1: https://owncloud.org/security/advisory/?id=oc-sa-2015-006
Regards
David
diff --git a/debian/changelog b/debian/changelog index fe8558d..503bd03 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium + + * Backport security fixes from 7.0.6 and 7.0.8: + - Local file inclusion on MS Windows Platform + [OC-SA-2015-006] [CVE-2015-4716] + - Resource exhaustion when sanitizing filenames + [OC-SA-2015-007] [CVE-2015-4717] + - Command injection when using external SMB storage + [OC-SA-2015-008] [CVE-2015-4718] + - Calendar export: Authorization Bypass Through User-Controlled Key + [OC-SA-2015-015] [CVE-2015-6670] + + -- David Prévot <taf...@debian.org> Thu, 03 Sep 2015 19:38:32 -0400 + owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium * Upload to jessie-security as agreed with the security team diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch new file mode 100644 index 0000000..925066d --- /dev/null +++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch @@ -0,0 +1,22 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Tue, 31 Mar 2015 14:58:24 +0200 +Subject: Clean application identifier before processing + +Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce +--- + lib/private/route/router.php | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/private/route/router.php b/lib/private/route/router.php +index 9c973d7..a6ff51b 100644 +--- a/lib/private/route/router.php ++++ b/lib/private/route/router.php +@@ -204,6 +204,8 @@ class Router implements IRouter { + if (substr($url, 0, 6) === '/apps/') { + // empty string / 'apps' / $app / rest of the route + list(, , $app,) = explode('/', $url, 4); ++ ++ $app = \OC_App::cleanAppId($app); + \OC::$REQUESTEDAPP = $app; + $this->loadRoutes($app); + } else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') { diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch new file mode 100644 index 0000000..b9b252d --- /dev/null +++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch @@ -0,0 +1,50 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Fri, 13 Feb 2015 12:49:34 +0100 +Subject: Ensure that passed argument is always a string + +Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour. + +Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well. + +Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e +--- + apps/files/ajax/list.php | 2 +- + lib/private/files/filesystem.php | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php +index 4908016..21c88e2 100644 +--- a/apps/files/ajax/list.php ++++ b/apps/files/ajax/list.php +@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn(); + $l = OC_L10N::get('files'); + + // Load the files +-$dir = isset($_GET['dir']) ? $_GET['dir'] : ''; ++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : ''; + $dir = \OC\Files\Filesystem::normalizePath($dir); + + try { +diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php +index 492d9f1..a4d361d 100644 +--- a/lib/private/files/filesystem.php ++++ b/lib/private/files/filesystem.php +@@ -694,9 +694,18 @@ class Filesystem { + * Fix common problems with a file path + * @param string $path + * @param bool $stripTrailingSlash ++ * @param bool $isAbsolutePath + * @return string + */ + public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false) { ++ /** ++ * FIXME: This is a workaround for existing classes and files which call ++ * this function with another type than a valid string. This ++ * conversion should get removed as soon as all existing ++ * function calls have been fixed. ++ */ ++ $path = (string)$path; ++ + if ($path == '') { + return '/'; + } diff --git a/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch new file mode 100644 index 0000000..6fd2127 --- /dev/null +++ b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch @@ -0,0 +1,25 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Mon, 30 Mar 2015 21:51:57 +0200 +Subject: Disallow semicolons in passed commands + +Origin: upstream, https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4 +--- + apps/files_external/3rdparty/smb4php/smb.php | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/apps/files_external/3rdparty/smb4php/smb.php b/apps/files_external/3rdparty/smb4php/smb.php +index e325506..7ffdb42 100644 +--- a/apps/files_external/3rdparty/smb4php/smb.php ++++ b/apps/files_external/3rdparty/smb4php/smb.php +@@ -112,6 +112,11 @@ class smb { + + + function execute ($command, $purl, $regexp = NULL) { ++ if (strpos($command,';') !== false) { ++ trigger_error('Semicolon not supported in commands'); ++ exit(); ++ } ++ + return smb::client ('-d 0 ' + . escapeshellarg ('//' . $purl['host'] . '/' . $purl['share']) + . ' -c ' . escapeshellarg ($command), $purl, $regexp diff --git a/debian/patches/0016-Clarify-permission-checks.patch b/debian/patches/0016-Clarify-permission-checks.patch new file mode 100644 index 0000000..9c4e1a3 --- /dev/null +++ b/debian/patches/0016-Clarify-permission-checks.patch @@ -0,0 +1,25 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Tue, 21 Jul 2015 14:44:03 +0200 +Subject: Clarify permission checks + +Origin: upstream, https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414 +--- + apps/calendar/lib/app.php | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php +index 8af0ff3..62e7e22 100644 +--- a/apps/calendar/lib/app.php ++++ b/apps/calendar/lib/app.php +@@ -50,8 +50,10 @@ class OC_Calendar_App{ + } + } + if($security === true && $shared === true) { +- if(OCP\Share::getItemSharedWithBySource('calendar', $id)) { ++ if(OCP\User::getUser() === $calendar['userid'] || OCP\Share::getItemSharedWithBySource('calendar', $id)) { + return $calendar; ++ } else { ++ return false; + } + } + return $calendar; diff --git a/debian/patches/series b/debian/patches/series index ab6e650..42ca44e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,7 @@ path/0009-Adapt-Dropbox-path.patch 0010-Fix-encoding-in-3rdparty-lib.patch 0011-Apply-some-upstream-patches.patch 0012-Normalize-before-processing.patch +0013-Clean-application-identifier-before-processing.patch +0014-Ensure-that-passed-argument-is-always-a-string.patch +0015-Disallow-semicolons-in-passed-commands.patch +0016-Clarify-permission-checks.patch
signature.asc
Description: OpenPGP digital signature
