Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, Happy new year! As agreed with the security team, I’d like to fix some recently disclosed but low-impact security issues via pu. Even though CVE-2016-1501 (a “Full installation path disclosure”) is not really relevant for a Debian package, the fix is small and sane enough to be worth including IMHO. Please note that #798895 has been superseded by DSA-3373-1 as well as by the present request. Thanks in advance for considering it. Regards David
diff --git a/debian/changelog b/debian/changelog
index e2e2e21..c3b8c58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u4) jessie; urgency=medium
+
+ * Backport security fixes from 7.0.12, 8.0.10, and 8.0.9:
+ - Reflected XSS in OCS provider discovery
+ [oc-sa-2016-001] [CVE-2016-1498]
+ - Disclosure of files that begin with \".v\" due to unchecked return
+ value [oc-sa-2016-003] [CVE-2016-1500]
+ - Information Exposure Through Directory Listing in the file scanner
+ [oc-sa-2016-002] [CVE-2016-1499]
+ - Full installation path disclosure through error message
+ [oc-sa-2016-004] [CVE-2016-1501]
+
+ -- David Prévot <taf...@debian.org> Tue, 05 Jan 2016 22:24:31 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u3) jessie-security; urgency=high
 
 * Backport security fixes from 7.0.5, 7.0.7, 8.0.6, and 7.0.9:
diff --git a/debian/patches/0027-Use-XMLWriter-to-generate-response.patch b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
new file mode 100644
index 0000000..c022c44
--- /dev/null
+++ b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
@@ -0,0 +1,62 @@
+From: Lukas Reschke <lu...@owncloud.com>
+Date: Mon, 30 Nov 2015 15:40:10 +0100
+Subject: Use XMLWriter to generate response
+
+Gets rid of manual XML generation.
+
+Origin: upstream, https://github.com/owncloud/core/commit/85e068a723c09d0f01ab3e10aa6a3f6a8c4c3227
+---
+ ocs/providers.php | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/ocs/providers.php b/ocs/providers.php
+index 2c62f76..769d210 100644
+--- a/ocs/providers.php
++++ b/ocs/providers.php
+@@ -27,20 +27,29 @@ header('Content-type: application/xml');
+ 
+ $url=OCP\Util::getServerProtocol().'://'.substr(OCP\Util::getServerHost().OCP\Util::getRequestUri(), 0, -17).'ocs/v1.php/';
+ 
+-echo('
+-<providers>
+-<provider>
+- <id>ownCloud</id>
+- <location>'.$url.'</location>
+- <name>ownCloud</name>
+- <icon></icon>
+- <termsofuse></termsofuse>
+- <register></register>
+- <services>
+- <config ocsversion="1.7" />
+- <activity ocsversion="1.7" />
+- <cloud ocsversion="1.7" />
+- </services>
+-</provider>
+-</providers>
+-');
++$writer = new XMLWriter();
++$writer->openURI('php://output');
++$writer->startDocument('1.0','UTF-8');
++$writer->setIndent(4);
++$writer->startElement('providers');
++$writer->startElement('provider');
++$writer->writeElement('id', 'ownCloud');
++$writer->writeElement('location', $url);
++$writer->writeElement('name', 'ownCloud');
++$writer->writeElement('icon', '');
++$writer->writeElement('termsofuse', '');
++$writer->writeElement('register', '');
++$writer->startElement('services');
++$writer->startElement('config');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('activity');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('cloud');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->endElement();
++$writer->endElement();
++$writer->endDocument();
++$writer->flush();
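Review bot: The value handed to `writeElement('location', $url)` is still built from request-controlled input (`OCP\Util::getServerHost()` and `getRequestUri()`, sliced with `substr(..., 0, -17)`), and nothing in the hunk records that XMLWriter's escaping is now what makes emitting it safe; a comment such as `// $url is derived from request headers: keep it in writeElement() so XMLWriter escapes it, never concatenate it into markup` would protect the fix from a later "simplification" back to string building. The fixed `-17` slice also assumes the request URI ends exactly in `ocs/providers.php`; with a query string or extra path component the computed location is wrong, which is pre-existing but worth noting next to that line. `setIndent(4)` passes an int where XMLWriter::setIndent takes a bool; `$writer->setIndent(true);` says what is meant.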
diff --git a/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
new file mode 100644
index 0000000..ec6da15
--- /dev/null
+++ b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
@@ -0,0 +1,39 @@
+From: Robin Appelman <icew...@owncloud.com>
+Date: Mon, 14 Dec 2015 15:59:36 +0100
+Subject: Handle non existing files in version previews
+
+Origin: upstream, https://github.com/owncloud/core/commit/f746100e13dcadf8a2b6d311422a1c66c959565c
+---
+ apps/files_versions/ajax/preview.php | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/apps/files_versions/ajax/preview.php b/apps/files_versions/ajax/preview.php
+index bd9b736..1056169 100644
+--- a/apps/files_versions/ajax/preview.php
++++ b/apps/files_versions/ajax/preview.php
+@@ -31,14 +31,18 @@ if($maxX === 0 || $maxY === 0) {
+ 
+ try {
+ list($user, $file) = \OCA\Files_Versions\Storage::getUidAndFilename($file);
+- $preview = new \OC\Preview($user, 'files_versions', $file.'.v'.$version);
+- $mimetype = \OC_Helper::getFileNameMimeType($file);
+- $preview->setMimetype($mimetype);
+- $preview->setMaxX($maxX);
+- $preview->setMaxY($maxY);
+- $preview->setScalingUp($scalingUp);
++ if (is_null($file)) {
++ \OC_Response::setStatus(404);
++ } else {
++ $preview = new \OC\Preview($user, 'files_versions', $file . '.v' . $version);
++ $mimetype = \OC_Helper::getFileNameMimeType($file);
++ $preview->setMimetype($mimetype);
++ $preview->setMaxX($maxX);
++ $preview->setMaxY($maxY);
++ $preview->setScalingUp($scalingUp);
+ 
+- $preview->showPreview();
++ $preview->showPreview();
++ }
+ }catch(\Exception $e) {
+ \OC_Response::setStatus(500);
+ \OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG);
diff --git a/debian/patches/0029-Dont-output-paths-in-scan.php.patch b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
new file mode 100644
index 0000000..572d3c3
--- /dev/null
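Review bot: The new `is_null($file)` branch answers 404 but gives no hint of why a null filename is possible here, and `$version` is still concatenated into the storage path without any visible constraint. A comment on the check, `// getUidAndFilename() yields a null filename when the path cannot be resolved; never build a preview path from it`, documents the contract the fix depends on. If `$version` is read from the request without being limited to the numeric version timestamp (its origin is outside the hunk), that check belongs next to this one. The enclosing try/catch continues past the end of the hunk.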
+++ b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
@@ -0,0 +1,35 @@
+From: Robin Appelman <icew...@owncloud.com>
+Date: Wed, 25 Nov 2015 15:21:01 +0100
+Subject: Dont output paths in scan.php
+
+Origin: backport, https://github.com/owncloud/core/commit/fab59179f1661da4862336fb8ea450c80def26d4
+---
+ apps/files/ajax/scan.php | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
+index d5d8848..e6cad5e 100644
+--- a/apps/files/ajax/scan.php
++++ b/apps/files/ajax/scan.php
+@@ -21,7 +21,6 @@ $listener = new ScanListener($eventSource);
+ foreach ($users as $user) {
+ $eventSource->send('user', $user);
+ $scanner = new \OC\Files\Utils\Scanner($user);
+- $scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));
+ $scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));
+ if ($force) {
+ $scanner->scan($dir);
+@@ -50,13 +49,6 @@ class ScanListener {
+ $this->eventSource = $eventSource;
+ }
+ 
+- /**
+- * @param string $path
+- */
+- public function folder($path) {
+- $this->eventSource->send('folder', $path);
+- }
+-
+ public function file() {
+ $this->fileCount++;
+ if ($this->fileCount > $this->lastCount + 20) { //send a count update every 20 files
diff --git a/debian/patches/0030-Do-not-print-exception-message.patch b/debian/patches/0030-Do-not-print-exception-message.patch
new file mode 100644
index 0000000..b692dd3
--- /dev/null
+++ b/debian/patches/0030-Do-not-print-exception-message.patch
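Review bot: The two inner hunks do not agree: the first removes the `scanFile` registration and keeps `scanFolder` pointing at `array($listener, 'folder')`, while the second deletes `ScanListener::folder()` and keeps `file()`. Unless the 7.0.4 file differs from what the context lines show, every folder event will now call a method that no longer exists and the file-count updates that `file()` sends stop, because nothing registers it any more. Given the commit subject and the CVE-2016-1499 description (folder paths leaking through the event stream), the line to drop appears to be the `scanFolder` one, keeping `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));` in place, which would also make removing `folder()` consistent. The backport is marked `Origin: backport`, so this is worth re-checking against the upstream commit before upload.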
@@ -0,0 +1,40 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Sun, 25 Oct 2015 19:05:28 +0100 +Subject: Do not print exception message + +Origin: upstream, https://github.com/owncloud/core/commit/6897cbebc05fb4daa6b81daaac9b181120fcf529 +--- + core/avatar/controller.php | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/core/avatar/controller.php b/core/avatar/controller.php +index ca055f5..6076084 100644 +--- a/core/avatar/controller.php ++++ b/core/avatar/controller.php +@@ -92,7 +92,7 @@ class Controller { + } + } + } catch (\Exception $e) { +- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) )); ++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin." ))); + } + } + +@@ -107,7 +107,7 @@ class Controller { + $avatar->remove(); + \OC_JSON::success(); + } catch (\Exception $e) { +- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) )); ++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") )); + } + } + +@@ -158,7 +158,7 @@ class Controller { + \OC\Cache::remove('tmpavatar'); + \OC_JSON::success(); + } catch (\Exception $e) { +- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) )); ++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") )); + } + } + } diff --git a/debian/patches/series b/debian/patches/series index 561ad88..618364d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -24,3 +24,7 @@ path/0009-Adapt-Dropbox-path.patch 0024-Verify-if-path-exists.patch 0025-Verify-if-path-exists-before-processing.patch 0026-Prevent-objectstore-being-set-from-client-side.patch +0027-Use-XMLWriter-to-generate-response.patch +0028-Handle-non-existing-files-in-version-previews.patch +0029-Dont-output-paths-in-scan.php.patch +0030-Do-not-print-exception-message.patch
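Review bot: All three catch blocks now discard the exception entirely — the message is no longer returned to the client, but nothing is logged either, so an operator diagnosing a failing avatar upload or removal has nothing to go on. Keep the generic user-facing message but record the original first, e.g. `\OC_Log::write('core', $e->getMessage(), \OC_Log::ERROR);` ahead of each `\OC_JSON::error(...)` call, the same `\OC_Log::write` pattern 0028-Handle-non-existing-files-in-version-previews.patch already uses. The replacement text is also a hard-coded English literal; if an `$l` translator is in scope in this controller (not visible in the hunk), `$l->t('An error occurred. Please contact your admin.')` keeps it consistent with translated messages elsewhere. The enclosing methods start and end outside each inner hunk.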