tags 703094 + pending thanks Dear maintainer,
I've prepared an NMU for owncloud (versioned as 4.0.8debian-1.6) and uploaded it to DELAYED/3. Please feel free to tell me if I should delay it longer. Regards. -- .''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Various Artists: Scorn Not His Simplicity
diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog 2013-02-28 19:15:56.000000000 +0100
+++ owncloud-4.0.8debian/debian/changelog 2013-03-19 17:05:15.000000000 +0100
@@ -1,3 +1,18 @@
+owncloud (4.0.8debian-1.6) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix "multiple vulnerabilities (oC-SA-2013-009, oC-SA-2013-010)":
+ add patches taken from upstream git:
+ + debian/patches/16_oc-sa-2013-010.patch
+ CVE-2013-1851: user_migrate: Local file disclosure
+ oC-SA-2013-010, commit edf7162 in stable4 branch
+ + debian/patches/17_oc-sa-2013-009.patch
+ CVE-2013-1850: Contacts: Bypass of file blacklist
+ oC-SA-2013-009, commit fae5bd3 in stable4 branch
+ (Closes: #703094)
+
+ -- gregor herrmann <gre...@debian.org> Tue, 19 Mar 2013 17:05:08 +0100
+
 owncloud (4.0.8debian-1.5) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch
--- owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch 2013-03-15 22:14:28.000000000 +0100
@@ -0,0 +1,39 @@
+From edf7162762fc425df1ec2ce7149c18a0af82a3b8 Mon Sep 17 00:00:00 2001
+From: Lukas Reschke <lu...@statuscode.ch>
+Date: Mon, 11 Mar 2013 16:21:26 +0100
+Subject: [PATCH] Check if username is valid and remove slashes from filename
+
+Backport of #2236 to stable45
+---
+ lib/migrate.php | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/migrate.php b/lib/migrate.php
+index 8d3610c..8465eed 100644
+--- a/lib/migrate.php
++++ b/lib/migrate.php
+@@ -234,11 +234,20 @@ class OC_Migrate{
+ OC_Log::write( 'migration', 'User doesn\'t exist', OC_Log::ERROR );
+ return json_encode( array( 'success' => false ) );
+ }
++
++ // Check if the username is valid
++ if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser )) {
++ OC_Log::write( 'migration', 'Username is not valid', OC_Log::ERROR );
++ return json_encode( array( 'success' => false ) );
++ }
++
+ // Copy data
+ $userfolder = $extractpath . $json->exporteduser;
+ $newuserfolder = $datadir . '/' . self::$uid;
+ foreach(scandir($userfolder) as $file){
+- if($file !== '.' && $file !== '..' && is_dir($file)){
++ if($file !== '.' && $file !== '..' && is_dir($file)) {
++ $file = str_replace(array('/', '\\'), '', $file);
++
+ // Then copy the folder over
+ OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
+ }
+--
+1.7.10.4
+
diff -Nru owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch
--- owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch 2013-03-15 22:15:52.000000000 +0100
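Review bot: The directory test in the copy loop, `is_dir($file)`, checks the bare entry name against the process working directory rather than against `$userfolder`, so entries of the extracted user folder are in general not recognised as directories (and a same-named directory in the CWD would produce the opposite wrong answer); the backported hunk re-indents this line but keeps the defect, and it should read `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)) {`. The new username guard treats a `preg_match` failure (return value `false`) the same as "no forbidden character", so failing closed with `if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser ) !== 0 ) {` rejects the name on a regex error as well. Because `$file` comes from `scandir()`, the added `str_replace` cannot alter a name on a POSIX filesystem; it is harmless, but a one-line comment such as `// scandir() never yields separators; kept as defence in depth` would spare the next reader a search for the case it protects. The enclosing OC_Migrate method starts and ends outside the hunk.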
@@ -0,0 +1,84 @@
+From fae5bd363b4cc3bd00d1a983ca5aff4a0eb86408 Mon Sep 17 00:00:00 2001
+From: Thomas Tanghus <tho...@tanghus.net>
+Date: Sat, 9 Mar 2013 19:26:31 +0100
+Subject: [PATCH] Contacts: Backport filename sanitation and blacklist
+ checking to stable4.
+
+---
+ apps/contacts/ajax/uploadimport.php | 8 ++++++++
+ apps/contacts/import.php | 15 ++++++++++-----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
+index 4c3f5ea..56a966b 100644
+--- a/apps/contacts/ajax/uploadimport.php
++++ b/apps/contacts/ajax/uploadimport.php
+@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
+
+ // If it is a Drag'n'Drop transfer it's handled here.
+ $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
++$fn = strtr($fn, array('/' => '', "\\" => ''));
+ if($fn) {
++ if(OC_Filesystem::isFileBlacklisted($fn)) {
++ bailOut($l10n->t('Upload of blacklisted file:') . $fn);
++ }
+ if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
+ OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ exit();
+@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
+
+ $tmpfname = tempnam(get_temp_dir(), "occOrig");
+ if(file_exists($file['tmp_name'])) {
++ $filename = strtr($file['name'], array('/' => '', "\\" => ''));
++ if(OC_Filesystem::isFileBlacklisted($filename)) {
++ bailOut($l10n->t('Upload of blacklisted file:') . $filename);
++ }
+ if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
+ OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ } else {
+diff --git a/apps/contacts/import.php b/apps/contacts/import.php
+index 85d4ceb..ffdc438 100644
+--- a/apps/contacts/import.php
++++ b/apps/contacts/import.php
+@@ -25,11 +25,16 @@ function writeProgress($pct) {
+ }
+ writeProgress('10');
+ $view = $file = null;
++$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
++if(OC_Filesystem::isFileBlacklisted($inputfile)) {
++ OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
++ exit();
++}
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+ $view = OCP\Files::getStorage('contacts');
+- $file = $view->file_get_contents('/' . $_POST['file']);
++ $file = $view->file_get_contents('/' . $inputfile);
+ } else {
+- $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
++ $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
+ }
+ if(!$file) {
+ OCP\JSON::error(array('message' => 'Import file was empty.'));
+@@ -115,7 +120,7 @@ if(count($parts) == 1){
+ $imported = 0;
+ $failed = 0;
+ if(!count($importready) > 0) {
+- OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
++ OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
+ exit();
+ }
+ foreach($importready as $import){
+@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
+ unlink($progressfile);
+ }
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+- if(!$view->unlink('/' . $_POST['file'])) {
+- OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
++ if(!$view->unlink('/' . $inputfile)) {
++ OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
+ }
+ }
+ OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));
+--
+1.7.10.4
+
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series 2013-02-28 19:15:56.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/series 2013-03-15 22:17:57.000000000 +0100
@@ -15,3 +15,5 @@
 13_oc-sa-2013-003.patch
 14_oc-sa-2013-004.patch
 15_oc-sa-2013-006.patch
+16_oc-sa-2013-010.patch
+17_oc-sa-2013-009.patch
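Review bot: In import.php the new else-branch line `$file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);` still concatenates `$_POST['path']` unfiltered; only the file component has its separators stripped, so containment of the directory part rests entirely on whatever normalisation OC_Filesystem applies, which is outside this hunk and should be confirmed or guarded here. The strip-separators-then-blacklist sequence is repeated verbatim three times (both uploadimport.php branches and the top of import.php); a small shared helper, e.g. `function sanitizeImportName($name) { return strtr($name, array('/' => '', "\\" => '')); }`, would keep the three call sites from drifting apart. `$inputfile = strtr($_POST['file'], ...)` reads `$_POST['file']` with no `isset()` guard, unlike the neighbouring `fstype` checks, so a request without it produces a notice and an empty name instead of an error response; `$_POST['file'] ?? ''` or an explicit isset-and-bail would be cleaner. In uploadimport.php `strtr($fn, ...)` runs before the `if($fn)` test, so an absent header turns `false` into `''`; this still fails the truthiness test, but a one-line comment noting that the order is intentional would stop a later reader from reshuffling it.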