tags 703094 + pending
thanks

Dear maintainer,

I've prepared an NMU for owncloud (versioned as 4.0.8debian-1.6) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Various Artists: Scorn Not His Simplicity
diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog	2013-02-28 19:15:56.000000000 +0100
+++ owncloud-4.0.8debian/debian/changelog	2013-03-19 17:05:15.000000000 +0100
@@ -1,3 +1,18 @@
+owncloud (4.0.8debian-1.6) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix "multiple vulnerabilities (oC-SA-2013-009, oC-SA-2013-010)":
+    add patches taken from upstream git:
+    + debian/patches/16_oc-sa-2013-010.patch
+      CVE-2013-1851: user_migrate: Local file disclosure
+      oC-SA-2013-010, commit edf7162 in stable4 branch
+    + debian/patches/17_oc-sa-2013-009.patch
+      CVE-2013-1850: Contacts: Bypass of file blacklist
+      oC-SA-2013-009, commit fae5bd3 in stable4 branch
+    (Closes: #703094)
+
+ -- gregor herrmann <gre...@debian.org>  Tue, 19 Mar 2013 17:05:08 +0100
+
 owncloud (4.0.8debian-1.5) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch
--- owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/16_oc-sa-2013-010.patch	2013-03-15 22:14:28.000000000 +0100
@@ -0,0 +1,39 @@
+From edf7162762fc425df1ec2ce7149c18a0af82a3b8 Mon Sep 17 00:00:00 2001
+From: Lukas Reschke <lu...@statuscode.ch>
+Date: Mon, 11 Mar 2013 16:21:26 +0100
+Subject: [PATCH] Check if username is valid and remove slashes from filename
+
+Backport of #2236 to stable45
+---
+ lib/migrate.php |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/migrate.php b/lib/migrate.php
+index 8d3610c..8465eed 100644
+--- a/lib/migrate.php
++++ b/lib/migrate.php
+@@ -234,11 +234,20 @@ class OC_Migrate{
+ 					OC_Log::write( 'migration', 'User doesn\'t exist', OC_Log::ERROR );
+ 					return json_encode( array( 'success' => false ) );
+ 				}
++
++				// Check if the username is valid
++				if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser )) {
++					OC_Log::write( 'migration', 'Username is not valid', OC_Log::ERROR );
++					return json_encode( array( 'success' => false ) );
++				}
++
+ 				// Copy data
+ 				$userfolder = $extractpath . $json->exporteduser;
+ 				$newuserfolder = $datadir . '/' . self::$uid;
+ 				foreach(scandir($userfolder) as $file){
+-					if($file !== '.' && $file !== '..' && is_dir($file)){
++					if($file !== '.' && $file !== '..' && is_dir($file)) {
++						$file = str_replace(array('/', '\\'), '',  $file);
++
+ 						// Then copy the folder over
+ 						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
+ 					}
+-- 
+1.7.10.4
+
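Review bot: The new `str_replace(array('/', '\\'), '',  $file)` line operates on a `scandir()` entry, which cannot contain a path separator, and runs after the `is_dir($file)` test has already passed, so it changes nothing; the test that matters, `is_dir($file)`, is evaluated against the process working directory rather than the extracted user folder. I would build the path once and test that: `$path = $userfolder.'/'.$file;` then `if($file !== '.' && $file !== '..' && is_dir($path)) {` and `OC_Helper::copyr($path, $newuserfolder.'/'.$file);`. The new username regex admits a name made solely of dots, so `.` and `..` pass it; whether the preceding 'User doesn't exist' check already rejects those is outside the hunk, so an explicit `$json->exporteduser !== '.' && $json->exporteduser !== '..'` guard would make the intent self-contained. The OC_Migrate method containing this code starts and ends outside the hunk.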
diff -Nru owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch
--- owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/17_oc-sa-2013-009.patch	2013-03-15 22:15:52.000000000 +0100
@@ -0,0 +1,84 @@
+From fae5bd363b4cc3bd00d1a983ca5aff4a0eb86408 Mon Sep 17 00:00:00 2001
+From: Thomas Tanghus <tho...@tanghus.net>
+Date: Sat, 9 Mar 2013 19:26:31 +0100
+Subject: [PATCH] Contacts: Backport filename sanitation and blacklist
+ checking to stable4.
+
+---
+ apps/contacts/ajax/uploadimport.php |    8 ++++++++
+ apps/contacts/import.php            |   15 ++++++++++-----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
+index 4c3f5ea..56a966b 100644
+--- a/apps/contacts/ajax/uploadimport.php
++++ b/apps/contacts/ajax/uploadimport.php
+@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
+ 
+ // If it is a Drag'n'Drop transfer it's handled here.
+ $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
++$fn = strtr($fn, array('/' => '', "\\" => ''));
+ if($fn) {
++	if(OC_Filesystem::isFileBlacklisted($fn)) {
++		bailOut($l10n->t('Upload of blacklisted file:') . $fn);
++	}
+ 	if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
+ 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ 		exit();
+@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
+ 
+ $tmpfname = tempnam(get_temp_dir(), "occOrig");
+ if(file_exists($file['tmp_name'])) {
++	$filename = strtr($file['name'], array('/' => '', "\\" => ''));
++	if(OC_Filesystem::isFileBlacklisted($filename)) {
++		bailOut($l10n->t('Upload of blacklisted file:') . $filename);
++	}
+ 	if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
+ 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ 	} else {
+diff --git a/apps/contacts/import.php b/apps/contacts/import.php
+index 85d4ceb..ffdc438 100644
+--- a/apps/contacts/import.php
++++ b/apps/contacts/import.php
+@@ -25,11 +25,16 @@ function writeProgress($pct) {
+ }
+ writeProgress('10');
+ $view = $file = null;
++$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
++if(OC_Filesystem::isFileBlacklisted($inputfile)) {
++	OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
++	exit();
++}
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+ 	$view = OCP\Files::getStorage('contacts');
+-	$file = $view->file_get_contents('/' . $_POST['file']);
++	$file = $view->file_get_contents('/' . $inputfile);
+ } else {
+-	$file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
++	$file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
+ }
+ if(!$file) {
+ 	OCP\JSON::error(array('message' => 'Import file was empty.'));
+@@ -115,7 +120,7 @@ if(count($parts) == 1){
+ $imported = 0;
+ $failed = 0;
+ if(!count($importready) > 0) {
+-	OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
++	OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
+ 	exit();
+ }
+ foreach($importready as $import){
+@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
+ 	unlink($progressfile);
+ }
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+-	if(!$view->unlink('/' . $_POST['file'])) {
+-		OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
++	if(!$view->unlink('/' . $inputfile)) {
++		OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
+ 	}
+ }
+ OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));
+-- 
+1.7.10.4
+
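Review bot: In uploadimport.php the new `strtr()` on the `$fn` line runs before the `if($fn)` test, so when the header is absent the `false` sentinel is coerced to `''` and only truthiness keeps the branch from running; moving the call inside the block, `if($fn) { $fn = strtr($fn, array('/' => '', "\\" => ''));`, keeps the sentinel intact. In import.php the new `$inputfile` assignment reads `$_POST['file']` with no `isset()` guard, which raises a notice on a missing key; `$inputfile = strtr(isset($_POST['file']) ? $_POST['file'] : '', array('/' => '', "\\" => ''));` avoids it, and the existing `if(!$file)` then reports the empty import. The same strip-separators-then-blacklist sequence now appears three times across the two files; a small shared helper would keep the copies from drifting. `$_POST['path']` on the `OC_Filesystem::file_get_contents` line is still concatenated unchanged; whether OC_Filesystem confines that path to the user's storage is not visible here.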
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series	2013-02-28 19:15:56.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/series	2013-03-15 22:17:57.000000000 +0100
@@ -15,3 +15,5 @@
 13_oc-sa-2013-003.patch
 14_oc-sa-2013-004.patch
 15_oc-sa-2013-006.patch
+16_oc-sa-2013-010.patch
+17_oc-sa-2013-009.patch
