Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
I'd like to see if it's feasible to upload a targeted fix to testing-proposed-updates to address #696574. This bug has been fixed in unstable already, but given it has a newer upstream version, it's unlikely it will migrate, hence this request.

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog --- owncloud-4.0.4debian2/debian/changelog 2012-12-05 22:12:11.000000000 +0100 +++ owncloud-4.0.4debian2/debian/changelog 2013-01-04 23:31:11.000000000 +0100 @@ -1,3 +1,14 @@ +owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high + + * Non-maintainer upload. + * Multiple security fixes (Closes: #696574): + + debian/patches/10_oc-sa-2012-006.patch: + - CVE-2012-5665: Auth bypass in user_webdavauth and user_ldap + + debian/patches/11_oc-sa-2012-007.patch: + - CVE-2012-5666: XSS vulnerability in bookmarks + + -- Luca Falavigna <[email protected]> Fri, 04 Jan 2013 23:30:46 +0100 + owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high * Non-maintainer upload, fixes several security issues (Closes: #693990). diff -Nru owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch --- owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch 2013-01-04 23:28:29.000000000 +0100 
@@ -0,0 +1,48 @@ +Index: owncloud-4.0.8debian/apps/files_encryption/settings.php +=================================================================== +--- owncloud-4.0.8debian.orig/apps/files_encryption/settings.php 2012-10-09 17:09:46.000000000 +0200 ++++ owncloud-4.0.8debian/apps/files_encryption/settings.php 2012-12-25 16:29:57.110214044 +0100 +@@ -6,6 +6,8 @@ + * See the COPYING-README file. + */ + ++OC_Util::checkAdminUser(); ++ + $tmpl = new OCP\Template( 'files_encryption', 'settings'); + $blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg')); + $enabled=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true'); +Index: owncloud-4.0.8debian/apps/user_ldap/settings.php +=================================================================== +--- owncloud-4.0.8debian.orig/apps/user_ldap/settings.php 2012-10-09 17:10:37.000000000 +0200 ++++ owncloud-4.0.8debian/apps/user_ldap/settings.php 2012-12-25 16:29:57.114214045 +0100 +@@ -20,6 +20,9 @@ + * License along with this library. If not, see <http://www.gnu.org/licenses/>. + * + */ ++ ++OC_Util::checkAdminUser(); ++ + $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute'); + + OCP\Util::addscript('user_ldap', 'settings'); +Index: owncloud-4.0.8debian/apps/user_migrate/settings.php +=================================================================== +--- owncloud-4.0.8debian.orig/apps/user_migrate/settings.php 2012-10-09 17:10:37.000000000 +0200 ++++ owncloud-4.0.8debian/apps/user_migrate/settings.php 2012-12-25 16:29:57.114214045 +0100 +@@ -22,6 +22,9 @@ + * License along with this library. 
If not, see <http://www.gnu.org/licenses/>. + * + */ ++ ++OC_Util::checkLoggedIn(); ++ + OCP\App::checkAppEnabled('user_migrate'); + if (isset($_POST['user_import'])) { + $root = OC::$SERVERROOT . "/"; +@@ -86,4 +89,4 @@ + // fill template + $tmpl = new OCP\Template('user_migrate', 'settings'); + return $tmpl->fetchPage(); +-} +\ No newline at end of file ++} diff -Nru owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch --- owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch 2013-01-04 23:28:29.000000000 +0100 @@ -0,0 +1,13 @@ +Index: owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js +=================================================================== +--- owncloud-4.0.8debian.orig/apps/bookmarks/js/bookmarks.js 2012-10-09 17:10:37.000000000 +0200 ++++ owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js 2012-12-25 16:25:21.050223382 +0100 +@@ -141,7 +141,7 @@ + var taglist = ''; + for ( var i=0, len=tags.length; i<len; ++i ){ + if(tags[i] != '') +- taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString( String(window.location), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> '; ++ taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString(escapeHTML(String(window.location)), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> '; + } + if(!hasProtocol(bookmark.url)) { + bookmark.url = 'http://' + bookmark.url; diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series --- owncloud-4.0.4debian2/debian/patches/series 2012-12-04 22:43:34.000000000 +0100 +++ owncloud-4.0.4debian2/debian/patches/series 2013-01-04 23:28:29.000000000 +0100 @@ -19,3 +19,5 @@ 07_oc-sa-2012-002.patch 08_oc-sa-2012-004.patch 09_oc-sa-2012-005.patch +10_oc-sa-2012-006.patch +11_oc-sa-2012-007.patch
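Review bot: the debian/changelog entry describes CVE-2012-5665 as an auth bypass in user_webdavauth and user_ldap, but 10_oc-sa-2012-006.patch only touches apps/files_encryption/settings.php, apps/user_ldap/settings.php and apps/user_migrate/settings.php; no user_webdavauth file is modified anywhere in the debdiff. Either reword the entry to name the apps that are actually patched (files_encryption, user_ldap, user_migrate) or state in the changelog that user_webdavauth is not shipped in 4.0.4debian2, so the release team can match the upload against the advisory without reading the patch.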
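Review bot: the Index: and ---/+++ headers in 10_oc-sa-2012-006.patch name owncloud-4.0.8debian paths while this package is 4.0.4debian2, so the patch was lifted from a later upstream release. With quilt's default -p1 the leading directory is stripped and it should still apply, but the context lines (the $blackList default in files_encryption/settings.php and the $params array in user_ldap/settings.php) should be verified against the 4.0.4 sources, and a short Description/Origin header pointing at oC-SA-2012-006 would make the backport easier to audit.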
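Review bot: apps/user_migrate/settings.php gets OC_Util::checkLoggedIn() while the two other settings pages get OC_Util::checkAdminUser(), and nothing in the patch explains why the weaker check is sufficient there; a one-line note in the patch header (or the changelog) saying that user_migrate is a per-user page would save the next reviewer the question. The second hunk in that file ("-}" / "\ No newline at end of file" / "+}") only adds a trailing newline; it is harmless but unrelated to the fix and could be dropped to keep the security patch minimal.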
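Review bot: the bookmarks.js hunk in 11_oc-sa-2012-007.patch wraps String(window.location) in escapeHTML() before replaceQueryString(), which covers the href attribute, but tags[i] is still concatenated unescaped into the anchor body ('">' + tags[i] + '</a> '); unless tag names are escaped server-side in 4.0.4debian2, that path remains injectable and the hunk should escape tags[i] as well. Please also confirm that escapeHTML() exists in the 4.0.4 JavaScript (the patch comes from 4.0.8); if it does not, the tag list will fail with a ReferenceError instead of being fixed.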

