Your message dated Fri, 10 Aug 2012 06:03:21 +0000
with message-id <e1szijd-00060h...@franck.debian.org>
and subject line Bug#684426: fixed in owncloud 4.0.5debian2-2
has caused the Debian Bug report #684426,
regarding [owncloud] Users can overwrite read-only shared files owned by other 
users via WebDAV
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
684426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: owncloud
Version: 4.0.5debian2-1
Severity: grave
Tags: patch security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---
Hi,

I stumbled over a security bug in owncloud with the result of data loss
or modification, depending on the configuration of owncloud.

It is possible for regular users of owncloud to overwrite files that are
shared by another owncloud user via WebDAV.

If version control is activated, user1 could revert the file to its
previous state, but if it's not activated, user1's data is lost.

Find attached a patch that should fix the security flaw for owncloud
4.0.5debian2-1.

Cheers - Fuddl

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable        ftp.de.debian.org 
    1 experimental    ftp.de.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.



From 05648dac619942dfccc76180d30fcd79364355ec Mon Sep 17 00:00:00 2001
From: Michael Gapczynski <mt...@owncloud.com>
Date: Wed, 8 Aug 2012 11:25:24 -0400
Subject: [PATCH] Don't return file handle if the mode supports writing and
 the file is not writable

---
 apps/files_sharing/sharedstorage.php |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

Index: owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php
===================================================================
--- owncloud-4.0.5debian2.orig/apps/files_sharing/sharedstorage.php	2012-07-19 18:50:49.000000000 +0200
+++ owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php	2012-08-09 11:29:58.000000000 +0200
@@ -416,6 +416,25 @@
 	public function fopen($path, $mode) {
 		$source = $this->getSource($path);
 		if ($source) {
+                       switch ($mode) {
+                               case 'r+':
+                               case 'rb+':
+                               case 'w+':
+                               case 'wb+':
+                               case 'x+':
+                               case 'xb+':
+                               case 'a+':
+                               case 'ab+':
+                               case 'w':
+                               case 'wb':
+                               case 'x':
+                               case 'xb':
+                               case 'a':
+                               case 'ab':
+                                       if (!$this->is_writable($path)) {
+                                               return false;
+                                       }
+                       }
 			$storage = OC_Filesystem::getStorage($source);
 			return $storage->fopen($this->getInternalPath($source), $mode);
 		}
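Review bot: the switch at the top of the hunk matches exact mode strings, so any other spelling of a writing mode that PHP's fopen() accepts falls through to the unguarded `$storage->fopen(...)` below it, for example 'w+b' or 'r+b' (flags in the other order), 'wt' / 'at' (text flag), and the 'c' / 'c+' modes; the robust shape is to treat everything except a pure read mode as writing, e.g. `if ($mode !== 'r' && $mode !== 'rb' && !$this->is_writable($path)) { return false; }`, or to test for a base letter other than 'r' or a '+' anywhere in the string. Also, the added lines are indented with spaces while the surrounding method body uses tabs; reindent the block so it matches the file.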

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
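The patch above decides whether a mode can write by listing exact mode strings. As an added example, not code from the bug report or from ownCloud, the following PHP 7+ snippet goes further and derives the answer from the mode's structure (base letter plus optional '+', 'b', 't' flags in any order), so variants such as 'w+b', 'rt' or 'c+' are classified correctly; `$isWritable` is a hypothetical callback standing in for the storage backend's own check (the `is_writable()` call in the patch), and the temp file and read-only policy are constructed sample input.

```php
<?php
// Added example (not ownCloud code): classify a PHP fopen() mode string by
// parsing it instead of matching exact strings, then use that to refuse
// write-capable opens on a path a policy callback marks read-only.

/**
 * Returns true if $mode can write to, truncate or create the file.
 * PHP mode grammar: one of r, w, a, x, c, then any of '+', 'b', 't', 'e'.
 */
function fopenModeWrites(string $mode): bool {
    if ($mode === '' || strpos('rwaxc', $mode[0]) === false) {
        // Unknown or malformed mode: assume it writes so the guard fails closed.
        return true;
    }
    if ($mode[0] !== 'r') {
        // w truncates, a appends, x creates, c creates-or-opens for writing.
        return true;
    }
    // 'r' is read-only unless '+' requests update (read/write) access.
    return strpos($mode, '+') !== false;
}

/**
 * Guarded open: return false instead of a handle when the mode can write and
 * the (hypothetical) policy callback says the path is read-only.
 */
function guardedOpen(string $path, string $mode, callable $isWritable) {
    if (fopenModeWrites($mode) && !$isWritable($path)) {
        return false;
    }
    return fopen($path, $mode);
}

// Constructed sample: a temp file that the stand-in policy treats as a
// read-only share (every other path is considered writable).
$tmp = tempnam(sys_get_temp_dir(), 'share');
file_put_contents($tmp, "owner's data\n");
$readOnlyShare = function (string $p) use ($tmp): bool { return $p !== $tmp; };

foreach (['r', 'rb', 'rt', 'r+', 'rb+', 'r+b', 'w', 'w+b', 'wt', 'a', 'c', 'c+', 'x'] as $m) {
    printf("%-4s writes=%s\n", $m, fopenModeWrites($m) ? 'yes' : 'no');
}
var_dump(guardedOpen($tmp, 'r', $readOnlyShare) !== false);   // read-only open succeeds
var_dump(guardedOpen($tmp, 'w+b', $readOnlyShare));           // refused: bool(false)
unlink($tmp);
```

The only modes the classifier reports as non-writing are those starting with 'r' and containing no '+', which is the whole set PHP treats as read-only; anything unrecognised is treated as writing, so a future or misspelled mode cannot slip past the check the way it can past a fixed list.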
--- Begin Message ---
Source: owncloud
Source-Version: 4.0.5debian2-2

We believe that the bug you reported is fixed in the latest version of
owncloud, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Mueller <thomas.muel...@tmit.eu> (supplier of updated owncloud package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Aug 2012 23:29:25 +0200
Source: owncloud
Binary: owncloud owncloud-mysql owncloud-sqlite
Architecture: source all
Version: 4.0.5debian2-2
Distribution: unstable
Urgency: high
Maintainer: ownCloud for Debian maintainers <pkg-owncloud-maintain...@lists.alioth.debian.org>
Changed-By: Thomas Mueller <thomas.muel...@tmit.eu>
Description: 
 owncloud   - cloud storage for files, music, contacts, calendars and many more
 owncloud-mysql - meta-package providing MySQL dependencies for ownCloud
 owncloud-sqlite - meta-package providing SQLite dependencies for ownCloud
Closes: 684426
Changes: 
 owncloud (4.0.5debian2-2) unstable; urgency=high
 .
   * debian/patches:
     - Added fix_writing_to_shared_readonly.diff to fix WebDAV write access to
       shared files (Closes: #684426)
   * debian/rules:
     - Remove experimental feature 'files_external'
Checksums-Sha1:
 0812a3f8ebca2ebd8bbdee8690f7dac790274449 1508 owncloud_4.0.5debian2-2.dsc
 c03841c260db182ae82f7b287db6be777806bbc6 37364 owncloud_4.0.5debian2-2.debian.tar.gz
 649a3eab656ca5d023292483d7631f00977487b7 2208342 owncloud_4.0.5debian2-2_all.deb
 d1df7ba03a67bc6cd76aa3a8be95bb05e8606613 28866 owncloud-mysql_4.0.5debian2-2_all.deb
 23e9f4c96f81e6469f7856d657a5245733c9ecc7 53342 owncloud-sqlite_4.0.5debian2-2_all.deb
Checksums-Sha256:
 514278011c7db4d7fecc95731917b04c7cbb4903779348e161593063cd09ab16 1508 owncloud_4.0.5debian2-2.dsc
 edb40eee902c90d36d9f137c3b8395e61d6cb0ffedd0476c0015b5f721088d30 37364 owncloud_4.0.5debian2-2.debian.tar.gz
 ca342b48ceb9b78c5f85ef28ed937e71c6e6716d2755a7474758ca6b136020a2 2208342 owncloud_4.0.5debian2-2_all.deb
 def4ec2cd71c41b09568bfa444054138f16f058cb689b6d0f0a06b9ce40525e9 28866 owncloud-mysql_4.0.5debian2-2_all.deb
 cef42995a9efe477863daf4b3eeb7371e7c874b61eb5ea038304e54f5d1e97bd 53342 owncloud-sqlite_4.0.5debian2-2_all.deb
Files:
 b83a2d254ae75eff21bbedfc19dca199 1508 web extra owncloud_4.0.5debian2-2.dsc
 55c9ca2df18d9f208b4fdcec1934401c 37364 web extra owncloud_4.0.5debian2-2.debian.tar.gz
 2a7bab123e178011740fb8510cdd8b58 2208342 web extra owncloud_4.0.5debian2-2_all.deb
 2342a05c82ca59de605db05aa2e6d6dc 28866 web extra owncloud-mysql_4.0.5debian2-2_all.deb
 8fab020206a4b4662371f08b11d4aa22 53342 web extra owncloud-sqlite_4.0.5debian2-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAkMJoACgkQOB0qx4EksQBBUwCeKU722RgakULZq1YcTOoOYdWw
524Aniq1hYwCJh9ssjdAU2cqMvnayhwy
=efj/
-----END PGP SIGNATURE-----

--- End Message ---