tags 693990 +patch
thanks

On Thu, Nov 22, 2012 at 05:50:20PM +0100, Ansgar Burchardt wrote:
> The new upstream release 4.0.9 / 4.5.2 fixes multiple security issues.
> From the changelog[1]:
> 
>   [1] <http://owncloud.org/changelog/>

Attached is a NMU candidate debdiff, extracting the applicable changes
from 4.0.9.


Michael
diff -Nru owncloud-4.0.8debian/debian/changelog 
owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog       2012-10-11 14:45:06.000000000 
+0200
+++ owncloud-4.0.8debian/debian/changelog       2012-11-25 12:57:05.000000000 
+0100
@@ -1,3 +1,14 @@
+owncloud (4.0.8debian-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+    filesystem.php.
+
+ -- Michael Banck <mba...@debian.org>  Sun, 25 Nov 2012 12:26:01 +0100
+
 owncloud (4.0.8debian-1) unstable; urgency=low
 
   * New upstream bugfix release
diff -Nru owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch 
owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch 1970-01-01 
01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch 2012-11-25 
12:57:46.000000000 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js
+===================================================================
+--- owncloud-4.0.8debian.orig/3rdparty/fullcalendar/js/fullcalendar.js 
2012-11-25 12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js      
2012-11-25 12:56:22.161766368 +0100
+@@ -4662,7 +4662,7 @@
+                                       "</span>";
+                       }
+                       html +=
+-                              "<span class='fc-event-title'>" + event.title + 
"</span>" +
++                              "<span class='fc-event-title'>" + 
htmlEscape(event.title) + "</span>" +
+                               "</div>";
+                       if (seg.isEnd && isEventResizable(event)) {
+                               html +=
+@@ -5220,5 +5220,5 @@
+       };
+       
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.8debian/apps/files/js/filelist.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files/js/filelist.js        2012-11-25 
12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/apps/files/js/filelist.js     2012-11-25 
12:56:22.161766368 +0100
+@@ -14,9 +14,9 @@
+                       var extension=false;
+               }
+               html+='<td class="filename" 
style="background-image:url('+img+')"><input type="checkbox" />';
+-              html+='<a class="name" 
href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, 
'&gt;')+'/'+name+'"><span class="nametext">'+basename
++              html+='<a class="name" 
href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, 
'&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
+               if(extension){
+-                      html+='<span class="extension">'+extension+'</span>';
++                      html+='<span 
class="extension">'+escapeHTML(extension)+'</span>';
+               }
+               html+='</span></a></td>';
+               if(size!='Pending'){
+Index: owncloud-4.0.8debian/apps/files_versions/js/versions.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files_versions/js/versions.js       
2012-11-25 12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/apps/files_versions/js/versions.js    2012-11-25 
12:56:22.161766368 +0100
+@@ -36,7 +36,7 @@
+       
+       var historyUrl = OC.linkTo('files_versions', 'history.php') + 
'?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' 
)+'/'+encodeURIComponent( filename );
+       
+-      var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
++      var html = '<div id="dropdown" class="drop" 
data-file="'+escapeHTML(files)+'">';
+       html += '<div id="private">';
+       html += '<select data-placeholder="Saved versions" id="found_versions" 
class="chzen-select" style="width:16em;">';
+       html += '<option value=""></option>';
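Review bot: In filelist.js the `#dir` value is still interpolated into the `href` via `.replace(/</, '&lt;').replace(/>/, '&gt;')`, which has no `g` flag and so rewrites only the first `<` and first `>` and leaves `"` and `'` untouched inside an attribute, while `name`, `basename` and `extension` now go through `escapeHTML`. Routing the directory through the same helper — `href="download.php?file='+escapeHTML($('#dir').val())+'/'+escapeHTML(name)+'"` — closes that gap, assuming `escapeHTML` also escapes quotes (its definition is not part of this debdiff). Note that versions.js builds its URL from the same `#dir` value with `encodeURIComponent`, so HTML-escaping a URL component here is inconsistent; URL-encoding the component and then attribute-escaping the result would be the safer combination. The `img` value on the preceding context line is likewise inserted into a `style` attribute without escaping.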
diff -Nru owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch 
owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch 1970-01-01 
01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch 2012-11-25 
12:57:50.000000000 +0100
@@ -0,0 +1,34 @@
+commit 99cd922b82ca7684967ec3533fcdd5af32c0edc7
+Author: Lukas Reschke <lu...@statuscode.ch>
+Date:   Sun Oct 14 12:12:55 2012 +0200
+
+    Doublehash the token to prevent timing attacks
+
+Index: owncloud-4.0.8debian/core/lostpassword/index.php
+===================================================================
+--- owncloud-4.0.8debian.orig/core/lostpassword/index.php      2012-11-25 
12:57:44.838176326 +0100
++++ owncloud-4.0.8debian/core/lostpassword/index.php   2012-11-25 
12:57:49.474199345 +0100
+@@ -13,8 +13,8 @@
+ // Someone lost their password:
+ if (isset($_POST['user'])) {
+       if (OC_User::userExists($_POST['user'])) {
+-              $token = hash("sha256", 
$_POST['user'].OC_Util::generate_random_bytes(10));
+-              OC_Preferences::setValue($_POST['user'], 'owncloud', 
'lostpassword', $token);
++              $token = hash("sha256", 
OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
++              OC_Preferences::setValue($_POST['user'], 'owncloud', 
'lostpassword', hash("sha256", $token)); // Hash the token again to prevent 
timing attacks
+               $email = OC_Preferences::getValue($_POST['user'], 'settings', 
'email', '');
+               if (!empty($email) and isset($_POST['sectoken']) and 
isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
+                       $link = OC_Helper::linkToAbsolute('core/lostpassword', 
'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
+Index: owncloud-4.0.8debian/core/lostpassword/resetpassword.php
+===================================================================
+--- owncloud-4.0.8debian.orig/core/lostpassword/resetpassword.php      
2012-11-25 12:57:44.838176326 +0100
++++ owncloud-4.0.8debian/core/lostpassword/resetpassword.php   2012-11-25 
12:57:49.474199345 +0100
+@@ -10,7 +10,7 @@
+ require_once('../../lib/base.php');
+ 
+ // Someone wants to reset their password:
+-if(isset($_GET['token']) && isset($_GET['user']) && 
OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === 
$_GET['token']) {
++if(isset($_GET['token']) && isset($_GET['user']) && 
OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === 
hash("sha256", $_GET['token'])) {
+       if (isset($_POST['password'])) {
+               if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
+                       OC_Preferences::deleteKey($_GET['user'], 'owncloud', 
'lostpassword');
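Review bot: The new compare `OC_Preferences::getValue(...) === hash("sha256", $_GET['token'])` in resetpassword.php is the line that makes the double hashing effective — `===` is still not constant-time, but since the submitted value is hashed first the bytes being compared no longer correlate with the secret being guessed — yet the only explanatory comment sits on the `setValue` line in index.php. A comment at the comparison, e.g. `// stored value is sha256(token); hashing the submitted token before the non-constant-time === keeps the timing leak unusable`, keeps the reasoning next to the code that depends on it. Separately, the context line `($_POST['sectoken']==$_SESSION['sectoken'])` uses loose comparison, which compares numeric-looking strings numerically; unless sectoken is guaranteed non-numeric, `($_POST['sectoken']===$_SESSION['sectoken'])` is the safer form. The `if (isset($_POST['user']))` block begins before this hunk.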
diff -Nru owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch 
owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch
--- owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch 1970-01-01 
01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch 2012-11-25 
12:57:53.000000000 +0100
@@ -0,0 +1,91 @@
+Index: owncloud-4.0.8debian/lib/migrate.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/migrate.php  2012-11-25 12:57:40.610155372 
+0100
++++ owncloud-4.0.8debian/lib/migrate.php       2012-11-25 12:57:52.078212228 
+0100
+@@ -199,8 +199,8 @@
+               // Get export_info.json
+               $scan = scandir( $extractpath );
+               // Check for export_info.json
+-              if( !in_array( 'export_info.json', $scan ) ){
+-                      OC_Log::write( 'migration', 'Invalid import file, 
export_info.json note found', OC_Log::ERROR );
++              if( !in_array( 'export_info.json', $scan ) ) {
++                      OC_Log::write( 'migration', 'Invalid import file, 
export_info.json not found', OC_Log::ERROR );
+                       return json_encode( array( 'success' => false ) );
+               }
+               $json = json_decode( file_get_contents( $extractpath . 
'export_info.json' ) );
+@@ -235,12 +235,19 @@
+                                       return json_encode( array( 'success' => 
false ) );
+                               }
+                               // Copy data
+-                              if( !self::copy_r( $extractpath . 
$json->exporteduser, $datadir . '/' . self::$uid ) ){
+-                                      return json_encode( array( 'success' => 
false ) );
++                              $userfolder = $extractpath . 
$json->exporteduser;
++                              $newuserfolder = $datadir . '/' . self::$uid;
++                              foreach(scandir($userfolder) as $file){
++                                      if($file !== '.' && $file !== '..' && 
is_dir($file)){
++                                              // Then copy the folder over
++                                              
OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
++                                      }
+                               }
+                               // Import user app data
+-                              if( !$appsimported = self::importAppData( 
$extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
+-                                      return json_encode( array( 'success' => 
false ) );
++                              if(file_exists($extractpath . 
$json->exporteduser . '/migration.db')){
++                                      if( !$appsimported = 
self::importAppData( $extractpath . $json->exporteduser . '/migration.db', 
$json, self::$uid ) ) {
++                                              return json_encode( array( 
'success' => false ) );
++                                      }
+                               }
+                               // All done!
+                               if( !self::unlink_r( $extractpath ) ){
+@@ -305,37 +312,6 @@
+       }
+ 
+       /**
+-      * @brief copies recursively
+-      * @param $path string path to source folder
+-      * @param $dest string path to destination
+-      * @return bool
+-      */
+-      private static function copy_r( $path, $dest ){
+-              if( is_dir($path) ){
+-                      @mkdir( $dest );
+-                      $objects = scandir( $path );
+-                      if( sizeof( $objects ) > 0 ){
+-                              foreach( $objects as $file ){
+-                                      if( $file == "." || $file == ".." || 
$file == ".htaccess")
+-                                      continue;
+-                                      // go on
+-                                      if( is_dir( $path . '/' . $file ) ){
+-                                              self::copy_r( $path  .'/' . 
$file, $dest . '/' . $file );
+-                                      } else {
+-                                              copy( $path . '/' . $file, 
$dest . '/' . $file );
+-                                      }
+-                              }
+-                      }
+-                      return true;
+-              }
+-              elseif( is_file( $path ) ){
+-                      return copy( $path, $dest );
+-              } else {
+-                      return false;
+-              }
+-      }
+-
+-      /**
+       * @brief tries to extract the import zip
+       * @param $path string path to the zip
+       * @return string path to extract location (with a trailing slash) or 
false on failure
+Index: owncloud-4.0.8debian/lib/helper.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/helper.php   2012-11-25 12:57:40.610155372 
+0100
++++ owncloud-4.0.8debian/lib/helper.php        2012-11-25 12:57:52.078212228 
+0100
+@@ -309,7 +309,8 @@
+                                       self::copyr("$src/$file", 
"$dest/$file");
+                               }
+                       }
+-              }elseif(file_exists($src)){
++
++              }elseif(file_exists($src) && 
!OC_Filesystem::isFileBlacklisted($src)) {
+                       copy($src, $dest);
+               }
+       }
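Review bot: The new loop in migrate.php tests `is_dir($file)` on the bare entry name returned by `scandir($userfolder)`, while the copy on the next line uses `$userfolder.'/'.$file`; the check is therefore resolved against the process's working directory rather than the extracted user folder, so user subfolders are skipped unless a same-named directory happens to exist in the cwd. The condition should read `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)){`. Also `$json->exporteduser` is read from the archive's export_info.json and concatenated into `$userfolder` and the migration.db path without any validation visible in this hunk; if it is not checked earlier in the method, it should be rejected when it contains a path separator or `..` before being used to build paths. The enclosing import method starts and ends outside the hunk.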
diff -Nru owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch 
owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch
--- owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch 1970-01-01 
01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch 2012-11-25 
12:57:54.000000000 +0100
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.8debian/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/filesystem.php       2012-11-25 
12:57:34.022122706 +0100
++++ owncloud-4.0.8debian/lib/filesystem.php    2012-11-25 12:57:53.858221067 
+0100
+@@ -361,12 +361,16 @@
+        * @return bool
+        */
+       static public function isValidPath($path){
++              $path = str_replace('\\', '/', $path);
+               if(!$path || $path[0]!=='/'){
+                       $path='/'.$path;
+               }
+               if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+                       return false;
+               }
++              if(self::isFileBlacklisted($path)){
++                      return false;
++              }
+               return true;
+       }
+       
+@@ -375,21 +379,23 @@
+        * Listens to write and rename hooks
+        * @param array $data from hook
+        */
+-      static public function isBlacklisted($data){
+-              $blacklist = array('.htaccess');
++      static public function isBlacklisted($data) {
+               if (isset($data['path'])) {
+                       $path = $data['path'];
+               } else if (isset($data['newpath'])) {
+                       $path = $data['newpath'];
+               }
+               if (isset($path)) {
+-                      $filename = strtolower(basename($path));
+-                      if (in_array($filename, $blacklist)) {
+-                              $data['run'] = false;
+-                      }
++                      $data['run'] = !self::isFileBlacklisted($path);
+               }
+       }
+-      
++
++      static public function isFileBlacklisted($path){
++              $blacklist = array('.htaccess');
++              $filename = strtolower(basename($path));
++              return in_array($filename, $blacklist);
++      }
++
+       /**
+        * following functions are equivalent to their php builtin equivalents 
for arguments/return values.
+        */
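Review bot: The rewritten `isBlacklisted` now assigns `$data['run'] = !self::isFileBlacklisted($path);` unconditionally, whereas the removed code only ever set `run` to false; if `run` is shared between hook listeners, a non-blacklisted path now resets a veto left by an earlier listener back to true. Keeping the original narrowing semantics — `if (self::isFileBlacklisted($path)) { $data['run'] = false; }` — preserves the fix without that side effect. The new `isFileBlacklisted` has no docblock and uses a loose `in_array`; `return in_array($filename, $blacklist, true);` plus a docblock in the file's style (`@brief checks whether the basename of $path is a blacklisted filename, case-insensitive`, `@param $path string`, `@return bool`) would match the neighbouring methods. Note that `isValidPath` normalizes backslashes before calling it while `OC_Helper::copyr` passes the raw `$src`, so the two callers feed it slightly different inputs.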
diff -Nru owncloud-4.0.8debian/debian/patches/series 
owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series  2012-10-11 14:17:07.000000000 
+0200
+++ owncloud-4.0.8debian/debian/patches/series  2012-11-25 12:39:57.000000000 
+0100
@@ -5,4 +5,7 @@
 fix_tar_require.diff
 fix_sabre_requires.diff
 fix_config.php_mode.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch
