Hi, On Sun, Nov 25, 2012 at 01:02:20PM +0100, Michael Banck wrote: > Attached is a NMU candidate debdiff, extracting the applicable changes > from 4.0.9.
Attached is the final debdiff. Cheers, Michael
diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog 2012-10-11 14:45:06.000000000 +0200
+++ owncloud-4.0.8debian/debian/changelog 2012-11-25 17:37:58.000000000 +0100
@@ -1,3 +1,14 @@
+owncloud (4.0.8debian-1.1) unstable; urgency=high
+
+ * Non-maintainer upload, fixes several security issues (Closes: #693990).
+ * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+ * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+ * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+ * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+ filesystem.php.
+
+ -- Michael Banck <mba...@debian.org> Sun, 25 Nov 2012 12:26:01 +0100
+
 owncloud (4.0.8debian-1) unstable; urgency=low
 
 * New upstream bugfix release
diff -Nru owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch 1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch 2012-11-25 12:57:46.000000000 +0100
@@ -0,0 +1,49 @@ +Index: owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js +=================================================================== +--- owncloud-4.0.8debian.orig/3rdparty/fullcalendar/js/fullcalendar.js 2012-11-25 12:56:19.273752054 +0100 ++++ owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js 2012-11-25 12:56:22.161766368 +0100 +@@ -4662,7 +4662,7 @@ + "</span>"; + } + html += +- "<span class='fc-event-title'>" + event.title + "</span>" + ++ "<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" + + "</div>"; + if (seg.isEnd && isEventResizable(event)) { + html += +@@ -5220,5 +5220,5 @@ + }; + + } +- ++ + })(jQuery); +Index: owncloud-4.0.8debian/apps/files/js/filelist.js +=================================================================== +--- owncloud-4.0.8debian.orig/apps/files/js/filelist.js 2012-11-25 12:56:19.273752054 +0100 ++++ owncloud-4.0.8debian/apps/files/js/filelist.js 2012-11-25 12:56:22.161766368 +0100 +@@ -14,9 +14,9 @@ + var extension=false; + } + html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />'; +- html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename ++ html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename); + if(extension){ +- html+='<span class="extension">'+extension+'</span>'; ++ html+='<span class="extension">'+escapeHTML(extension)+'</span>'; + } + html+='</span></a></td>'; + if(size!='Pending'){ +Index: owncloud-4.0.8debian/apps/files_versions/js/versions.js +=================================================================== +--- owncloud-4.0.8debian.orig/apps/files_versions/js/versions.js 2012-11-25 12:56:19.273752054 +0100 ++++ owncloud-4.0.8debian/apps/files_versions/js/versions.js 2012-11-25 12:56:22.161766368 +0100 +@@ -36,7 +36,7 @@ + 
+ var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename ); + +- var html = '<div id="dropdown" class="drop" data-file="'+files+'">'; ++ var html = '<div id="dropdown" class="drop" data-file="'+escapeHTML(files)+'">'; + html += '<div id="private">'; + html += '<select data-placeholder="Saved versions" id="found_versions" class="chzen-select" style="width:16em;">'; + html += '<option value=""></option>'; diff -Nru owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch --- owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch 2012-11-25 13:13:56.000000000 +0100 
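Review bot: In the filelist.js hunk the directory part of the `download.php?file=` href is still built from `$('#dir').val().replace(/</, …).replace(/>/, …)`, and neither `replace` carries the `g` flag, so only the first `<` and the first `>` of the directory name are rewritten while the new `escapeHTML()` covers just `name`, `basename` and `extension`. The versions.js hunk in the same patch already builds its URL as `encodeURIComponent($('#dir').val()).replace(/%2F/g, '/')`; using that form for the directory and `encodeURIComponent(name)` for the file here would handle attribute breakout and URL-reserved characters (`&`, `#`, `%`) in one step, e.g. `html+='<a class="name" href="download.php?file='+encodeURIComponent($('#dir').val()).replace(/%2F/g, '/')+'/'+encodeURIComponent(name)+'"><span class="nametext">'+escapeHTML(basename);`. The `img` value interpolated into the `style` attribute on the preceding line is not escaped either; whether it can carry user-controlled text is not visible in this hunk. The enclosing function starts and ends outside the hunk.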
@@ -0,0 +1,28 @@ +Index: owncloud-4.0.8debian/core/lostpassword/index.php +=================================================================== +--- owncloud-4.0.8debian.orig/core/lostpassword/index.php 2012-11-25 12:57:44.838176326 +0100 ++++ owncloud-4.0.8debian/core/lostpassword/index.php 2012-11-25 12:57:49.474199345 +0100 +@@ -13,8 +13,8 @@ + // Someone lost their password: + if (isset($_POST['user'])) { + if (OC_User::userExists($_POST['user'])) { +- $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10)); +- OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token); ++ $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', '')); ++ OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks + $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', ''); + if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) { + $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token; +Index: owncloud-4.0.8debian/core/lostpassword/resetpassword.php +=================================================================== +--- owncloud-4.0.8debian.orig/core/lostpassword/resetpassword.php 2012-11-25 12:57:44.838176326 +0100 ++++ owncloud-4.0.8debian/core/lostpassword/resetpassword.php 2012-11-25 12:57:49.474199345 +0100 +@@ -10,7 +10,7 @@ + require_once('../../lib/base.php'); + + // Someone wants to reset their password: +-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) { ++if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) { + if (isset($_POST['password'])) { + if 
(OC_User::setPassword($_GET['user'], $_POST['password'])) { + OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword'); diff -Nru owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch --- owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch 2012-11-25 12:57:53.000000000 +0100 
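Review bot: The check in resetpassword.php is still a plain `===` between the stored value and `hash("sha256", $_GET['token'])`; hashing the presented token first does remove the timing channel on the stored secret (a byte-by-byte leak now reveals only a hash of the guess), but nothing at the comparison site says so, and a comment such as `// compare hashes, not tokens: timing on this compare reveals nothing about the stored token` plus `hash_equals()` where the deployment's PHP (5.6+) provides it would make the intent explicit. Neither hunk gives the token a lifetime: index.php writes it and it is removed only after a successful `OC_User::setPassword()`, so a reset link that leaks from a mailbox or mail log stays usable indefinitely; storing a timestamp beside the hash and rejecting it after a bounded interval would close that. The `$_POST['sectoken']==$_SESSION['sectoken']` context line in index.php uses loose comparison; `===` avoids type juggling there. Both enclosing `if` blocks continue outside the hunks.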
@@ -0,0 +1,91 @@ +Index: owncloud-4.0.8debian/lib/migrate.php +=================================================================== +--- owncloud-4.0.8debian.orig/lib/migrate.php 2012-11-25 12:57:40.610155372 +0100 ++++ owncloud-4.0.8debian/lib/migrate.php 2012-11-25 12:57:52.078212228 +0100 +@@ -199,8 +199,8 @@ + // Get export_info.json + $scan = scandir( $extractpath ); + // Check for export_info.json +- if( !in_array( 'export_info.json', $scan ) ){ +- OC_Log::write( 'migration', 'Invalid import file, export_info.json note found', OC_Log::ERROR ); ++ if( !in_array( 'export_info.json', $scan ) ) { ++ OC_Log::write( 'migration', 'Invalid import file, export_info.json not found', OC_Log::ERROR ); + return json_encode( array( 'success' => false ) ); + } + $json = json_decode( file_get_contents( $extractpath . 'export_info.json' ) ); +@@ -235,12 +235,19 @@ + return json_encode( array( 'success' => false ) ); + } + // Copy data +- if( !self::copy_r( $extractpath . $json->exporteduser, $datadir . '/' . self::$uid ) ){ +- return json_encode( array( 'success' => false ) ); ++ $userfolder = $extractpath . $json->exporteduser; ++ $newuserfolder = $datadir . '/' . self::$uid; ++ foreach(scandir($userfolder) as $file){ ++ if($file !== '.' && $file !== '..' && is_dir($file)){ ++ // Then copy the folder over ++ OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file); ++ } + } + // Import user app data +- if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){ +- return json_encode( array( 'success' => false ) ); ++ if(file_exists($extractpath . $json->exporteduser . '/migration.db')){ ++ if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ) { ++ return json_encode( array( 'success' => false ) ); ++ } + } + // All done! 
+ if( !self::unlink_r( $extractpath ) ){ +@@ -305,37 +312,6 @@ + } + + /** +- * @brief copies recursively +- * @param $path string path to source folder +- * @param $dest string path to destination +- * @return bool +- */ +- private static function copy_r( $path, $dest ){ +- if( is_dir($path) ){ +- @mkdir( $dest ); +- $objects = scandir( $path ); +- if( sizeof( $objects ) > 0 ){ +- foreach( $objects as $file ){ +- if( $file == "." || $file == ".." || $file == ".htaccess") +- continue; +- // go on +- if( is_dir( $path . '/' . $file ) ){ +- self::copy_r( $path .'/' . $file, $dest . '/' . $file ); +- } else { +- copy( $path . '/' . $file, $dest . '/' . $file ); +- } +- } +- } +- return true; +- } +- elseif( is_file( $path ) ){ +- return copy( $path, $dest ); +- } else { +- return false; +- } +- } +- +- /** + * @brief tries to extract the import zip + * @param $path string path to the zip + * @return string path to extract location (with a trailing slash) or false on failure +Index: owncloud-4.0.8debian/lib/helper.php +=================================================================== +--- owncloud-4.0.8debian.orig/lib/helper.php 2012-11-25 12:57:40.610155372 +0100 ++++ owncloud-4.0.8debian/lib/helper.php 2012-11-25 12:57:52.078212228 +0100 +@@ -309,7 +309,8 @@ + self::copyr("$src/$file", "$dest/$file"); + } + } +- }elseif(file_exists($src)){ ++ ++ }elseif(file_exists($src) && !OC_Filesystem::isFileBlacklisted($src)) { + copy($src, $dest); + } + } diff -Nru owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch --- owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch 1970-01-01 01:00:00.000000000 +0100 +++ owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch 2012-11-25 12:57:54.000000000 +0100 
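Review bot: `is_dir($file)` in the new copy loop of migrate.php tests the bare entry name against the process's working directory rather than the extracted folder, so entries of `$userfolder` are copied only when a same-named directory happens to exist in the cwd; the test should be `is_dir($userfolder.'/'.$file)`. `$json->exporteduser` is read from the uploaded archive's `export_info.json` and concatenated straight into `$userfolder`, so before any path is built it should be checked to be a single non-empty path component (`basename($json->exporteduser) === $json->exporteduser`, and not `.` or `..`), returning the usual `json_encode( array( 'success' => false ) )` otherwise. `scandir($userfolder)` returns `false` when the folder is missing, which the `foreach` then iterates with a warning; a guard before the loop keeps that failure on the same JSON error path. In helper.php the new `isFileBlacklisted` guard covers only the file branch, and `copyr` starts outside the hunk, so its directory branch cannot be reviewed here.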
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.8debian/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/filesystem.php 2012-11-25 12:57:34.022122706 +0100
++++ owncloud-4.0.8debian/lib/filesystem.php 2012-11-25 12:57:53.858221067 +0100
+@@ -361,12 +361,16 @@
+ * @return bool
+ */
+ static public function isValidPath($path){
++ $path = str_replace('\\', '/', $path);
+ if(!$path || $path[0]!=='/'){
+ $path='/'.$path;
+ }
+ if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+ return false;
+ }
++ if(self::isFileBlacklisted($path)){
++ return false;
++ }
+ return true;
+ }
+ 
+@@ -375,21 +379,23 @@
+ * Listens to write and rename hooks
+ * @param array $data from hook
+ */
+- static public function isBlacklisted($data){
+- $blacklist = array('.htaccess');
++ static public function isBlacklisted($data) {
+ if (isset($data['path'])) {
+ $path = $data['path'];
+ } else if (isset($data['newpath'])) {
+ $path = $data['newpath'];
+ }
+ if (isset($path)) {
+- $filename = strtolower(basename($path));
+- if (in_array($filename, $blacklist)) {
+- $data['run'] = false;
+- }
++ $data['run'] = !self::isFileBlacklisted($path);
+ }
+ }
+-
++
++ static public function isFileBlacklisted($path){
++ $blacklist = array('.htaccess');
++ $filename = strtolower(basename($path));
++ return in_array($filename, $blacklist);
++ }
++
+ /**
+ * following functions are equivalent to their php builtin equivalents for arguments/return values.
+ */
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series 2012-10-11 14:17:07.000000000 +0200
+++ owncloud-4.0.8debian/debian/patches/series 2012-11-25 12:39:57.000000000 +0100
@@ -5,4 +5,7 @@
 fix_tar_require.diff
 fix_sabre_requires.diff
 fix_config.php_mode.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch
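Review bot: The rewritten `isBlacklisted` hook now assigns `$data['run'] = !self::isFileBlacklisted($path)` unconditionally, whereas the removed code only ever cleared the flag; if `$data` is shared by reference across hook listeners (which the old `$data['run'] = false` implies), a listener that has already vetoed the write or rename gets it re-enabled whenever the name is not `.htaccess`. Keeping the one-way form, `if (self::isFileBlacklisted($path)) { $data['run'] = false; }`, preserves other listeners' vetoes. `isFileBlacklisted` also lacks the docblock its neighbours carry; a `/** @brief checks the lower-cased basename of $path against the filename blacklist @param string $path @return bool */` would match the file's style. The `in_array` call there can pass `true` as its third argument, since the list holds strings only.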