Your message dated Fri, 10 Aug 2012 06:03:21 +0000
with message-id <e1szijd-00060h...@franck.debian.org>
and subject line Bug#684426: fixed in owncloud 4.0.5debian2-2
has caused the Debian Bug report #684426,
regarding [owncloud] Users can overwrite read-only shared files owned by other users via WebDAV
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
684426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: owncloud
Version: 4.0.5debian2-1
Severity: grave
Tags: patch security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi,

I stumbled over a security bug in owncloud with the result of data loss or modification, depending on the configuration of owncloud.

It is possible for regular users of owncloud to overwrite files that are shared by another owncloud user via WebDAV. If version control is activated, user1 could revert the file to its previous state, but if it's not activated, user1's data is lost.

Find attached a patch that should fix the security flaw for owncloud 4.0.5debian2-1.

Cheers - Fuddl

--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org

--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.

From 05648dac619942dfccc76180d30fcd79364355ec Mon Sep 17 00:00:00 2001
From: Michael Gapczynski <mt...@owncloud.com>
Date: Wed, 8 Aug 2012 11:25:24 -0400
Subject: [PATCH] Don't return file handle if the mode supports writing and the file is not writable

---
 apps/files_sharing/sharedstorage.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

Index: owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php
===================================================================
--- owncloud-4.0.5debian2.orig/apps/files_sharing/sharedstorage.php	2012-07-19 18:50:49.000000000 +0200
+++ owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php	2012-08-09 11:29:58.000000000 +0200
@@ -416,6 +416,25 @@ public function fopen($path, $mode) { $source = $this->getSource($path); if ($source) { + switch ($mode) { + case 'r+': + case 'rb+': + case 'w+': + case 'wb+': + case 'x+': + case 'xb+': + case 'a+': + case 'ab+': + case 'w': + case 'wb': + case 'x': + case 'xb': + case 'a': + case 'ab': + if (!$this->is_writable($path)) { + return false; + } + } $storage = OC_Filesystem::getStorage($source); return $storage->fopen($this->getInternalPath($source), $mode); }signature.asc
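Review bot: the switch enumerates write modes by exact string and leaves out PHP's 'c' and 'c+' modes (and their 'cb'/'cb+' variants), which also open the file for writing, so a client asking for one of those still gets a handle on a share that is not writable. Deriving the decision from the mode itself closes that gap and replaces the fourteen cases, e.g. `if (($mode[0] !== 'r' || strpos($mode, '+') !== false) && !$this->is_writable($path)) { return false; }`. The fourteen cases also fall through to a single `if` with no `break` and no `default`; that works here, but a one-line comment stating that the fall-through is intended would save the next reader a double take.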
--- End Message ---
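The write-mode gate the attached patch adds to SharedStorage::fopen(), modelled in Python as an added example (not ownCloud or Debian code) so the decision can be exercised without a WebDAV server. It assumes PHP's fopen() mode semantics: a mode opens for writing when its first character is w, a, x or c, or when it contains '+', while 'b' and 't' are modifiers that do not change that. The enumerated mode list is the one from the hunk; the candidate modes and the function names are constructed for the example and show which write modes the enumeration lets through.

```python
"""Model of the fopen()-mode check from the patch for Debian #684426.

Added example, not ownCloud or Debian code. Assumption: PHP fopen() modes
open for writing when mode[0] is one of w/a/x/c or the mode contains '+';
'b' and 't' are modifiers only.
"""

# The write modes the patch enumerates in its switch, copied from the hunk.
PATCH_WRITE_MODES = frozenset({
    'r+', 'rb+', 'w+', 'wb+', 'x+', 'xb+', 'a+', 'ab+',
    'w', 'wb', 'x', 'xb', 'a', 'ab',
})


def mode_opens_for_writing(mode: str) -> bool:
    """Flag-based classification of a PHP fopen() mode string (assumption above)."""
    if not mode:
        return False
    return mode[0] in 'waxc' or '+' in mode


def patch_gate(mode: str, writable: bool) -> bool:
    """Allow/deny decision exactly as the enumerated switch in the patch makes it.

    Returns True when fopen() would hand back a handle on a share whose
    writability is `writable`.
    """
    if mode in PATCH_WRITE_MODES and not writable:
        return False
    return True


def flag_gate(mode: str, writable: bool) -> bool:
    """Same decision, derived from the mode's flags instead of a fixed list."""
    if mode_opens_for_writing(mode) and not writable:
        return False
    return True


# Constructed candidate modes: the patch's list plus the plain read modes and the
# 'c'/'c+' family and 't'-modifier spellings that PHP also accepts.
CANDIDATE_MODES = sorted(PATCH_WRITE_MODES | {
    'r', 'rb', 'rt', 'c', 'cb', 'ct', 'c+', 'cb+', 'ct+', 'wt', 'wt+', 'at', 'xt',
})


def modes_that_bypass_patch() -> list:
    """Write modes that still get a handle from the patched gate on a
    non-writable share, i.e. the modes the enumeration does not cover."""
    return [m for m in CANDIDATE_MODES
            if mode_opens_for_writing(m) and patch_gate(m, writable=False)]


if __name__ == '__main__':
    for m in CANDIDATE_MODES:
        print(f"{m:4} patch={'allow' if patch_gate(m, False) else 'deny':5} "
              f"flags={'allow' if flag_gate(m, False) else 'deny'}")
    print('bypass the patch on a read-only share:', modes_that_bypass_patch())
```

Run it and the table shows the two gates agreeing on every mode the patch lists and disagreeing on the 'c' family and the 't' spellings; those are the strings a WebDAV client would need to send to keep overwriting a read-only share after the patch, so a regression test for the fix should include them rather than only 'w'.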
--- Begin Message ---
Source: owncloud
Source-Version: 4.0.5debian2-2

We believe that the bug you reported is fixed in the latest version of
owncloud, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Mueller <thomas.muel...@tmit.eu> (supplier of updated owncloud package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Aug 2012 23:29:25 +0200
Source: owncloud
Binary: owncloud owncloud-mysql owncloud-sqlite
Architecture: source all
Version: 4.0.5debian2-2
Distribution: unstable
Urgency: high
Maintainer: ownCloud for Debian maintainers <pkg-owncloud-maintain...@lists.alioth.debian.org>
Changed-By: Thomas Mueller <thomas.muel...@tmit.eu>
Description: 
 owncloud   - cloud storage for files, music, contacts, calendars and many more
 owncloud-mysql - meta-package providing MySQL dependencies for ownCloud
 owncloud-sqlite - meta-package providing SQLite dependencies for ownCloud
Closes: 684426
Changes: 
 owncloud (4.0.5debian2-2) unstable; urgency=high
 .
   * debian/patches:
     - Added fix_writing_to_shared_readonly.diff to fix WebDAV write access
       to shared files (Closes: #684426)
   * debian/rules:
     - Remove experimental feature 'files_external'
Checksums-Sha1: 
 0812a3f8ebca2ebd8bbdee8690f7dac790274449 1508 owncloud_4.0.5debian2-2.dsc
 c03841c260db182ae82f7b287db6be777806bbc6 37364 owncloud_4.0.5debian2-2.debian.tar.gz
 649a3eab656ca5d023292483d7631f00977487b7 2208342 owncloud_4.0.5debian2-2_all.deb
 d1df7ba03a67bc6cd76aa3a8be95bb05e8606613 28866 owncloud-mysql_4.0.5debian2-2_all.deb
 23e9f4c96f81e6469f7856d657a5245733c9ecc7 53342 owncloud-sqlite_4.0.5debian2-2_all.deb
Checksums-Sha256: 
 514278011c7db4d7fecc95731917b04c7cbb4903779348e161593063cd09ab16 1508 owncloud_4.0.5debian2-2.dsc
 edb40eee902c90d36d9f137c3b8395e61d6cb0ffedd0476c0015b5f721088d30 37364 owncloud_4.0.5debian2-2.debian.tar.gz
 ca342b48ceb9b78c5f85ef28ed937e71c6e6716d2755a7474758ca6b136020a2 2208342 owncloud_4.0.5debian2-2_all.deb
 def4ec2cd71c41b09568bfa444054138f16f058cb689b6d0f0a06b9ce40525e9 28866 owncloud-mysql_4.0.5debian2-2_all.deb
 cef42995a9efe477863daf4b3eeb7371e7c874b61eb5ea038304e54f5d1e97bd 53342 owncloud-sqlite_4.0.5debian2-2_all.deb
Files: 
 b83a2d254ae75eff21bbedfc19dca199 1508 web extra owncloud_4.0.5debian2-2.dsc
 55c9ca2df18d9f208b4fdcec1934401c 37364 web extra owncloud_4.0.5debian2-2.debian.tar.gz
 2a7bab123e178011740fb8510cdd8b58 2208342 web extra owncloud_4.0.5debian2-2_all.deb
 2342a05c82ca59de605db05aa2e6d6dc 28866 web extra owncloud-mysql_4.0.5debian2-2_all.deb
 8fab020206a4b4662371f08b11d4aa22 53342 web extra owncloud-sqlite_4.0.5debian2-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAkMJoACgkQOB0qx4EksQBBUwCeKU722RgakULZq1YcTOoOYdWw
524Aniq1hYwCJh9ssjdAU2cqMvnayhwy
=efj/
-----END PGP SIGNATURE-----
--- End Message ---