Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Hi,

On Wed, Dec 12, 2012 at 09:20:38PM +0100, Julien Cristau wrote:
> On Wed, Dec 12, 2012 at 19:44:38 +, Adam D. Barratt wrote:
> > On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
> > > On Wed, Dec 5, 2012 at 22:18:54 +0100, Michael Banck wrote:
> > > > On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> > > > > As far as I can tell this escapeHTML function is not defined in the
> > > > > current version? Upstream git has it in core/js/js.js.
> > > >
> > > > Attached is a new candidate debdiff.
> > >
> > > Assuming this is tested, go ahead.
> >
> > +Index: owncloud-4.0.4debian2/core/js/js.js
> > [...]
> > ++function escapeHTML(s) {
> > [...]
> > +Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
> > [...]
> > +- span class='fc-event-title' + event.title + /span +
> > ++ span class='fc-event-title' + htmlEscape(event.title) + /span +
> >
> > Should the htmlEscape() call in that last hunk be escapeHTML()?
>
> iirc fullcalendar has its own preexisting escape function, with a
> different name.

Yes:

mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$ grep -r htmlEscape * | head -1
3rdparty/fullcalendar/js/fullcalendar.js:function htmlEscape(s) {
mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$

Cheers,

Michael

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Control: tags -1 + moreinfo

On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
> On Wed, Dec 5, 2012 at 22:18:54 +0100, Michael Banck wrote:
> > On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> > > As far as I can tell this escapeHTML function is not defined in the
> > > current version? Upstream git has it in core/js/js.js.
> >
> > Attached is a new candidate debdiff.
>
> Assuming this is tested, go ahead.

+Index: owncloud-4.0.4debian2/core/js/js.js
[...]
++function escapeHTML(s) {
[...]
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
[...]
+- span class='fc-event-title' + event.title + /span +
++ span class='fc-event-title' + htmlEscape(event.title) + /span +

Should the htmlEscape() call in that last hunk be escapeHTML()?

Regards,

Adam
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
On Wed, Dec 12, 2012 at 19:44:38 +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
> > On Wed, Dec 5, 2012 at 22:18:54 +0100, Michael Banck wrote:
> > > On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> > > > As far as I can tell this escapeHTML function is not defined in the
> > > > current version? Upstream git has it in core/js/js.js.
> > >
> > > Attached is a new candidate debdiff.
> >
> > Assuming this is tested, go ahead.
>
> +Index: owncloud-4.0.4debian2/core/js/js.js
> [...]
> ++function escapeHTML(s) {
> [...]
> +Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
> [...]
> +- span class='fc-event-title' + event.title + /span +
> ++ span class='fc-event-title' + htmlEscape(event.title) + /span +
>
> Should the htmlEscape() call in that last hunk be escapeHTML()?

iirc fullcalendar has its own preexisting escape function, with a
different name.

Cheers,
Julien
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
On Wed, Dec 5, 2012 at 22:18:54 +0100, Michael Banck wrote:
> Hi,
>
> On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> > As far as I can tell this escapeHTML function is not defined in the
> > current version? Upstream git has it in core/js/js.js.
>
> Attached is a new candidate debdiff.

Assuming this is tested, go ahead.

Cheers,
Julien
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
On Tue, Dec 4, 2012 at 23:45:19 +0100, Michael Banck wrote:
> +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
> +===
> +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-04 22:47:26.810080751 +0100
> owncloud-4.0.4debian2/apps/files/js/filelist.js 2012-12-04 22:47:26.874081078 +0100
> +@@ -14,9 +14,9 @@
> + var extension=false;
> + }
> + html+='td class=filename style=background-image:url('+img+')input type=checkbox /';
> +-html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+name+'span class=nametext'+basename
> ++html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
> + if(extension){
> +-html+='span class=extension'+extension+'/span';
> ++html+='span class=extension'+escapeHTML(extension)+'/span';
> + }
> + html+='/span/a/td';
> + if(size!='Pending'){

As far as I can tell this escapeHTML function is not defined in the
current version? Upstream git has it in core/js/js.js.

Cheers,
Julien
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> On Tue, Dec 4, 2012 at 23:45:19 +0100, Michael Banck wrote:
> > +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
> > +===
> > +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-04 22:47:26.810080751 +0100
> > owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-04 22:47:26.874081078 +0100
> > +@@ -14,9 +14,9 @@
> > + var extension=false;
> > + }
> > + html+='td class=filename style=background-image:url('+img+')input type=checkbox /';
> > +- html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+name+'span class=nametext'+basename
> > ++ html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
> > + if(extension){
> > +- html+='span class=extension'+extension+'/span';
> > ++ html+='span class=extension'+escapeHTML(extension)+'/span';
> > + }
> > + html+='/span/a/td';
> > + if(size!='Pending'){
>
> As far as I can tell this escapeHTML function is not defined in the
> current version? Upstream git has it in core/js/js.js.

Good catch, this was added in 4.0.9, but not mentioned in the security
advisories AFAICT - so I have to fixup unstable as well :-/

Michael
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> As far as I can tell this escapeHTML function is not defined in the
> current version? Upstream git has it in core/js/js.js.

Attached is a new candidate debdiff.

Cheers,

Michael

diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog 2012-09-22 18:36:17.0 +0200
+++ owncloud-4.0.4debian2/debian/changelog 2012-12-05 22:12:11.0 +0100
@@ -1,3 +1,17 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+ * Non-maintainer upload, fixes several security issues (Closes: #693990).
+ * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+ * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+ * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+ * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+filesystem.php.
+ * debian/patches/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+function from 4.0.8 release.
+ * debian/patches/06_oc-sa-2012-001.patch: Include escapeHTML() function.
+
+ -- Michael Banck mba...@debian.org Wed, 05 Dec 2012 21:25:00 +0100
+
owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
* debian/patches:
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 2012-12-05 21:24:39.0 +0100
@@ -0,0 +1,69 @@
+Index: owncloud-4.0.4debian2/core/js/js.js
+===
+--- owncloud-4.0.4debian2.orig/core/js/js.js 2012-06-26 21:54:07.0 +0200
owncloud-4.0.4debian2/core/js/js.js2012-12-05 21:24:29.624785142 +0100
+@@ -29,6 +29,15 @@
+ }
+ t.cache={};
++/*
++* Sanitizes a HTML string
++* @param string
++* @return Sanitized string
++*/
++function escapeHTML(s) {
++ return s.toString().split('').join('amp;').split('').join('lt;').split('').join('quot;');
++}
++
+
+ OC={
+ webroot:oc_webroot,
+ appswebroot:oc_appswebroot,
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js 2012-12-04 22:43:43.296931413 +0100
owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js 2012-12-05 21:24:29.624785142 +0100
+@@ -4662,7 +4662,7 @@
+ /span;
+ }
+ html +=
+- span class='fc-event-title' + event.title + /span +
++ span class='fc-event-title' + htmlEscape(event.title) + /span +
+ /div;
+ if (seg.isEnd isEventResizable(event)) {
+ html +=
+@@ -5220,5 +5220,5 @@
+ };
+
+ }
+-
++
+
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-05 21:24:29.348783708 +0100
owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-05 21:24:29.628785159 +0100
+@@ -14,9 +14,9 @@
+ var extension=false;
+ }
+ html+='td class=filename style=background-image:url('+img+')input type=checkbox /';
+- html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+name+'span class=nametext'+basename
++ html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
+ if(extension){
+- html+='span class=extension'+extension+'/span';
++ html+='span class=extension'+escapeHTML(extension)+'/span';
+ }
+ html+='/span/a/td';
+ if(size!='Pending'){
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js 2012-12-04 22:43:43.296931413 +0100
owncloud-4.0.4debian2/apps/files_versions/js/versions.js 2012-12-05 21:24:29.628785159 +0100
+@@ -36,7 +36,7 @@
+
+ var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
+
+- var html = 'div id=dropdown class=drop data-file='+files+'';
++ var html = 'div
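Review bot: the escapeHTML() added in the core/js/js.js hunk rewrites only three characters (the join targets are amp;, lt; and quot;), so > and ' pass through untouched; that makes it safe for text nodes and double-quoted attribute values only, and the comment "Sanitizes a HTML string" promises more than that. Either extend the replacement list to cover > and ' as well, or say in the comment which contexts the function is safe for, since the same patch feeds its output into an attribute value in versions.js.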
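Review bot: in the filelist.js hunk the replaced line still escapes the directory with .replace(//, 'lt;').replace(//, 'gt;'), a non-global replace that rewrites only the first occurrence in $('#dir').val() and leaves & and quotes alone, and it applies escapeHTML(name) to a value that lands inside the download.php?file= URL rather than in text. The versions.js hunk in the same patch already uses encodeURIComponent(filename) for its URL; using the same call here for both the directory and the name, and HTML-escaping the whole attribute afterwards, would make the two files consistent and close the remaining gap.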
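Review bot: the @@ -5220,5 +5220,5 @@ hunk in fullcalendar.js only removes and re-adds a blank line (the +- followed by ++) and has no bearing on the XSS fix; dropping it keeps the t-p-u debdiff to the security change itself and easier to review.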
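Review bot: the changelog hunk lists 06_oc-sa-2012-001.patch and 07_oc-sa-2012-002.patch twice each, once for the fix and once for the helper it backports; folding each pair into one entry, e.g. "* debian/patches/07_oc-sa-2012-002.patch: Fix timing attack; backport generate_random_bytes() from the 4.0.8 release.", keeps the changelog to one entry per patch.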
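The escapeHTML() backport and the filelist.js markup changes in the debdiff above, worked through as an added JavaScript example. This is not owncloud's, fullcalendar's or Debian's code: escapeHTML() here covers all five HTML-significant characters rather than the three in the backport, escapeFirstOnly() reproduces the non-global replace pattern from filelist.js so its gap can be seen, and renderFileRow(), containsRawTag() and demo() are names chosen for this example. The file name used as input is constructed.

```javascript
// Added example, not owncloud's, fullcalendar's or Debian's code: a
// context-aware HTML escaper in the spirit of the escapeHTML() backport in
// this thread, plus a check that shows why a non-global replace (the
// .replace(/</, ...) pattern used for the directory in filelist.js) is not
// sufficient. All inputs below are constructed.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escapes the five characters that matter in text nodes and in single- or
// double-quoted attribute values. The backported owncloud escapeHTML() only
// covers &, < and ", so it is safe for text nodes and double-quoted
// attributes but not for single-quoted ones.
function escapeHTML(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Mirrors the filelist.js pattern: without the g flag only the first '<' and
// the first '>' are rewritten, and '&', '"' and "'" are not touched at all.
function escapeFirstOnly(s) {
  return String(s).replace(/</, '&lt;').replace(/>/, '&gt;');
}

// Detection helper: true if the string still contains something a browser
// would parse as a tag opener (a '<' followed by a letter, '/' or '!').
function containsRawTag(html) {
  return /<[a-z\/!]/i.test(html);
}

// Builds the file-row markup roughly the way filelist.js does, with each value
// escaped for the context it lands in: URL pieces are percent-encoded first
// (as versions.js does with encodeURIComponent), then the whole href is
// attribute-escaped; display names are escaped as text.
function renderFileRow(dir, name, extension) {
  const href = 'download.php?file=' + encodeURIComponent(dir) + '/' + encodeURIComponent(name);
  let html = '<td class="filename">';
  html += '<a class="name" href="' + escapeHTML(href) + '">';
  html += '<span class="nametext">' + escapeHTML(name);
  if (extension) {
    html += '<span class="extension">' + escapeHTML(extension) + '</span>';
  }
  html += '</span></a></td>';
  return html;
}

// Constructed sample input: a file name that contains markup characters.
const SAMPLE_NAME = 'report<b>2012</b>.txt';

// Runs the three variants on the sample so the difference is visible in one place.
function demo() {
  return {
    full: escapeHTML(SAMPLE_NAME),
    firstOnly: escapeFirstOnly(SAMPLE_NAME),
    row: renderFileRow('docs', SAMPLE_NAME, 'txt'),
  };
}
```

With the sample name, escapeFirstOnly() leaves the closing tag intact (containsRawTag() reports it), while escapeHTML() neutralises every occurrence; renderFileRow() shows the two escapers a file list actually needs, encodeURIComponent() for the URL part and HTML escaping for the attribute and text parts.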
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I would like to ask pre-approval to upload owncloud 4.0.4debian2-3.1 to
testing-proposed-updates. It fixes bug #693990 (multiple security
issues). The debdiff is attached.

This bug has been fixed in unstable with a similar patch in version
4.0.8debian-1.1. I had to adopt 07_oc-sa-2012-002.patch and backport a
helper function from the unstable upstream version.

Cheers,

Michael

diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog 2012-09-22 18:36:17.0 +0200
+++ owncloud-4.0.4debian2/debian/changelog 2012-12-04 22:45:50.0 +0100
@@ -1,3 +1,16 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+ * Non-maintainer upload, fixes several security issues (Closes: #693990).
+ * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+ * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+ * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+ * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+filesystem.php.
+ * debian/pathes/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+function from 4.0.8 release.
+
+ -- Michael Banck mba...@debian.org Tue, 04 Dec 2012 22:22:39 +0100
+
owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
* debian/patches:
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 2012-12-04 22:47:34.0 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js 2012-12-04 22:43:43.296931413 +0100
owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js 2012-12-04 22:47:26.874081078 +0100
+@@ -4662,7 +4662,7 @@
+ /span;
+ }
+ html +=
+- span class='fc-event-title' + event.title + /span +
++ span class='fc-event-title' + htmlEscape(event.title) + /span +
+ /div;
+ if (seg.isEnd isEventResizable(event)) {
+ html +=
+@@ -5220,5 +5220,5 @@
+ };
+
+ }
+-
++
+
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-04 22:47:26.810080751 +0100
owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-04 22:47:26.874081078 +0100
+@@ -14,9 +14,9 @@
+ var extension=false;
+ }
+ html+='td class=filename style=background-image:url('+img+')input type=checkbox /';
+- html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+name+'span class=nametext'+basename
++ html+='a class=name href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
+ if(extension){
+- html+='span class=extension'+extension+'/span';
++ html+='span class=extension'+escapeHTML(extension)+'/span';
+ }
+ html+='/span/a/td';
+ if(size!='Pending'){
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js 2012-12-04 22:43:43.296931413 +0100
owncloud-4.0.4debian2/apps/files_versions/js/versions.js 2012-12-04 22:47:26.874081078 +0100
+@@ -36,7 +36,7 @@
+
+ var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
+
+- var html = 'div id=dropdown class=drop data-file='+files+'';
++ var html = 'div id=dropdown class=drop data-file='+escapeHTML(files)+'';
+ html += 'div id=private';
+ html += 'select data-placeholder=Saved versions id=found_versions class=chzen-select style=width:16em;';
+ html += 'option value=/option';
diff -Nru owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch 1970-01-01
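Review bot: the changelog hunk spells the directory as debian/pathes in the generate_random_bytes() entry; it should read debian/patches/07_oc-sa-2012-002.patch like the other entries, and since that patch is already listed for the timing-attack fix the two entries could be merged into one.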
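Review bot: the versions.js hunk calls escapeHTML(files), and the filelist.js hunk calls escapeHTML(name), escapeHTML(basename) and escapeHTML(extension), but no hunk in this debdiff defines escapeHTML(); on a 4.0.4 tree without the upstream helper in core/js/js.js each of these calls fails with a ReferenceError the first time the file list or the versions dropdown is rendered, so the function has to be backported in the same patch (the revised debdiff in this thread adds it to core/js/js.js).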