Processed: Re: Bug#697414: tpu: owncloud/4.0.4debian2-3.2 (pre-approval)

2013-01-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #697414 [release.debian.org] tpu: owncloud/4.0.4debian2-3.2 (pre-approval)
Added tag(s) confirmed.

-- 
697414: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697414
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/handler.s.b697414.135733976820090.transcr...@bugs.debian.org



Bug#697414: tpu: owncloud/4.0.4debian2-3.2 (pre-approval)

2013-01-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2013-01-04 at 23:35 +0100, Luca Falavigna wrote:
> I'd like to see if it's feasible to upload a targeted fix to testing-proposed-
> updates to address #696574.
> 
> This bug has been fixed in unstable already, but given it has a newer upstream
> version, it's unlikely it will migrate, hence this request.

It is indeed very unlikely, hence the previous tpu upload. Please go
ahead; thanks.

Regards,

Adam





Bug#697414: tpu: owncloud/4.0.4debian2-3.2 (pre-approval)

2013-01-04 Thread Luca Falavigna
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I'd like to see if it's feasible to upload a targeted fix to testing-proposed-
updates to address #696574.

This bug has been fixed in unstable already, but given it has a newer upstream
version, it's unlikely it will migrate, hence this request.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2012-12-05 22:12:11.0 +0100
+++ owncloud-4.0.4debian2/debian/changelog	2013-01-04 23:31:11.0 +0100
@@ -1,3 +1,14 @@
+owncloud (4.0.4debian2-3.2) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Multiple security fixes (Closes: #696574):
++ debian/patches/10_oc-sa-2012-006.patch:
+  - CVE-2012-5665: Auth bypass in user_webdavauth and user_ldap
++ debian/patches/11_oc-sa-2012-007.patch:
+  - CVE-2012-5666: XSS vulnerability in bookmarks
+
+ -- Luca Falavigna   Fri, 04 Jan 2013 23:30:46 +0100
+
 owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
 
   * Non-maintainer upload, fixes several security issues (Closes: #693990).
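Review bot: The CVE-2012-5665 line of the new changelog entry names user_webdavauth and user_ldap, but 10_oc-sa-2012-006.patch in this debdiff changes apps/files_encryption/settings.php, apps/user_ldap/settings.php and apps/user_migrate/settings.php, and nothing under user_webdavauth. Please either reword the entry so it lists the components actually patched, or add a line explaining why user_webdavauth needs no change in this version, so the changelog and the patch contents agree for anyone auditing the upload later.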
diff -Nru owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch
--- owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch	1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/10_oc-sa-2012-006.patch	2013-01-04 23:28:29.0 +0100
@@ -0,0 +1,48 @@
+Index: owncloud-4.0.8debian/apps/files_encryption/settings.php
+===
+--- owncloud-4.0.8debian.orig/apps/files_encryption/settings.php	2012-10-09 17:09:46.0 +0200
 owncloud-4.0.8debian/apps/files_encryption/settings.php	2012-12-25 16:29:57.110214044 +0100
+@@ -6,6 +6,8 @@
+  * See the COPYING-README file.
+  */
+ 
++OC_Util::checkAdminUser();
++
+ $tmpl = new OCP\Template( 'files_encryption', 'settings');
+ $blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg'));
+ $enabled=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true');
+Index: owncloud-4.0.8debian/apps/user_ldap/settings.php
+===
+--- owncloud-4.0.8debian.orig/apps/user_ldap/settings.php	2012-10-09 17:10:37.0 +0200
 owncloud-4.0.8debian/apps/user_ldap/settings.php	2012-12-25 16:29:57.114214045 +0100
+@@ -20,6 +20,9 @@
+  * License along with this library.  If not, see .
+  *
+  */
++
++OC_Util::checkAdminUser();
++
+ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute');
+ 
+ OCP\Util::addscript('user_ldap', 'settings');
+Index: owncloud-4.0.8debian/apps/user_migrate/settings.php
+===
+--- owncloud-4.0.8debian.orig/apps/user_migrate/settings.php	2012-10-09 17:10:37.0 +0200
 owncloud-4.0.8debian/apps/user_migrate/settings.php	2012-12-25 16:29:57.114214045 +0100
+@@ -22,6 +22,9 @@
+  * License along with this library.  If not, see .
+  *
+  */
++
++OC_Util::checkLoggedIn();
++
+ OCP\App::checkAppEnabled('user_migrate');
+ if (isset($_POST['user_import'])) {
+ 	$root = OC::$SERVERROOT . "/";
+@@ -86,4 +89,4 @@
+ 	// fill template
+ 	$tmpl = new OCP\Template('user_migrate', 'settings');
+ 	return $tmpl->fetchPage();
+-}
+\ No newline at end of file
++}
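Review bot: apps/user_migrate/settings.php only gains OC_Util::checkLoggedIn(), while files_encryption and user_ldap gain OC_Util::checkAdminUser(); please state in the patch whether the weaker check is intended for user_migrate, since that page handles $_POST['user_import']. The patch file also starts directly at the first Index: line with no header, so a short description naming oc-sa-2012-006, CVE-2012-5665 and the upstream origin would help. The Index: paths refer to owncloud-4.0.8debian while the package is owncloud-4.0.4debian2, so it is worth confirming that the -6,6, -20,6 and -22,6 hunks apply to this tree without fuzz. The final -86,4 hunk only adds the missing newline after the closing brace and could be dropped from a targeted upload.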
diff -Nru owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch
--- owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch	1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/11_oc-sa-2012-007.patch	2013-01-04 23:28:29.0 +0100
@@ -0,0 +1,13 @@
+Index: owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js
+===
+--- owncloud-4.0.8debian.orig/apps/bookmarks/js/bookmarks.js	2012-10-09 17:10:37.0 +0200
 owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js	2012-12-25 16:25:21.050223382 +0100
+@@ -141,7 +141,7 @@
+ 	var taglist = '';
+ 	for ( var i=0, len=tags.length; i' + tags[i] + ' ';
++			taglist = taglist + '' + tags[i] + ' ';
+ 	}
+ 	if(!hasProtocol(bookmark.url)) {
+ 		bookmark.url = 'http://' + bookmark.url;
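Review bot: In the -141,7 hunk the replacement line still concatenates tags[i] into taglist with no escaping call around it (taglist = taglist + '' + tags[i] + ' ';), and the removed line is cut off as posted, so the fix for CVE-2012-5666 cannot be confirmed from these lines. Please confirm that the tag text is HTML-encoded before it is appended to the markup string, and that the same holds for any other place in bookmarks.js where tag values are inserted. As with the previous patch, a header naming oc-sa-2012-007 and the upstream origin is missing before the Index: line.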
diff -Nru owncloud-4.0.4debi