[Pkg-owncloud-commits] [SCM] owncloud.git branch, master, updated. debian/4.0.8debian-1.5-24-ge40196f

David Prévot taffit at debian.org
Fri Mar 22 23:36:17 UTC 2013


The following commit has been merged in the master branch:
commit 4338654a015c1690cb82dc1e5cb780fd436246a0
Author: gregor herrmann <gregoa at debian.org>
Date:   Tue Mar 19 17:05:08 2013 +0100

    Imported Debian patch 4.0.8debian-1.6

diff --git a/debian/changelog b/debian/changelog
index cfe7bd8..0eff11c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+owncloud (4.0.8debian-1.6) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix "multiple vulnerabilities (oC-SA-2013-009, oC-SA-2013-010)":
+    add patches taken from upstream git:
+    + debian/patches/16_oc-sa-2013-010.patch
+      CVE-2013-1851: user_migrate: Local file disclosure
+      oC-SA-2013-010, commit edf7162 in stable4 branch
+    + debian/patches/17_oc-sa-2013-009.patch
+      CVE-2013-1850: Contacts: Bypass of file blacklist
+      oC-SA-2013-009, commit fae5bd3 in stable4 branch
+    (Closes: #703094)
+
+ -- gregor herrmann <gregoa at debian.org>  Tue, 19 Mar 2013 17:05:08 +0100
+
 owncloud (4.0.8debian-1.5) unstable; urgency=low
 
   * Non-maintainer upload.
diff --git a/debian/patches/16_oc-sa-2013-010.patch b/debian/patches/16_oc-sa-2013-010.patch
new file mode 100644
index 0000000..c7af69a
--- /dev/null
+++ b/debian/patches/16_oc-sa-2013-010.patch
@@ -0,0 +1,39 @@
+From edf7162762fc425df1ec2ce7149c18a0af82a3b8 Mon Sep 17 00:00:00 2001
+From: Lukas Reschke <lukas at statuscode.ch>
+Date: Mon, 11 Mar 2013 16:21:26 +0100
+Subject: [PATCH] Check if username is valid and remove slashes from filename
+
+Backport of #2236 to stable45
+---
+ lib/migrate.php |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/migrate.php b/lib/migrate.php
+index 8d3610c..8465eed 100644
+--- a/lib/migrate.php
++++ b/lib/migrate.php
+@@ -234,11 +234,20 @@ class OC_Migrate{
+ 					OC_Log::write( 'migration', 'User doesn\'t exist', OC_Log::ERROR );
+ 					return json_encode( array( 'success' => false ) );
+ 				}
++
++				// Check if the username is valid
++				if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser )) {
++					OC_Log::write( 'migration', 'Username is not valid', OC_Log::ERROR );
++					return json_encode( array( 'success' => false ) );
++				}
++
+ 				// Copy data
+ 				$userfolder = $extractpath . $json->exporteduser;
+ 				$newuserfolder = $datadir . '/' . self::$uid;
+ 				foreach(scandir($userfolder) as $file){
+-					if($file !== '.' && $file !== '..' && is_dir($file)){
++					if($file !== '.' && $file !== '..' && is_dir($file)) {
++						$file = str_replace(array('/', '\\'), '',  $file);
++
+ 						// Then copy the folder over
+ 						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
+ 					}
+-- 
+1.7.10.4
+
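Review bot: The `$file = str_replace(array('/', '\\'), '',  $file);` added inside the loop body sanitises a value that `scandir($userfolder)` already returns without directory separators, so it cannot change which folder is copied; the call that actually needs attention is the unchanged `is_dir($file)`, which tests the bare name against the process working directory rather than inside `$userfolder`. I would make the guard `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)) {` and either drop the str_replace or keep it with a comment saying why it is expected to be a no-op. The new username allowlist `/[^a-zA-Z0-9 _\.@\-]/` accepts a name consisting only of dots; the preceding "User doesn't exist" branch presumably rejects such names, but the regex alone does not, so a comment like `// relies on the user-existence check above to reject '.' and '..'` would make that dependency explicit. The enclosing OC_Migrate method starts and ends outside the hunk.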
diff --git a/debian/patches/17_oc-sa-2013-009.patch b/debian/patches/17_oc-sa-2013-009.patch
new file mode 100644
index 0000000..95c3053
--- /dev/null
+++ b/debian/patches/17_oc-sa-2013-009.patch
@@ -0,0 +1,84 @@
+From fae5bd363b4cc3bd00d1a983ca5aff4a0eb86408 Mon Sep 17 00:00:00 2001
+From: Thomas Tanghus <thomas at tanghus.net>
+Date: Sat, 9 Mar 2013 19:26:31 +0100
+Subject: [PATCH] Contacts: Backport filename sanitation and blacklist
+ checking to stable4.
+
+---
+ apps/contacts/ajax/uploadimport.php |    8 ++++++++
+ apps/contacts/import.php            |   15 ++++++++++-----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
+index 4c3f5ea..56a966b 100644
+--- a/apps/contacts/ajax/uploadimport.php
++++ b/apps/contacts/ajax/uploadimport.php
+@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
+ 
+ // If it is a Drag'n'Drop transfer it's handled here.
+ $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
++$fn = strtr($fn, array('/' => '', "\\" => ''));
+ if($fn) {
++	if(OC_Filesystem::isFileBlacklisted($fn)) {
++		bailOut($l10n->t('Upload of blacklisted file:') . $fn);
++	}
+ 	if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
+ 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ 		exit();
+@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
+ 
+ $tmpfname = tempnam(get_temp_dir(), "occOrig");
+ if(file_exists($file['tmp_name'])) {
++	$filename = strtr($file['name'], array('/' => '', "\\" => ''));
++	if(OC_Filesystem::isFileBlacklisted($filename)) {
++		bailOut($l10n->t('Upload of blacklisted file:') . $filename);
++	}
+ 	if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
+ 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
+ 	} else {
+diff --git a/apps/contacts/import.php b/apps/contacts/import.php
+index 85d4ceb..ffdc438 100644
+--- a/apps/contacts/import.php
++++ b/apps/contacts/import.php
+@@ -25,11 +25,16 @@ function writeProgress($pct) {
+ }
+ writeProgress('10');
+ $view = $file = null;
++$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
++if(OC_Filesystem::isFileBlacklisted($inputfile)) {
++	OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
++	exit();
++}
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+ 	$view = OCP\Files::getStorage('contacts');
+-	$file = $view->file_get_contents('/' . $_POST['file']);
++	$file = $view->file_get_contents('/' . $inputfile);
+ } else {
+-	$file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
++	$file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
+ }
+ if(!$file) {
+ 	OCP\JSON::error(array('message' => 'Import file was empty.'));
+@@ -115,7 +120,7 @@ if(count($parts) == 1){
+ $imported = 0;
+ $failed = 0;
+ if(!count($importready) > 0) {
+-	OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
++	OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
+ 	exit();
+ }
+ foreach($importready as $import){
+@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
+ 	unlink($progressfile);
+ }
+ if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
+-	if(!$view->unlink('/' . $_POST['file'])) {
+-		OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
++	if(!$view->unlink('/' . $inputfile)) {
++		OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
+ 	}
+ }
+ OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));
+-- 
+1.7.10.4
+
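Review bot: In import.php the new `$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));` reads `$_POST['file']` with no `isset` guard, so a request without that field emits a notice and continues with an empty name; `$inputfile = strtr(isset($_POST['file']) ? $_POST['file'] : '', array('/' => '', "\\" => ''));` keeps the existing `if(!$file)` branch as the error path. The sanitised name is then joined with `$_POST['path']` on the `OC_Filesystem::file_get_contents` line, and that component receives neither the slash stripping nor the blacklist check; if `OC_Filesystem` confines paths to the user's storage root that is acceptable, but it is not visible here and deserves a comment at the point of use. In uploadimport.php the `strtr($fn, ...)` runs before `if($fn)`, so when the header is absent `$fn` changes from `false` to `''`; the truthiness test still short-circuits, but moving the strtr inside the `if($fn)` block keeps the variable's type stable. Both files are flat scripts whose remaining code lies outside the hunks.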
diff --git a/debian/patches/series b/debian/patches/series
index 478f829..703aa9c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,5 @@ fix_config.php_mode.diff
 13_oc-sa-2013-003.patch
 14_oc-sa-2013-004.patch
 15_oc-sa-2013-006.patch
+16_oc-sa-2013-010.patch
+17_oc-sa-2013-009.patch

-- 
owncloud.git


