[Pkg-owncloud-maintainers] Bug#693990: Bug #693990: owncloud: multiple security issues

Michael Banck mbanck at debian.org
Sun Nov 25 12:02:20 UTC 2012


tags 693990 +patch
thanks

On Thu, Nov 22, 2012 at 05:50:20PM +0100, Ansgar Burchardt wrote:
> The new upstream release 4.0.9 / 4.5.2 fixes multiple security issues.
> From the changelog[1]:
> 
>   [1] <http://owncloud.org/changelog/>

Attached is an NMU candidate debdiff, extracting the applicable changes
from 4.0.9.


Michael
-------------- next part --------------
diff -Nru owncloud-4.0.8debian/debian/changelog owncloud-4.0.8debian/debian/changelog
--- owncloud-4.0.8debian/debian/changelog	2012-10-11 14:45:06.000000000 +0200
+++ owncloud-4.0.8debian/debian/changelog	2012-11-25 12:57:05.000000000 +0100
@@ -1,3 +1,14 @@
+owncloud (4.0.8debian-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+    filesystem.php.
+
+ -- Michael Banck <mbanck at debian.org>  Sun, 25 Nov 2012 12:26:01 +0100
+
 owncloud (4.0.8debian-1) unstable; urgency=low
 
   * New upstream bugfix release
diff -Nru owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/06_oc-sa-2012-001.patch	2012-11-25 12:57:46.000000000 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js
+===================================================================
+--- owncloud-4.0.8debian.orig/3rdparty/fullcalendar/js/fullcalendar.js	2012-11-25 12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js	2012-11-25 12:56:22.161766368 +0100
+@@ -4662,7 +4662,7 @@
+ 					"</span>";
+ 			}
+ 			html +=
+-				"<span class='fc-event-title'>" + event.title + "</span>" +
++				"<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" +
+ 				"</div>";
+ 			if (seg.isEnd && isEventResizable(event)) {
+ 				html +=
+@@ -5220,5 +5220,5 @@
+ 	};
+ 	
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.8debian/apps/files/js/filelist.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files/js/filelist.js	2012-11-25 12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/apps/files/js/filelist.js	2012-11-25 12:56:22.161766368 +0100
+@@ -14,9 +14,9 @@
+ 			var extension=false;
+ 		}
+ 		html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
+-		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename
++		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
+ 		if(extension){
+-			html+='<span class="extension">'+extension+'</span>';
++			html+='<span class="extension">'+escapeHTML(extension)+'</span>';
+ 		}
+ 		html+='</span></a></td>';
+ 		if(size!='Pending'){
+Index: owncloud-4.0.8debian/apps/files_versions/js/versions.js
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/files_versions/js/versions.js	2012-11-25 12:56:19.273752054 +0100
++++ owncloud-4.0.8debian/apps/files_versions/js/versions.js	2012-11-25 12:56:22.161766368 +0100
+@@ -36,7 +36,7 @@
+ 	
+ 	var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
+ 	
+-	var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
++	var html = '<div id="dropdown" class="drop" data-file="'+escapeHTML(files)+'">';
+ 	html += '<div id="private">';
+ 	html += '<select data-placeholder="Saved versions" id="found_versions" class="chzen-select" style="width:16em;">';
+ 	html += '<option value=""></option>';
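Review bot: In the filelist.js hunk the new `escapeHTML(name)` is placed inside the `href` of a `download.php?file=` URL, so it stops the attribute from being broken out of but does not URL-encode the file name; a name containing `?`, `#`, `&` or `%` still changes the meaning of the download link. The same line's `$('#dir').val().replace(/</, ...)` rewrites only the first occurrence because the pattern has no `g` flag, and the directory value is likewise not URL-encoded. The versions.js hunk already builds its URL with `encodeURIComponent`, so the href should follow it: `'download.php?file='+encodeURIComponent($('#dir').val()).replace(/%2F/g, '/')+'/'+encodeURIComponent(name)`, keeping `escapeHTML` for the visible `nametext` and `extension` spans. The fullcalendar.js change relies on an `htmlEscape` helper that this debdiff does not show; it should be confirmed to exist in the bundled 3rdparty copy. All three hunks cut through their enclosing functions.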
diff -Nru owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/07_oc-sa-2012-002.patch	2012-11-25 12:57:50.000000000 +0100
@@ -0,0 +1,34 @@
+commit 99cd922b82ca7684967ec3533fcdd5af32c0edc7
+Author: Lukas Reschke <lukas at statuscode.ch>
+Date:   Sun Oct 14 12:12:55 2012 +0200
+
+    Doublehash the token to prevent timing attacks
+
+Index: owncloud-4.0.8debian/core/lostpassword/index.php
+===================================================================
+--- owncloud-4.0.8debian.orig/core/lostpassword/index.php	2012-11-25 12:57:44.838176326 +0100
++++ owncloud-4.0.8debian/core/lostpassword/index.php	2012-11-25 12:57:49.474199345 +0100
+@@ -13,8 +13,8 @@
+ // Someone lost their password:
+ if (isset($_POST['user'])) {
+ 	if (OC_User::userExists($_POST['user'])) {
+-		$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
+-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
++		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
++		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
+ 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
+ 		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
+ 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
+Index: owncloud-4.0.8debian/core/lostpassword/resetpassword.php
+===================================================================
+--- owncloud-4.0.8debian.orig/core/lostpassword/resetpassword.php	2012-11-25 12:57:44.838176326 +0100
++++ owncloud-4.0.8debian/core/lostpassword/resetpassword.php	2012-11-25 12:57:49.474199345 +0100
+@@ -10,7 +10,7 @@
+ require_once('../../lib/base.php');
+ 
+ // Someone wants to reset their password:
+-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
++if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
+ 	if (isset($_POST['password'])) {
+ 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
+ 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
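Review bot: The stored reset hash written by the new `setValue(..., hash("sha256", $token))` line in the index.php hunk never expires: once a request is made the link stays valid until a reset succeeds, because the resetpassword.php hunk only compares the hash and deletes the key after `setPassword`. Storing the request time alongside the hash (or inside the preference value) and rejecting tokens older than a bounded window in resetpassword.php would close that gap. The double hash does what the commit message says, since only the preimage `$token` leaves the system in the mailed link and the stored value alone cannot be replayed. The `$_POST['sectoken']==$_SESSION['sectoken']` context line still uses a loose comparison, which is worth tightening to `===` in a follow-up. Both hunks cut through their enclosing `if` blocks.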
diff -Nru owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch
--- owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/08_oc-sa-2012-004.patch	2012-11-25 12:57:53.000000000 +0100
@@ -0,0 +1,91 @@
+Index: owncloud-4.0.8debian/lib/migrate.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/migrate.php	2012-11-25 12:57:40.610155372 +0100
++++ owncloud-4.0.8debian/lib/migrate.php	2012-11-25 12:57:52.078212228 +0100
+@@ -199,8 +199,8 @@
+ 		// Get export_info.json
+ 		$scan = scandir( $extractpath );
+ 		// Check for export_info.json
+-		if( !in_array( 'export_info.json', $scan ) ){
+-			OC_Log::write( 'migration', 'Invalid import file, export_info.json note found', OC_Log::ERROR );
++		if( !in_array( 'export_info.json', $scan ) ) {
++			OC_Log::write( 'migration', 'Invalid import file, export_info.json not found', OC_Log::ERROR );
+ 			return json_encode( array( 'success' => false ) );
+ 		}
+ 		$json = json_decode( file_get_contents( $extractpath . 'export_info.json' ) );
+@@ -235,12 +235,19 @@
+ 					return json_encode( array( 'success' => false ) );
+ 				}
+ 				// Copy data
+-				if( !self::copy_r( $extractpath . $json->exporteduser, $datadir . '/' . self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				$userfolder = $extractpath . $json->exporteduser;
++				$newuserfolder = $datadir . '/' . self::$uid;
++				foreach(scandir($userfolder) as $file){
++					if($file !== '.' && $file !== '..' && is_dir($file)){
++						// Then copy the folder over
++						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
++					}
+ 				}
+ 				// Import user app data
+-				if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				if(file_exists($extractpath . $json->exporteduser . '/migration.db')){
++					if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ) {
++						return json_encode( array( 'success' => false ) );
++					}
+ 				}
+ 				// All done!
+ 				if( !self::unlink_r( $extractpath ) ){
+@@ -305,37 +312,6 @@
+ 	}
+ 
+ 	/**
+-	* @brief copies recursively
+-	* @param $path string path to source folder
+-	* @param $dest string path to destination
+-	* @return bool
+-	*/
+-	private static function copy_r( $path, $dest ){
+-		if( is_dir($path) ){
+-			@mkdir( $dest );
+-			$objects = scandir( $path );
+-			if( sizeof( $objects ) > 0 ){
+-				foreach( $objects as $file ){
+-					if( $file == "." || $file == ".." || $file == ".htaccess")
+-					continue;
+-					// go on
+-					if( is_dir( $path . '/' . $file ) ){
+-						self::copy_r( $path  .'/' . $file, $dest . '/' . $file );
+-					} else {
+-						copy( $path . '/' . $file, $dest . '/' . $file );
+-					}
+-				}
+-			}
+-			return true;
+-		}
+-		elseif( is_file( $path ) ){
+-			return copy( $path, $dest );
+-		} else {
+-			return false;
+-		}
+-	}
+-
+-	/**
+ 	* @brief tries to extract the import zip
+ 	* @param $path string path to the zip
+ 	* @return string path to extract location (with a trailing slash) or false on failure
+Index: owncloud-4.0.8debian/lib/helper.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/helper.php	2012-11-25 12:57:40.610155372 +0100
++++ owncloud-4.0.8debian/lib/helper.php	2012-11-25 12:57:52.078212228 +0100
+@@ -309,7 +309,8 @@
+ 					self::copyr("$src/$file", "$dest/$file");
+ 				}
+ 			}
+-		}elseif(file_exists($src)){
++
++		}elseif(file_exists($src) && !OC_Filesystem::isFileBlacklisted($src)) {
+ 			copy($src, $dest);
+ 		}
+ 	}
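Review bot: `is_dir($file)` in the new copy loop of the migrate.php hunk tests the bare entry name against the process's working directory rather than the extracted export, so sub-folders of the user export are copied only when a same-named directory happens to exist in the cwd and are otherwise skipped silently; the check should read `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)){`. The loop also drops the `.htaccess` skip the removed `copy_r` had; that is now provided only by the `isFileBlacklisted` check added to `OC_Helper::copyr` in the helper.php hunk, so patch 08 and patch 09 must be applied together. `$json->exporteduser` is read from the uploaded archive's export_info.json and concatenated into both source and destination paths; unless it is validated in the lines between the first two hunks, it should be checked to be a plain name with no path separators or `..` before use. The enclosing import method starts and ends outside the hunk.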
diff -Nru owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch
--- owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.8debian/debian/patches/09_oc-sa-2012-005.patch	2012-11-25 12:57:54.000000000 +0100
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.8debian/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.8debian.orig/lib/filesystem.php	2012-11-25 12:57:34.022122706 +0100
++++ owncloud-4.0.8debian/lib/filesystem.php	2012-11-25 12:57:53.858221067 +0100
+@@ -361,12 +361,16 @@
+ 	 * @return bool
+ 	 */
+ 	static public function isValidPath($path){
++		$path = str_replace('\\', '/', $path);
+ 		if(!$path || $path[0]!=='/'){
+ 			$path='/'.$path;
+ 		}
+ 		if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+ 			return false;
+ 		}
++		if(self::isFileBlacklisted($path)){
++			return false;
++		}
+ 		return true;
+ 	}
+ 	
+@@ -375,21 +379,23 @@
+ 	 * Listens to write and rename hooks
+ 	 * @param array $data from hook
+ 	 */
+-	static public function isBlacklisted($data){
+-		$blacklist = array('.htaccess');
++	static public function isBlacklisted($data) {
+ 		if (isset($data['path'])) {
+ 			$path = $data['path'];
+ 		} else if (isset($data['newpath'])) {
+ 			$path = $data['newpath'];
+ 		}
+ 		if (isset($path)) {
+-			$filename = strtolower(basename($path));
+-			if (in_array($filename, $blacklist)) {
+-				$data['run'] = false;
+-			}
++			$data['run'] = !self::isFileBlacklisted($path);
+ 		}
+ 	}
+-	
++
++	static public function isFileBlacklisted($path){
++		$blacklist = array('.htaccess');
++		$filename = strtolower(basename($path));
++		return in_array($filename, $blacklist);
++	}
++
+ 	/**
+ 	 * following functions are equivalent to their php builtin equivalents for arguments/return values.
+ 	 */
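Review bot: The new `isFileBlacklisted` in the filesystem.php hunk has no docblock while its neighbours `isValidPath` and `isBlacklisted` document their parameter and return; add `/** @brief checks whether the basename of $path is a blacklisted file name (case-insensitive)  @param string $path  @return bool */` above it. The `in_array($filename, $blacklist)` lookup should pass `true` as the third argument so the match is a strict string comparison: `return in_array($filename, $blacklist, true);`. The rewritten `isBlacklisted` assigns `$data['run']` on a by-value parameter; whether that reaches the hook caller depends on how `OC_Hook::emit` passes `$data`, which this diff does not show and should be confirmed.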
diff -Nru owncloud-4.0.8debian/debian/patches/series owncloud-4.0.8debian/debian/patches/series
--- owncloud-4.0.8debian/debian/patches/series	2012-10-11 14:17:07.000000000 +0200
+++ owncloud-4.0.8debian/debian/patches/series	2012-11-25 12:39:57.000000000 +0100
@@ -5,4 +5,7 @@
 fix_tar_require.diff
 fix_sabre_requires.diff
 fix_config.php_mode.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch

