Bug 16491 - owncloud new security issues fixed upstream in 8.0.5
Summary: owncloud new security issues fixed upstream in 8.0.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/654545/
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-29 13:25 CEST by David Walser
Modified: 2015-08-14 18:33 CEST (History)

See Also:
Source RPM: owncloud-8.0.3-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-07-29 13:25:18 CEST
ownCloud 8.0.5 has been released on July 6:
https://owncloud.org/changelog/

It fixed security issues, as did 8.0.4 and 6.0.8, as can be seen here:
https://owncloud.org/security/advisories/

It would be nice to address the long-standing packaging issues too (see Bug 16179)

David Walser 2015-07-29 13:25:34 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-30 15:51:14 CEST
owncloud-8.0.5-1.mga6 uploaded for Cauldron.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 Nicolas Lécureuil 2015-08-02 15:20:03 CEST
available on mga5 updates_testing
Comment 3 David Walser 2015-08-03 23:59:19 CEST
(In reply to Nicolas Lécureuil from comment #2)
> available on mga5 updates_testing

It shouldn't have had a subrel added. Also, it doesn't include the fixes that blino committed in Cauldron.
Comment 4 Nicolas Lécureuil 2015-08-04 00:22:47 CEST
Just added blino's changes.
Comment 5 David Walser 2015-08-04 00:42:29 CEST
Thanks Nicolas and Olivier!

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect ownCloud
against the Dropbox server might allow the owner of "Dropbox.com" to gain
access to any files on the ownCloud server if an external Dropbox storage was
mounted (CVE-2015-4715).

In ownCloud before 6.0.8 and 8.0.4, the sanitization component for filenames
was vulnerable to DoS when parsing specially crafted file names passed via
specific endpoints. Effectively this led to an endless loop filling the log
file until the system was no longer responsive (CVE-2015-4717).

In ownCloud before 6.0.8 and 8.0.4, the external SMB storage of ownCloud was
not properly neutralizing all special elements, which allows an adversary to
execute arbitrary SMB commands. This was caused by improperly sanitizing the
";" character, which is interpreted as a command separator by smbclient (the
software used by ownCloud to connect to SMB shares). Effectively this allows
an attacker to gain access to any file on the system or overwrite it, finally
leading to PHP code execution in the case of ownCloud's config file
(CVE-2015-4718).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4718
https://owncloud.org/security/advisory/?id=oc-sa-2015-005
https://owncloud.org/security/advisory/?id=oc-sa-2015-007
https://owncloud.org/security/advisory/?id=oc-sa-2015-008
http://owncloud.org/changelog/
========================

Updated packages in core/updates_testing:
========================
owncloud-6.0.9-1.mga4
owncloud-8.0.5-1.2.mga5

from SRPMS:
owncloud-6.0.9-1.mga4.src.rpm
owncloud-8.0.5-1.2.mga5.src.rpm

CC: (none) => mageia
Assignee: mageia => qa-bugs
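
The two input-handling defects named in the advisory above (a ";" that smbclient treats as a command separator, CVE-2015-4718, and a filename sanitizer that never terminates, CVE-2015-4717) share one defensive shape: validate against a strict allowlist before the value reaches the external tool, and bound any "loop until clean" so it fails closed instead of spinning. The following is an added example written for this bug page, in Python rather than ownCloud's PHP; it is not ownCloud's code or Mageia's. The allowlist, the `_normalize_once` rules, the `_MAX_ROUNDS` bound and all function names are this example's own assumptions.

```python
import re

# Allowlist for values that end up on the smbclient command line: letters,
# digits, dot, underscore, slash and dash.  ';' (smbclient's -c separator),
# quotes, whitespace and other metacharacters are deliberately absent.
# (Hypothetical policy for this example; ownCloud's real rules differ.)
_SMB_SAFE = re.compile(r"^[A-Za-z0-9._/-]{1,255}$")

# Upper bound on normalisation passes (assumed value); a name that has not
# reached a fixed point by then is rejected instead of being retried forever.
_MAX_ROUNDS = 16


class UnsafeInput(ValueError):
    """Raised when a user-supplied value fails validation."""


def smb_value_is_safe(value: str) -> bool:
    """True if value matches the allowlist and cannot be mistaken for an option."""
    return bool(_SMB_SAFE.match(value)) and not value.startswith("-")


def build_smbclient_argv(host: str, share: str, remote_dir: str, user: str) -> list:
    """Return an argv list for smbclient, or raise UnsafeInput.

    Two things matter here.  First, every user-controlled value is checked
    against the allowlist *before* it is placed anywhere.  Second, the result
    is an argv list for subprocess.run(argv) with shell=False, so /bin/sh never
    parses it.  The '-c' string is parsed by smbclient itself, where ';'
    separates commands (this example relies on that to chain 'cd' and 'ls'),
    so shell quoting alone would not protect it; keeping ';' out of the
    allowlist is what prevents an injected command.
    """
    for name, value in (("host", host), ("share", share),
                        ("remote_dir", remote_dir), ("user", user)):
        if not smb_value_is_safe(value):
            raise UnsafeInput(f"{name} contains disallowed characters: {value!r}")
    return ["smbclient", f"//{host}/{share}", "-U", user,
            "-c", f"cd {remote_dir}; ls"]


def _normalize_once(name: str) -> str:
    """One normalisation pass: unify separators, drop empty and dot-only parts.

    This is a stand-in for whatever rules a real sanitizer applies; the point
    of the example is the bounded loop around it, not these rules.
    """
    name = name.replace("\\", "/")
    parts = [p.strip(" .") for p in name.split("/")]
    return "/".join(p for p in parts if p)


def sanitize_filename(name: str) -> str:
    """Normalise a client-supplied path while guaranteeing termination.

    A pass can expose new work (stripping dots may empty a component, which
    is then dropped), so the loop repeats until the value stops changing.
    Unlike an unbounded 'loop until clean', it gives up after _MAX_ROUNDS and
    raises once, rather than spinning and flooding the log.
    """
    if any(ord(c) < 32 for c in name):
        raise UnsafeInput("control character in filename")
    for _ in range(_MAX_ROUNDS):
        cleaned = _normalize_once(name)
        if cleaned == name:
            break
        name = cleaned
    else:
        raise UnsafeInput("filename did not reach a stable form")
    if not name:
        raise UnsafeInput("filename is empty after normalisation")
    return name


if __name__ == "__main__":
    # Constructed sample inputs: one accepted share path, one rejected.
    print(build_smbclient_argv("fileserver", "docs", "reports/2015", "alice"))
    for bad in ("reports; ls", "-N"):
        print(bad, "safe:", smb_value_is_safe(bad))
    print(sanitize_filename("docs/.. /report .txt"))
```

The detection side of the same defects is cheap once validation is in place: log each `UnsafeInput` once with the endpoint and the offending value, and alert on a burst of them from one client, which is the signal a flood of crafted names would produce against a fixed sanitizer.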

Comment 6 Herman Viaene 2015-08-04 14:14:36 CEST
MGA4-32 on Acer D620 Xfce.
No installation issues.
After installation make sure httpd is running. 
Point browser to http://localhost/owncloud.
I was able to define an administrator id and password, and then look at the contents of the server.
Pointing Firefox on another PC, which was not prepared for this test, to http://<PCundertest>/owncloud results in an Owncloud page, stating that the server was being accessed from an untrusted domain, not defined in config/config.php. This indicates that the server was accessed successfully from the LAN.

CC: (none) => herman.viaene
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

Comment 7 William Kenney 2015-08-04 17:54:23 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Create admin account Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can create an event in the calendar.
I can add music and pictures.
I can create a document
I can log out and log back in.

192.168.1.140/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.9-1.mga4.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.

Create new Group, Contact, Organization
Username: testown  ( is still valid )
Password: testcloud  ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can create a new event in the calendar and edit an old one
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.

192.168.1.140/owncloud server can be seen by another M5 system on the LAN.

CC: (none) => wilcal.int

Comment 8 William Kenney 2015-08-04 18:27:13 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed

http://localhost/owncloud gets me the initialization page.
Create admin account Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can create an event in the calendar.
I can add music and pictures.
I can create, and edit, a document
I can log out and log back in.

192.168.1.142/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.9-1.mga4.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.

Create new Group, Contact, Organization
Username: testown  ( is still valid )
Password: testcloud  ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can create a new event in the calendar and edit an old one
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.

192.168.1.142/owncloud server can be seen by another M5 system on the LAN.
William Kenney 2015-08-04 18:27:28 CEST

Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK

Comment 9 William Kenney 2015-08-04 18:40:53 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud gets me a blank white page.

I donno what happened????
Comment 10 William Kenney 2015-08-04 20:06:07 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

Ya, same thing here.

http://localhost/owncloud gets me a blank white page.

What happened????
Dave Hodgins 2015-08-04 23:43:06 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK advisory

Comment 11 Olivier Blin 2015-08-11 18:07:31 CEST
Is it the same if you add a trailing slash?
http://localhost/owncloud/

Anything in the log files from /var/log/httpd/ ?
Or in /var/lib/owncloud/owncloud.log ?
Comment 12 William Kenney 2015-08-12 18:48:44 CEST
In VirtualBox, M5, KDE, 32-bit

After all the updates to Firefox and everything else:

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud or http://localhost/owncloud/ works the same

http://localhost/owncloud gets me the initialization page.
Create admin account Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can add music and pictures.
I can create a document
I can log out and log back in.

192.168.1.143/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.5-1.2.mga5.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.

Create new Group, Contact, Organization
Username: testown  ( is still valid )
Password: testcloud  ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can add more music and pictures.
I can create a new document and edit an old one.
I can log out and log back in.

192.168.1.143/owncloud server can be seen by another M5 system on the LAN.
William Kenney 2015-08-12 18:49:03 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory

Comment 13 William Kenney 2015-08-12 19:13:28 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
owncloud

default install of owncloud

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.3-1.mga5.noarch is already installed

http://localhost/owncloud or http://localhost/owncloud/ works the same

http://localhost/owncloud gets me the initialization page.
Create admin account Username, Password, Group, Contact, Organization
Username: testown
Password: testcloud
Group: test
Contact: wilcal
Organization: International
I can add music and pictures.
I can create a document
I can log out and log back in.

192.168.1.141/owncloud server can be seen by another M5 system on the LAN.

install owncloud from updates_testing

[root@localhost wilcal]# urpmi owncloud
Package owncloud-8.0.5-1.2.mga5.noarch is already installed

Start owncloud: http://localhost/owncloud/
owncloud takes a second to update.

Create new Group, Contact, Organization
Username: testown  ( is still valid )
Password: testcloud  ( is still valid )
Group: test1
Contact: wilcal1
Organization: International1
I can add more music and pictures.
I can create a folder "Videos" add videos to it and play them.
I can create a new document and edit an old one.
I can log out and log back in.

192.168.1.141/owncloud server can be seen by another M5 system on the LAN.
William Kenney 2015-08-12 19:13:49 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK advisory => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OKadvisory

Comment 14 William Kenney 2015-08-12 19:14:39 CEST
This update works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2015-08-13 22:57:23 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0314.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-14 18:33:50 CEST

URL: (none) => http://lwn.net/Vulnerabilities/654545/

