Bug 23497 - nextcloud new security issue CVE-2018-3780
Summary: nextcloud new security issue CVE-2018-3780
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-28 22:50 CEST by David Walser
Modified: 2018-10-14 02:59 CEST (History)
5 users (show)

See Also:
Source RPM: nextcloud-13.0.4-1.mga6.noarch.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-08-28 22:50:32 CEST
openSUSE has issued an advisory on August 26:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00154.html

The issue is fixed upstream in 13.0.5.
Comment 1 José Jorge 2018-09-07 20:57:46 CEST
As version 13.0.6 is out, I have pushed it directly.
Comment 2 José Jorge 2018-09-07 21:01:11 CEST
Advisory:
Nextcloud has issued a security fix for CVE-2018-3780 and several other bugfixes with version 13.0.5 and 13.0.6.


SRPM :

nextcloud-13.0.6-1.mga6.srpm

RPMS :

nextcloud-13.0.6-1.mga6.noarch.rpm
nextcloud-mysql-13.0.6-1.mga6.noarch.rpm
nextcloud-postgresql-13.0.6-1.mga6.noarch.rpm
nextcloud-sqlite-13.0.6-1.mga6.noarch.rpm

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 3 David Walser 2018-09-07 21:48:29 CEST
The advisory should say what the CVE actually is, i.e.:

A missing sanitization of search results for an autocomplete field could lead
to a stored XSS requiring user-interaction. The missing sanitization only
affected user names, hence malicious search results could only be crafted by
authenticated users (CVE-2018-3780).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3780
https://nextcloud.com/security/advisory/?id=NC-SA-2018-008
https://nextcloud.com/changelog/#latest13
https://lists.opensuse.org/opensuse-updates/2018-08/msg00154.html
Comment 4 Brian Rockwell 2018-09-15 23:22:55 CEST
$ uname -a
Linux localhost.localdomain 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The following 48 packages are going to be installed:

- apache-2.4.27-1.1.mga6.x86_64
- apache-mod_php-5.6.38-1.mga6.x86_64
- lib64apr-util1_0-1.5.4-8.mga6.x86_64
- lib64apr1_0-1.5.2-2.1.mga6.x86_64
- lib64json2-0.12.1-1.mga6.x86_64
- lib64mbfl1-1.3.2-1.mga6.x86_64
- lib64onig2-5.9.6-2.mga6.x86_64
- lib64php5_common5-5.6.38-1.mga6.x86_64
- lib64t1lib5-5.1.2-19.mga6.x86_64
- lib64zip4-1.1.3-1.1.mga6.x86_64
- nextcloud-13.0.6-1.mga6.noarch
- nextcloud-mysql-13.0.6-1.mga6.noarch
- nextcloud-sqlite-13.0.6-1.mga6.noarch
- php-ctype-5.6.38-1.mga6.x86_64
- php-curl-5.6.38-1.mga6.x86_64
- php-dom-5.6.38-1.mga6.x86_64
- php-exif-5.6.38-1.mga6.x86_64
- php-fileinfo-5.6.38-1.mga6.x86_64
- php-filter-5.6.38-1.mga6.x86_64
- php-ftp-5.6.38-1.mga6.x86_64
- php-gd-5.6.38-1.mga6.x86_64
- php-gettext-5.6.38-1.mga6.x86_64
- php-hash-5.6.38-1.mga6.x86_64
- php-iconv-5.6.38-1.mga6.x86_64
- php-ini-5.6.38-1.mga6.x86_64
- php-json-5.6.38-1.mga6.x86_64
- php-ldap-5.6.38-1.mga6.x86_64
- php-mbstring-5.6.38-1.mga6.x86_64
- php-mysqlnd-5.6.38-1.mga6.x86_64
- php-openssl-5.6.38-1.mga6.x86_64
- php-pcntl-5.6.38-1.mga6.x86_64
- php-pdo-5.6.38-1.mga6.x86_64
- php-pdo_mysql-5.6.38-1.mga6.x86_64
- php-pdo_sqlite-5.6.38-1.mga6.x86_64
- php-posix-5.6.38-1.mga6.x86_64
- php-session-5.6.38-1.mga6.x86_64
- php-suhosin-0.9.38-1.mga6.x86_64
- php-sysvsem-5.6.38-1.mga6.x86_64
- php-sysvshm-5.6.38-1.mga6.x86_64
- php-timezonedb-2017.2-1.mga6.x86_64
- php-tokenizer-5.6.38-1.mga6.x86_64
- php-xml-5.6.38-1.mga6.x86_64
- php-xmlreader-5.6.38-1.mga6.x86_64
- php-xmlwriter-5.6.38-1.mga6.x86_64
- php-zip-5.6.38-1.mga6.x86_64
- php-zlib-5.6.38-1.mga6.x86_64
- t1lib-config-5.1.2-19.mga6.x86_64
- webserver-base-2.0-10.mga6.noarch

169MB of additional disk space will be used.

41MB of packages will be retrieved.

--------

running sqlite

Installed properly, I was able to set up nextcloud with two users.  Uploaded files and interfaced the with nextcloud app.  All working as designed.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => brtians1

Comment 5 Thomas Andrews 2018-10-01 21:58:02 CEST
Since no one else has stepped forward on this one, I'm inclined to say that Brian's test is sufficient. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-14 01:46:11 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2018-10-14 02:59:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0394.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.