Bug 464192 (CVE-2013-1890)

Summary:	<www-apps/owncloud-5.0.3-r1: multiple security issues (CVE-2013-{1890,1893})
Product:	Gentoo Security	Reporter:	Dennis Schridde <dschridde+gentoobugs>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	alexxy, kroemmelbein, voyageur, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://owncloud.org/changelog/
Whiteboard:	~3 [noglsa]
Package list:		Runtime testing required:	---

Description Dennis Schridde 2013-04-02 13:03:43 UTC

Version 5.0.2 was released and contains a fix for a very annoying file-conflict bug: https://github.com/owncloud/mirall/issues/446#issuecomment-15773371

Because of this bug, I set the severity to normal instead of the usual enhancement.

Reproducible: Always

Comment 1 Dennis Schridde 2013-04-02 13:40:57 UTC

This release fixes a critical bug, so I put the severity back to "normal" as stated in the original report.

Comment 2 Bernard Cafarelli gentoo-dev

2013-04-03 07:58:45 UTC

Thanks for the report! I follow upstream releases list and I am waiting for 5.0.3 (due today or tomorrow)  which fixes upgrades from 5.0.0 before adding to tree.

Re-assigning to security though, as changelog for 5.0.1 mentions 2 security issues (no details available yet, but they should only affect the 5.x branch)

Comment 3 Frank Krömmelbein 2013-04-03 12:16:52 UTC

The new version is now available:

Version 5.0.3 April 3th 2013

    Correctly handle .part files
    Improve PostgreSQL support
    Fix database upgrading from old versions
    Improved app styles

Comment 4 Bernard Cafarelli gentoo-dev

2013-04-03 13:16:34 UTC

And it is in portage CVS, please wait for the next sync and you should have it

@security, vulnerabilities are not yet public:
http://owncloud.org/about/security/advisories/oC-SA-2013-011/
http://owncloud.org/about/security/advisories/oC-SA-2013-012/
previous 5.x versions removed from tree

Comment 5 Thomas Beutin 2013-04-04 03:13:40 UTC

An update from 5.0.0 -> 5.0.3 using postgres fails:

Updating ownCloud to version 5.0.3, this may take a while.

Turned on maintenance mode
Updated database
SQLSTATE[42703]: Undefined column: 7 ERROR: column "{DAV:}getetag" does not exist LINE 1: ...id" = $1 AND propertypath = $2 AND propertyname = "{DAV:}get... ^

see here: https://github.com/owncloud/core/issues/2709

(sorry if this should be a new bug)

Comment 6 Bernard Cafarelli gentoo-dev

2013-04-04 09:41:54 UTC

A working 5.0.3 for the bump would be nicer :)

From the bugreport, this patch should fix the problem, can you test?
https://github.com/owncloud/core/commit/e75406e7120271ebfecf2260b95040509dfcf168.diff

I'll make a 5.0.3-r1 with it if it works for you (I only have mysql setups around)

Comment 7 Bernard Cafarelli gentoo-dev

2013-04-04 16:01:30 UTC

Patch added after positive feedback from upstream bug (https://github.com/owncloud/core/issues/2666) in 5.0.3-r1

Vulnerabilities now have CVE ids: CVE-2013-1890 and CVE-2013-1893

Comment 8 Thomas Beutin 2013-04-04 17:38:18 UTC

The change - applied to the live webtree - works for me.

Comment 9 Sean Amoss (RETIRED) gentoo-dev

2013-04-06 21:02:10 UTC

Thanks, everyone.
Closing noglsa for ~arch only issue.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2014-06-08 00:32:15 UTC

CVE-2013-1893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1893):
  SQL injection vulnerability in addressbookprovider.php in ownCloud Server
  before 5.0.1 allows remote authenticated users to execute arbitrary SQL
  commands via unspecified vectors, related to the contacts application.

CVE-2013-1890 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1890):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server
  before 5.0.1 allow remote attackers to inject arbitrary web script or HTML
  via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2)
  multiple unspecified parameters to unknown files in apps/contacts/ajax/.