Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 797253 (CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657) - <www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2021-{32653,32654,32655,32656,32657})
Summary: <www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2...
Status: CONFIRMED
Alias: CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734
Blocks:
  Show dependency tree
 
Reported: 2021-06-21 02:47 UTC by John Helmert III
Modified: 2021-07-20 22:26 UTC (History)
3 users (show)

See Also:
Package list:
www-apps/nextcloud-20.0.10
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-06-21 02:47:32 UTC
CVE-2021-32656 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j875-vr2q-h6x6):

Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.

CVE-2021-32657 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fx62-q47f-f665):

Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command line tool to administrate the Nextcloud users.


Please stabilize 20.0.10.
Comment 1 John Helmert III gentoo-dev Security 2021-06-21 02:48:58 UTC
CVE-2021-32654:

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

CVE-2021-32655:

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.
Comment 2 John Helmert III gentoo-dev Security 2021-06-21 02:53:35 UTC
CVE-2021-32653:

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Comment 3 Larry the Git Cow gentoo-dev 2021-06-21 22:18:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4097965ae6371905873ae3979ed61bf265e560ab

commit 4097965ae6371905873ae3979ed61bf265e560ab
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:18:18 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:18:38 +0000

    www-apps/nextcloud: drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/797253
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  3 --
 www-apps/nextcloud/nextcloud-19.0.10.ebuild | 43 -----------------------------
 www-apps/nextcloud/nextcloud-20.0.9.ebuild  | 43 -----------------------------
 www-apps/nextcloud/nextcloud-21.0.1.ebuild  | 43 -----------------------------
 4 files changed, 132 deletions(-)
Comment 4 Bernard Cafarelli gentoo-dev 2021-06-21 22:20:19 UTC
I cleaned 19.x and 21.x, for 20 we will need to stabilize newer 20.0.10 (I preferred to wait for normal stabilization to switch stable to new major version 21)
Comment 5 Agostino Sarubbo gentoo-dev 2021-06-22 06:47:22 UTC
ALLARCHES stable. Closing.
Comment 6 Larry the Git Cow gentoo-dev 2021-06-22 06:57:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f

commit b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-22 06:57:25 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-22 06:57:25 +0000

    www-apps/nextcloud: drop vulnerable 20.x version
    
    Bug: https://bugs.gentoo.org/797253
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-20.0.8.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Comment 7 John Helmert III gentoo-dev Security 2021-06-22 14:10:21 UTC
(In reply to Agostino Sarubbo from comment #5)
> ALLARCHES stable. Closing.

We've hit this bug before, right?
Comment 8 NATTkA bot gentoo-dev 2021-07-20 19:56:23 UTC
Unable to check for sanity:

> no match for package: www-apps/nextcloud-20.0.10
Comment 9 Bernard Cafarelli gentoo-dev 2021-07-20 19:59:49 UTC
20.0.10 was dropped for bug 802096 (newer vulnerability)