797253 – (CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657) <www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2021-{32653,32654,32655,32656,32657})

Bug 797253 (CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657) - <www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2021-{32653,32654,32655,32656,32657})

Summary: <www-apps/nextcloud-{19.0.12,20.0.10,21.0.2}: multiple vulnerabilities (CVE-2...

Status:	RESOLVED FIXED

Alias:	CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734
Blocks:
	Show dependency tree

Reported:	2021-06-21 02:47 UTC by John Helmert III
Modified:	2022-08-10 22:35 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	www-apps/nextcloud-20.0.10
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-06-21 02:47:32 UTC

CVE-2021-32656 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j875-vr2q-h6x6):

Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.

CVE-2021-32657 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fx62-q47f-f665):

Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command line tool to administrate the Nextcloud users.


Please stabilize 20.0.10.

Comment 1 John Helmert III archtester

2021-06-21 02:48:58 UTC

CVE-2021-32654:

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

CVE-2021-32655:

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.

Comment 2 John Helmert III archtester

2021-06-21 02:53:35 UTC

CVE-2021-32653:

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.

Comment 3 Larry the Git Cow gentoo-dev

2021-06-21 22:18:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4097965ae6371905873ae3979ed61bf265e560ab

commit 4097965ae6371905873ae3979ed61bf265e560ab
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:18:18 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:18:38 +0000

    www-apps/nextcloud: drop security vulnerable versions
    
    Bug: https://bugs.gentoo.org/797253
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  3 --
 www-apps/nextcloud/nextcloud-19.0.10.ebuild | 43 -----------------------------
 www-apps/nextcloud/nextcloud-20.0.9.ebuild  | 43 -----------------------------
 www-apps/nextcloud/nextcloud-21.0.1.ebuild  | 43 -----------------------------
 4 files changed, 132 deletions(-)

Comment 4 Bernard Cafarelli gentoo-dev

2021-06-21 22:20:19 UTC

I cleaned 19.x and 21.x, for 20 we will need to stabilize newer 20.0.10 (I preferred to wait for normal stabilization to switch stable to new major version 21)

Comment 5 Agostino Sarubbo gentoo-dev

2021-06-22 06:47:22 UTC

ALLARCHES stable. Closing.

Comment 6 Larry the Git Cow gentoo-dev

2021-06-22 06:57:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f

commit b4f1e773ccac55ceaf77c3a16f8cd19e9c6e930f
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-22 06:57:25 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-22 06:57:25 +0000

    www-apps/nextcloud: drop vulnerable 20.x version
    
    Bug: https://bugs.gentoo.org/797253
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-20.0.8.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)

Comment 7 John Helmert III archtester

2021-06-22 14:10:21 UTC

(In reply to Agostino Sarubbo from comment #5)
> ALLARCHES stable. Closing.

We've hit this bug before, right?

Comment 8 NATTkA bot gentoo-dev

2021-07-20 19:56:23 UTC

Unable to check for sanity:

> no match for package: www-apps/nextcloud-20.0.10

Comment 9 Bernard Cafarelli gentoo-dev

2021-07-20 19:59:49 UTC

20.0.10 was dropped for bug 802096 (newer vulnerability)

Comment 10 Bernard Cafarelli gentoo-dev

2022-06-02 15:55:39 UTC

Current stable version is 23.0.3 and the mentioned major versions here are not in tree anymore

Comment 11 Larry the Git Cow gentoo-dev

2022-08-10 22:33:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386

commit b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:19 +0000

    [ GLSA 202208-17 ] Nextcloud: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/797253
    Bug: https://bugs.gentoo.org/802096
    Bug: https://bugs.gentoo.org/812443
    Bug: https://bugs.gentoo.org/820368
    Bug: https://bugs.gentoo.org/834803
    Bug: https://bugs.gentoo.org/835073
    Bug: https://bugs.gentoo.org/848873
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-17.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

Comment 12 John Helmert III archtester

2022-08-10 22:35:07 UTC

GLSA released, all done!