Bug 1171572 (CVE-2020-8155)

Summary: VUL-1: CVE-2020-8155: Cross-site scripting vulnerability when opening a malicious PDF
Product: [openSUSE] openSUSE Distribution Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: SecurityAssignee: Eric Schirra <ecsos>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low    
Version: Leap 15.1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/259481/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2020-05-13 10:09:51 UTC
CVE-2020-8155

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server
18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8155
https://nextcloud.com/security/advisory/?id=NC-SA-2020-019
Comment 1 Alexandros Toptsoglou 2020-05-13 10:10:28 UTC
Not sure whether Leap 15.1 is affected. Factory ships an already fixed version
Comment 2 Eric Schirra 2020-05-13 10:56:10 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Not sure whether Leap 15.1 is affected. Factory ships an already fixed
> version

Leap 15.1 has 15.0.14.
Also 15.2

https://nextcloud.com/security/advisory/?id=NC-SA-2020-019 say:
 Affected Software: Nextcloud Server < 18.0.3

For 15.2 i have made an request from Factory to 15.2

Please make an maintenance request for 15.1
Comment 3 Alexandros Toptsoglou 2020-05-13 11:42:13 UTC
(In reply to Eric Schirra from comment #2)
> (In reply to Alexandros Toptsoglou from comment #1)
> > Not sure whether Leap 15.1 is affected. Factory ships an already fixed
> > version
> 
> Leap 15.1 has 15.0.14.
> Also 15.2
> 
> https://nextcloud.com/security/advisory/?id=NC-SA-2020-019 say:
>  Affected Software: Nextcloud Server < 18.0.3
> 
> For 15.2 i have made an request from Factory to 15.2
> 
> Please make an maintenance request for 15.1

Hi Eric, 

maintenance requests are normally a task of the package maintainer and not of the security team's.
Comment 4 Eric Schirra 2020-05-13 13:20:51 UTC
> Hi Eric, 
> 
> maintenance requests are normally a task of the package maintainer and not
> of the security team's.

You're right.
Will do it in evening.
Comment 5 Eric Schirra 2020-05-13 13:42:28 UTC
Maintenance request is done.
Comment 6 OBSbugzilla Bot 2020-05-13 17:10:12 UTC
This is an autogenerated message for OBS integration:
This bug (1171572) was mentioned in
https://build.opensuse.org/request/show/805352 Backports:SLE-12 / nextcloud
https://build.opensuse.org/request/show/805353 Backports:SLE-15-SP1 / nextcloud
https://build.opensuse.org/request/show/805354 15.1 / nextcloud
Comment 7 Swamp Workflow Management 2020-05-17 19:12:44 UTC
openSUSE-SU-2020:0667-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1084320,1171572,1171579
CVE References: CVE-2020-8154,CVE-2020-8155
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nextcloud-18.0.4-22.1
Comment 8 Swamp Workflow Management 2020-05-17 19:13:29 UTC
openSUSE-SU-2020:0668-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171572,1171579
CVE References: CVE-2020-8154,CVE-2020-8155
Sources used:
openSUSE Backports SLE-15-SP1 (src):    nextcloud-18.0.4-bp151.3.9.1
Comment 9 Swamp Workflow Management 2020-05-22 22:14:35 UTC
openSUSE-SU-2020:0670-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171572,1171579
CVE References: CVE-2020-8154,CVE-2020-8155
Sources used:
openSUSE Leap 15.1 (src):    nextcloud-18.0.4-lp151.2.6.1
Comment 10 OBSbugzilla Bot 2020-10-06 09:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1171572) was mentioned in
https://build.opensuse.org/request/show/839724 15.1+15.2+Backports:SLE-12+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / nextcloud
Comment 11 Swamp Workflow Management 2020-10-10 22:15:36 UTC
openSUSE-SU-2020:1652-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171572,1171579,1177346
CVE References: CVE-2020-8154,CVE-2020-8155,CVE-2020-8183,CVE-2020-8228,CVE-2020-8233
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nextcloud-20.0.0-lp152.3.3.1
openSUSE Leap 15.1 (src):    nextcloud-20.0.0-lp151.2.9.1
openSUSE Backports SLE-15-SP2 (src):    nextcloud-20.0.0-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    nextcloud-20.0.0-bp151.3.12.1
Comment 12 Swamp Workflow Management 2020-10-10 22:16:52 UTC
openSUSE-SU-2020:1652-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171572,1171579,1177346
CVE References: CVE-2020-8154,CVE-2020-8155,CVE-2020-8183,CVE-2020-8228,CVE-2020-8233
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nextcloud-20.0.0-lp152.3.3.1
openSUSE Leap 15.1 (src):    nextcloud-20.0.0-lp151.2.9.1
openSUSE Backports SLE-15-SP2 (src):    nextcloud-20.0.0-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    nextcloud-20.0.0-bp151.3.12.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nextcloud-20.0.0-25.1
Comment 13 Eric Schirra 2020-10-11 19:42:11 UTC
Nextcloud is updated to 20.