Bugzilla – Bug 1036756
VUL-1: CVE-2017-9286: nextcloud package security issues
Last modified: 2019-02-12 13:40:07 UTC
https://build.opensuse.org/package/view_file/openSUSE:Factory/nextcloud/nextcloud.spec?expand=1 Ignoring that /srv/www/htdocs violates current packaging guidelines for a moment, I'm sure the package puts user owned directories in user owned directories in there. Such a setup is not safe for rpm. Worst case: privilege escalation. Commands like `service apache2 status | grep running > /tmp/apache_stopped_during_nextcloud_install` allow symlink attacks. Using su in scriptlets may not be safe either.
I don't understand the problem. This only runs on update or install. Installing or updating packages always runs as root. For an update, nextcloud must be set to maintenance mode ON, and after the update to maintenance mode OFF. The grep only writes something like: `Active: active (running) since Mon 2017-04-24 13:06:23 CEST; 3 days ago` So where is the problem?
(In reply to Eric Schirra from comment #1) > Install or update packages runs every time under root. Exactly. When you write to locations where unprivileged users can write too, anyone can create symlinks where the root process then writes into. So use /run instead of /tmp, and only package subdirectories of root owned directories.
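The race described in the two comments above, as an added demonstration that is not code from the nextcloud package or from this bug: an unprivileged user pre-creates the predictable name under a world-writable directory as a symlink, and a root scriptlet that later does `> /tmp/...` follows it and overwrites whatever the link points at. The "fixed" writer does what the comment asks for: it keeps the state file under a directory only root can write to and creates the name atomically with `mktemp`. Everything runs inside a scratch directory created with `mktemp -d`, so the "world-writable /tmp", the "root-owned victim file" and the "/run" directory are constructed stand-ins and nothing on the real system is touched (and no root privileges are needed to see the effect).

```shell
#!/bin/sh
# Demonstration of a /tmp symlink race (example added here; not package code).
# The scriptlet pattern under discussion is:
#   service apache2 status | grep running > /tmp/apache_stopped_during_nextcloud_install

set -u

DEMO_ROOT=$(mktemp -d)                      # scratch sandbox, removed on exit
trap 'rm -rf "$DEMO_ROOT"' EXIT
SHARED_TMP="$DEMO_ROOT/tmp"                 # stands in for /tmp (anyone can create names here)
PRIVATE_RUN="$DEMO_ROOT/run"                # stands in for /run (only root can create names here)
VICTIM="$DEMO_ROOT/etc/victim.conf"         # stands in for a root-owned file the attacker wants to clobber
mkdir -p "$SHARED_TMP" "$PRIVATE_RUN" "$DEMO_ROOT/etc"
printf 'original contents\n' > "$VICTIM"

# Restore the victim file to its known-good contents between scenarios.
reset_victim() {
    printf 'original contents\n' > "$VICTIM"
}

# Check helper: does the victim still hold its original contents?
victim_intact() {
    [ "$(cat "$VICTIM")" = "original contents" ]
}

# Attacker (unprivileged): plants a symlink at the predictable name before the
# package scriptlet runs. The shared directory is writable by everyone, so this
# needs no privileges at all.
attacker_plant_symlink() {
    ln -sf "$VICTIM" "$SHARED_TMP/apache_stopped_during_nextcloud_install"
}

# Vulnerable scriptlet: a plain '>' redirection opens the path with
# O_CREAT|O_TRUNC and follows the symlink, so the "status output" is written
# into the victim file instead of a fresh temp file.
vulnerable_writer() {
    echo "Active: active (running) since ..." > "$SHARED_TMP/apache_stopped_during_nextcloud_install"
}

# Fixed scriptlet: the state file lives under a directory unprivileged users
# cannot write to, and its name is created atomically by mktemp (O_CREAT|O_EXCL),
# so an attacker can neither pre-create the name nor have a symlink followed.
# Prints the path of the file it created.
safe_writer() {
    state_file=$(mktemp "$PRIVATE_RUN/nextcloud-apache.XXXXXX") || return 1
    echo "Active: active (running) since ..." > "$state_file"
    printf '%s\n' "$state_file"
}

# Walk through both scenarios when run directly.
run_demo() {
    attacker_plant_symlink
    vulnerable_writer
    if victim_intact; then
        echo "vulnerable writer: victim untouched (unexpected)"
    else
        echo "vulnerable writer: victim clobbered through the planted symlink"
    fi
    reset_victim
    safe_writer >/dev/null
    if victim_intact; then
        echo "safe writer: victim untouched"
    else
        echo "safe writer: victim clobbered (unexpected)"
    fi
}

run_demo
```

The same protection is what `/run` plus root-only subdirectories gives a real rpm scriptlet: the attacker cannot create a name in the directory at all, so there is nothing for the root process to follow. Note that `mktemp` alone in a shared directory already closes the symlink hole because of O_EXCL, but it does not protect a fixed, predictable filename such as the one in the spec.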
I have fixed the permissions for the directories. Nobody but wwwrun has rights for the directories app, config, data. I want to split whole packages in different dirs. Because in other packages, like phpmyadmin, it is also not split. And it would break all documentation which can be found on the internet. And I'm not a friend of massive changes against upstream. When still not okay, please make a new issue with open failure.
This is an autogenerated message for OBS integration: This bug (1036756) was mentioned in https://build.opensuse.org/request/show/520643 42.3 / nextcloud
It looks like the 12 version was submitted into Leap Maintenance, I did not like this, at least not without another tracking bug. This submission fixes this minor vulnerability: https://build.opensuse.org/request/show/522326 As for version 12, please say if you want to have this new version considered.
This is an autogenerated message for OBS integration: This bug (1036756) was mentioned in https://build.opensuse.org/request/show/522719 42.3 / nextcloud
Why reopened? Issue is fixed as requested.
It was re-opened because of what I wrote in comment #5. The version 12 update is not required to fix this for Leap Maintenance, but please check this one: https://build.opensuse.org/request/show/522326
Can you please review https://build.opensuse.org/request/show/522719 or indicate that you want to put a maintenance update to the latest release, for which we need another bug?
Not progressing version update without separate bug. Please provide a back-port for maintenance, since you declined mine.
maintenance request is on the way
CVE-2017-9286 for the /tmp races.
This is an autogenerated message for OBS integration: This bug (1036756) was mentioned in https://build.opensuse.org/request/show/529082 42.3 / nextcloud
(In reply to Bernhard Wiedemann from comment #13) > This is an autogenerated message for OBS integration: > This bug (1036756) was mentioned in > https://build.opensuse.org/request/show/529082 42.3 / nextcloud So it's now over 5 days in maintenance and on the way, but not in Update. Can I close this issue or should I wait?
You can just assign it back to the security team.
releasing update
openSUSE-SU-2017:2641-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1036756 CVE References: CVE-2017-9286 Sources used: openSUSE Leap 42.3 (src): nextcloud-11.0.3-3.1
This is an autogenerated message for OBS integration: This bug (1036756) was mentioned in https://build.opensuse.org/request/show/621840 Backports:SLE-12 / nextcloud
This is an autogenerated message for OBS integration: This bug (1036756) was mentioned in https://build.opensuse.org/request/show/673824 15.1 / nextcloud