{
  "schema_version": "1.7.0",
  "id": "MGASA-2015-0314",
  "published": "2015-08-13T20:56:40Z",
  "modified": "2016-03-07T22:46:41Z",
  "summary": "Updated owncloud package fixes security vulnerabilities",
  "details": "In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect\nownCloud against the Dropbox server might allow the owner of \"Dropbox.com\"\nto gain access to any files on the ownCloud server if an external Dropbox\nstorage was mounted (CVE-2015-4715).\n\nIn ownCloud before 6.0.8 and 8.0.4, the sanitization component for\nfilenames was vulnerable to DoS when parsing specially crafted file names\npassed via specific endpoints. Effectively this lead to a endless loop\nfilling the log file until the system is not anymore responsive\n(CVE-2015-4717).\n\nIn ownCloud before 6.0.8 and 8.0.4, the external SMB storage of ownCloud\nwas not properly neutralizing all special elements which allows an\nadversary to execute arbitrary SMB commands. This was caused by improperly\nsanitizing the \";\" character which is interpreted as command separator by\nsmbclient (the used software to connect to SMB shared by ownCloud).\nEffectively this allows an attacker to gain access to any file on the\nsystem or overwrite it, finally leading to a PHP code execution in the\ncase of ownCloud's config file (CVE-2015-4718).\n",
  "upstream": [
    "CVE-2015-4715",
    "CVE-2015-4717",
    "CVE-2015-4718"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2015-0314.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=16491"
    },
    {
      "type": "ADVISORY",
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
    },
    {
      "type": "ADVISORY",
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007"
    },
    {
      "type": "ADVISORY",
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008"
    },
    {
      "type": "WEB",
      "url": "http://owncloud.org/changelog/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "owncloud",
        "purl": "pkg:rpm/mageia/owncloud?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.9-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:5",
        "name": "owncloud",
        "purl": "pkg:rpm/mageia/owncloud?arch=source&distro=mageia-5"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.5-1.2.mga5"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}