Bug 1297357 (CVE-2016-1500)

Summary: CVE-2016-1500 owncloud: disclosure of files that begin with ".v" due to unchecked return value
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: awilliam, ignatenko, james.hogarth, shawn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: owncloud 8.2.2 owncloud 8.1.5 owncloud 8.0.10 owncloud 7.0.12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-25 06:42:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297358, 1297359, 1297360    
Bug Blocks:    

Description Andrej Nemec 2016-01-11 10:20:02 UTC 
Due to a incorrect usage of the getOwner function of the ownCloud virtual filesystem,done authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "files_versions" application is enabled on the server.

External Reference:

https://owncloud.org/security/advisory/?id=oc-sa-2016-003
Comment 1 Andrej Nemec 2016-01-11 10:21:10 UTC 
Created owncloud tracking bugs for this issue:

Affects: fedora-all [bug 1297358]
Affects: epel-6 [bug 1297359]
Affects: epel-7 [bug 1297360]
Comment 2 James Hogarth 2016-04-25 06:42:21 UTC 
Versions that fix this have been released to ask supported distributions, closing.