Bug 1263006 (CVE-2015-6566)

Summary: CVE-2015-6566 zarafa: Potential local privilege escalation in zarafa-autorespond
Product: [Other] Security Response
Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: christian, jrusnack
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-07 03:43:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1265244, 1265245
Bug Blocks:
Attachments:
- Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665) (flags: none)

Description Robert Scheck 2015-09-14 21:39:16 UTC
Created attachment 1073440 [details]
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665)

Description of problem:
According to http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt
there is a potential local privilege escalation in zarafa-autorespond. The
zarafa-autorespond(1) script is usually run by zarafa-dagent(1), which by
upstream defaults runs as root (and in Fedora as the unprivileged zarafa user).
I am not aware of the details of this possible flaw, thus I am attaching a
diff between the previous and the fixed version.

Version-Release number of selected component (if applicable):
zarafa-7.1.13-1

Actual results:
Potential local privilege escalation in zarafa-autorespond.

Expected results:
Is it a flaw and thus does this deserve a CVE being assigned?

Additional info:
I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
Please let me know if you need further information etc.

Comment 1 Martin Prpič 2015-09-21 13:17:56 UTC
CVE requested: http://seclists.org/oss-sec/2015/q3/599

Comment 2 Martin Prpič 2015-09-22 13:03:26 UTC
(In reply to Martin Prpic from comment #1)
> CVE requested: http://seclists.org/oss-sec/2015/q3/599

Changelog in comment 0 was updated with a CVE, more info:

http://seclists.org/oss-sec/2015/q3/606

Comment 3 Martin Prpič 2015-09-22 13:07:37 UTC
Created zarafa tracking bugs for this issue:

Affects: fedora-21 [bug 1265244]
Affects: epel-all [bug 1265245]

Comment 4 Christian Hoffmann 2015-11-04 14:01:47 UTC
(In reply to Robert Scheck from comment #0)
> Additional info:
> I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
> Please let me know if you need further information etc.
The relevant Zarafa ticket has now been made public, which hopefully provides the additional hints you were looking for:
https://jira.zarafa.com/browse/ZCP-13533

Comment 5 Fedora Update System 2015-11-23 23:19:56 UTC
zarafa-7.1.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-12-02 20:52:54 UTC
php53-mapi-7.1.14-1.el5 and zarafa-7.1.14-1.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-12-03 03:53:14 UTC
zarafa-7.1.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-12-03 04:00:09 UTC
zarafa-7.1.14-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.