Bug 1263006 - (CVE-2015-6566) CVE-2015-6566 zarafa: Potential local privilege escalation in zarafa-autorespond
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150911,repor...
Keywords: Security
Depends On: 1265244 1265245
Reported: 2015-09-14 17:39 EDT by Robert Scheck
Modified: 2016-11-08 11:08 EST (History)
Doc Type: Bug Fix
Last Closed: 2016-01-06 22:43:28 EST
Type: Bug

Attachments:
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665) (2.39 KB, patch)
2015-09-14 17:39 EDT, Robert Scheck

Description Robert Scheck 2015-09-14 17:39:16 EDT
Created attachment 1073440
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665)

Description of problem:
According to http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt
there is a potential local privilege escalation in zarafa-autorespond. The
zarafa-autorespond(1) script is usually run by zarafa-dagent(1) which is run
by upstream defaults as root (and in Fedora as unprivileged zarafa user). I
am not aware of the details of this possible flaw, thus I am attaching a
diff between the previous and the fixed version.

Version-Release number of selected component (if applicable):
zarafa-7.1.13-1

Actual results:
Potential local privilege escalation in zarafa-autorespond.

Expected results:
Is it a flaw and thus does this deserve a CVE being assigned?

Additional info:
I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
Please let me know if you need further information etc.
Comment 1 Martin Prpič 2015-09-21 09:17:56 EDT
CVE requested: http://seclists.org/oss-sec/2015/q3/599
Comment 2 Martin Prpič 2015-09-22 09:03:26 EDT
(In reply to Martin Prpic from comment #1)
> CVE requested: http://seclists.org/oss-sec/2015/q3/599

Changelog in comment 0 was updated with a CVE, more info:

http://seclists.org/oss-sec/2015/q3/606
Comment 3 Martin Prpič 2015-09-22 09:07:37 EDT
Created zarafa tracking bugs for this issue:

Affects: fedora-21 [bug 1265244]
Affects: epel-all [bug 1265245]
Comment 4 Christian Hoffmann 2015-11-04 09:01:47 EST
(In reply to Robert Scheck from comment #0)
> Additional info:
> I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
> Please let me know if you need further information etc.
The relevant Zarafa ticket has now been made public, which hopefully provides the additional hints you were looking for:
https://jira.zarafa.com/browse/ZCP-13533
Comment 5 Fedora Update System 2015-11-23 18:19:56 EST
zarafa-7.1.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-12-02 15:52:54 EST
php53-mapi-7.1.14-1.el5, zarafa-7.1.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-12-02 22:53:14 EST
zarafa-7.1.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-12-02 23:00:09 EST
zarafa-7.1.14-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
