Created attachment 1073440
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665)

Description of problem:
According to http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt there is a potential local privilege escalation in zarafa-autorespond. The zarafa-autorespond(1) script is usually run by zarafa-dagent(1), which by upstream defaults runs as root (and in Fedora as the unprivileged zarafa user). I am not aware of the details of this possible flaw, thus I am attaching a diff between the previous and the fixed version.

Version-Release number of selected component (if applicable):
zarafa-7.1.13-1

Actual results:
Potential local privilege escalation in zarafa-autorespond.

Expected results:
Is it a flaw, and thus does this deserve a CVE to be assigned?

Additional info:
I am not really sure how to abuse zarafa-autorespond(1), hints appreciated. Please let me know if you need further information etc.
CVE requested: http://seclists.org/oss-sec/2015/q3/599
(In reply to Martin Prpic from comment #1)
> CVE requested: http://seclists.org/oss-sec/2015/q3/599

The changelog in comment 0 was updated with a CVE, more info: http://seclists.org/oss-sec/2015/q3/606
Created zarafa tracking bugs for this issue:

Affects: fedora-21 [bug 1265244]
Affects: epel-all [bug 1265245]
(In reply to Robert Scheck from comment #0)
> Additional info:
> I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
> Please let me know if you need further information etc.

The relevant Zarafa ticket has now been made public, which hopefully provides the additional hints you were looking for: https://jira.zarafa.com/browse/ZCP-13533
zarafa-7.1.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
php53-mapi-7.1.14-1.el5 and zarafa-7.1.14-1.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.14-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.