Guido Günther detected and reported that replacing "/tmp/zarafa-upgrade-lock" by a symlink makes the zarafa-server process follow that symlink and thus allows one to overwrite arbitrary files in the filesystem (assuming zarafa-server runs as root, which is not the case by default on Fedora, but is the upstream default). One just needs write permissions in /tmp and to wait until zarafa-server is restarted.
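The pattern behind this report, as an added example that is not Zarafa's code and not part of this bug report: a lock file created in a world-writable directory with a plain open-for-write follows whatever symlink an attacker planted at that path and truncates the target, whereas creating it with O_CREAT|O_EXCL|O_NOFOLLOW refuses. The file names, the "victim" content and the mkdtemp() directory below are constructed for the demo; the lock file name only mirrors the one in the report.

```c
/* Added example, not Zarafa's code: why a lock file in a world-writable
 * directory must be created without following symlinks. Everything runs
 * inside a private mkdtemp() directory so it is self-contained. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a root-owned file such as /etc/passwd. */
#define VICTIM_CONTENT "root:x:0:0:root:/root:/bin/bash\n"

/* Vulnerable pattern: O_CREAT|O_TRUNC dereferences a symlink at the path,
 * so a planted link makes the target get truncated (and, if the process
 * then writes, overwritten). Returns 0 on success, -1 on error. */
int create_lock_naive(const char *lockpath)
{
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened pattern: O_EXCL makes open() fail if anything (even a dangling
 * symlink) already exists at the path, and O_NOFOLLOW refuses to follow a
 * symlink at the last component. A stale lock then has to be handled
 * explicitly (lstat() it, unlink() only a regular file you own), never by
 * silently truncating through whatever sits there. Returns 0 or -1/errno. */
int create_lock_safe(const char *lockpath)
{
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;      /* errno is EEXIST (or ELOOP) for a planted link */
    close(fd);
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* The attacker's setup in a fresh private directory: a victim file and a
 * symlink at the lock path pointing at it. Falls back to the current
 * directory if /tmp is unavailable. Returns 0 on success. */
static int plant(char *dir, size_t dlen, char *victim, size_t vlen,
                 char *lock, size_t llen)
{
    snprintf(dir, dlen, "/tmp/lockdemo.XXXXXX");
    if (!mkdtemp(dir)) {
        snprintf(dir, dlen, "./lockdemo.XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, vlen, "%s/victim", dir);
    snprintf(lock, llen, "%s/zarafa-upgrade-lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs(VICTIM_CONTENT, f);
    fclose(f);
    return symlink(victim, lock);   /* the attacker's move */
}

static void cleanup(const char *dir, const char *victim, const char *lock)
{
    unlink(lock);
    unlink(victim);
    rmdir(dir);
}

/* Returns the victim's size after the naive locker ran: 0 means it was
 * truncated through the symlink, i.e. the bug this report describes. */
long naive_locker_damage(void)
{
    char dir[64], victim[128], lock[128];
    if (plant(dir, sizeof dir, victim, sizeof victim, lock, sizeof lock) < 0)
        return -1;
    create_lock_naive(lock);
    long sz = file_size(victim);
    cleanup(dir, victim, lock);
    return sz;
}

/* Returns 1 if the hardened locker refused the planted symlink and the
 * victim kept its original content length, 0 otherwise. */
int safe_locker_refused(void)
{
    char dir[64], victim[128], lock[128];
    if (plant(dir, sizeof dir, victim, sizeof victim, lock, sizeof lock) < 0)
        return 0;
    int rc = create_lock_safe(lock);
    int err = errno;
    int ok = rc < 0 && (err == EEXIST || err == ELOOP)
             && file_size(victim) == (long)strlen(VICTIM_CONTENT);
    cleanup(dir, victim, lock);
    return ok;
}

int main(void)
{
    printf("naive locker: victim size afterwards = %ld\n", naive_locker_damage());
    printf("safe locker refused the symlink: %d\n", safe_locker_refused());
    return 0;
}
```

Two caveats a packager would want: the demo uses a private directory owned by the same user, so the kernel's fs.protected_symlinks sysctl does not interfere; on a system where it is enabled, following a symlink in a sticky world-writable directory such as /tmp is refused when the link owner differs from the process, which blunts this class of attack but is no substitute for not following symlinks in the first place. And creating the lock under a root-only directory (e.g. under /run) removes the attacker's write access to the parent directory altogether, which is the stronger fix regardless of the open flags.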
Zarafa fixed this issue with version 7.2.1 beta 1; however, they unfortunately have not released any source code files nor a source code patch so far. At https://download.zarafa.com/community/beta/7.2/7.2.1-49597/ the "sourcecode" directory is missing.
Created attachment 1026883: Relevant difference between Zarafa 7.2.0 and 7.2.1 beta 1

Meanwhile Zarafa has published the source code of Zarafa 7.2.1 beta 1.
Created attachment 1026887: Backport of the patch from 7.2.1 beta 1 for Zarafa 7.1.x

The backport takes proper care of the reworked log levels from 7.1.x to 7.2.x.
Created zarafa tracking bugs for this issue:

Affects: fedora-all [bug 1222909]
Affects: epel-all [bug 1222911]
zarafa-7.1.12-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.12-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.12-2.el5 and php53-mapi-7.1.12-2.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.12-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
zarafa-7.1.12-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.