Bug 1263006 (CVE-2015-6566) - CVE-2015-6566 zarafa: Potential local privilege escalation in zarafa-autorespond
Summary: CVE-2015-6566 zarafa: Potential local privilege escalation in zarafa-autorespond
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-6566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1265244 1265245
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-14 21:39 UTC by Robert Scheck
Modified: 2019-09-29 13:36 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-07 03:43:28 UTC
Embargoed:

Attachments (Terms of Use)
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665) (2.39 KB, patch)
2015-09-14 21:39 UTC, Robert Scheck 		no flags Details | Diff
View All

Description Robert Scheck 2015-09-14 21:39:16 UTC 
Created attachment 1073440 [details]
Relevant diff between Zarafa 7.2.1 RC1 (SVN 51272) and RC2 (SVN 51665)

Description of problem:
According to http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt
there is a potential local privilege escalation in zarafa-autorespond. The
zarafa-autorespond(1) script is usually run by zarafa-dagent(1) which is run
by upstream defaults as root (and in Fedora as unprivileged zarafa user). I
am not aware about the details of this possible flaw, thus I am attaching a
diff between the previous and the fixed version.

Version-Release number of selected component (if applicable):
zarafa-7.1.13-1

Actual results:
Potential local privilege escalation in zarafa-autorespond.

Expected results:
Is it a flaw and thus does this deserve a CVE being assigned?

Additional info:
I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
Please let me know if you need further information etc.
Comment 1 Martin Prpič 2015-09-21 13:17:56 UTC 
CVE requested: http://seclists.org/oss-sec/2015/q3/599
Comment 2 Martin Prpič 2015-09-22 13:03:26 UTC 
(In reply to Martin Prpic from comment #1)
> CVE requested: http://seclists.org/oss-sec/2015/q3/599

Changelog in comment 0 was updated with a CVE, more info:

http://seclists.org/oss-sec/2015/q3/606
Comment 3 Martin Prpič 2015-09-22 13:07:37 UTC 
Created zarafa tracking bugs for this issue:

Affects: fedora-21 [bug 1265244]
Affects: epel-all [bug 1265245]
Comment 4 Christian Hoffmann 2015-11-04 14:01:47 UTC 
(In reply to Robert Scheck from comment #0)
> Additional info:
> I am not really sure how to abuse zarafa-autorespond(1), hints appreciated.
> Please let me know if you need further information etc.
The relevant Zarafa ticket has now been made public, which hopefully provides the additional hints you were looking for:
https://jira.zarafa.com/browse/ZCP-13533
Comment 5 Fedora Update System 2015-11-23 23:19:56 UTC 
zarafa-7.1.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-12-02 20:52:54 UTC 
php53-mapi-7.1.14-1.el5, zarafa-7.1.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-12-03 03:53:14 UTC 
zarafa-7.1.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-12-03 04:00:09 UTC 
zarafa-7.1.14-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.