From c1293fe8f4b1785ed3fb9d1dc334dd051222a8b6 Mon Sep 17 00:00:00 2001
From: Robert Scheck
Date: May 18 2015 22:00:01 +0000
Subject: Merge remote branch 'origin/f21' into el6
---
diff --git a/sources b/sources
index 4a70ced..a15167f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz
+4744f5c09ca082ea23cd28ea1d10941f zcp-7.1.12.tar.gz
diff --git a/zarafa-7.1.12-upgrade-lock.patch b/zarafa-7.1.12-upgrade-lock.patch
new file mode 100644
index 0000000..2a1fddd
--- /dev/null
+++ b/zarafa-7.1.12-upgrade-lock.patch
@@ -0,0 +1,56 @@
+Patch by Robert Scheck for Zarafa 7.1.12 which backports the fix for
+CVE-2015-3436. Guido Günther detected and reported that replacing "/tmp/zarafa-upgrade-lock" by
+a symlink makes the zarafa-server process following that symlink and thus allows to overwrite
+arbitrary files in the filesystem (assuming zarafa-server runs as root which is not the case by
+default at Fedora, but it is the upstream default). One just needs write permissions in /tmp and
+wait until the zarafa-server is restarted. https://bugzilla.redhat.com/show_bug.cgi?id=1222151
+contains further information. The difference between this backport and the original diff is that
+the log levels were reworked from Zarafa 7.1.x to 7.2.x (which this backport takes care of).
+
+--- zarafa-7.1.12/provider/server/ECServer.cpp 2015-05-08 15:09:05.000000000 +0200
++++ zarafa-7.1.12/provider/server/ECServer.cpp.upgrade-lock 2015-05-18 23:05:00.000000000 +0200
+@@ -101,6 +101,8 @@
+ // have to go with the safe value which is for 64bit.
+ #define MYSQL_MIN_THREAD_STACK (256*1024)
+
++const char upgrade_lock_file[] = "/tmp/zarafa-upgrade-lock";
++
+ extern ECSessionManager* g_lpSessionManager;
+
+ // scheduled functions
+@@ -832,7 +834,7 @@
+ // SIGSEGV backtrace support
+ stack_t st = {0};
+ struct sigaction act = {{0}};
+- FILE *tmplock = NULL;
++ int tmplock = -1;
+ struct stat dir = {0};
+ struct passwd *runasUser = NULL;
+
+@@ -1288,8 +1290,9 @@
+ m_bDatabaseUpdateIgnoreSignals = true;
+
+ // add a lock file to disable the /etc/init.d scripts
+- tmplock = fopen("/tmp/zarafa-upgrade-lock","w");
+- if (!tmplock)
++ tmplock = open(upgrade_lock_file, O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
++
++ if (tmplock == -1)
+ g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to place upgrade lockfile: %s", strerror(errno));
+
+ #ifdef EMBEDDED_MYSQL
+@@ -1314,9 +1317,11 @@
+ er = lpDatabaseFactory->UpdateDatabase(m_bForceDatabaseUpdate, dbError);
+
+ // remove lock file
+- if (tmplock) {
+- fclose(tmplock);
+- unlink("/tmp/zarafa-upgrade-lock");
++ if (tmplock != -1) {
++ if (unlink(upgrade_lock_file) == -1)
++ g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to delete upgrade lockfile (%s): %s", upgrade_lock_file, strerror(errno));
++
++ close(tmplock);
+ }
+
+ if(er == ZARAFA_E_INVALID_VERSION) {
diff --git a/zarafa.spec b/zarafa.spec
index 2debd81..3821ad1 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,6 +1,6 @@
 %global beta_or_rc 0
-%global actual_release 1
-%global svnrevision 48726
+%global actual_release 2
+%global svnrevision 49411
 %global with_search 1
 %global with_ldap 1
 %global with_xmlto 1
@@ -68,6 +68,7 @@ Patch10: zarafa-7.1.11-webaccess-fail2ban.patch Patch11: zarafa-7.1.12-webaccess-mcrypt.patch Patch12: zarafa-7.1.12-gsoap-sslv3.patch Patch13: zarafa-7.1.12-licensed-archiver.patch +Patch14: zarafa-7.1.12-upgrade-lock.patch BuildRequires: bison BuildRequires: gcc-c++
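Review bot: The lock file keeps its fixed name in world-writable /tmp, so in the `@@ -1288,8 +1290,9 @@` hunk of ECServer.cpp a file that already exists at `/tmp/zarafa-upgrade-lock` (stale, or created by any local user) makes `open()` fail with EEXIST, after which the code only logs a warning and runs `UpdateDatabase` without the lock. `O_CREAT | O_EXCL` does close the symlink-following write described in the patch header, but the lock's stated purpose (the comment says it disables the /etc/init.d scripts) can still be defeated, and presumably also triggered falsely, by an unprivileged account. Consider moving it to a directory only the service account can write, e.g. `const char upgrade_lock_file[] = "<RUNTIME_DIR_PLACEHOLDER>/zarafa-upgrade-lock";`, and deciding explicitly whether an EEXIST failure should abort the upgrade. The call also passes no access mode and relies on O_RDONLY being 0; `O_WRONLY | O_CREAT | O_EXCL` states the intent. The enclosing function starts and ends outside these hunks, so whether `<fcntl.h>` and `<sys/stat.h>` are already included cannot be confirmed from here.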
@@ -408,6 +409,7 @@ touch -c -r aclocal.m4.rpath aclocal.m4 rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-* %patch12 -p1 -b .gsoap-sslv3 %patch13 -p1 -b .licensed-archiver +%patch14 -p1 -b .upgrade-lock %build %if 0%{?rhel}%{?fedora} < 6
@@ -951,6 +953,10 @@ fi %{python_sitearch}/* %changelog +* Mon May 18 2015 Robert Scheck 7.1.12-2 +- Upgrade to 7.1.12 (re-released) +- Backported patch from Zarafa 7.2 to fix CVE-2015-3436 (#1222151) + * Tue Apr 07 2015 Robert Scheck 7.1.12-1 - Upgrade to 7.1.12 - Added multiple minor enhancement and bugfix patches