Good evening,
Guido Günther detected and reported that replacing /tmp/zarafa-upgrade-lock with a symlink causes the zarafa-server process to follow that symlink, which allows overwriting arbitrary files in the filesystem (assuming that zarafa-server runs as root, which is not the case by default on Fedora/EPEL, but is the upstream default). An attacker only needs write permission to /tmp and then has to wait until zarafa-server is restarted. CVE-2015-3436 was assigned to this flaw.
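The flaw above is the classic /tmp symlink problem: a privileged process creates its lock file at a predictable path, and a local user who plants a symlink there first gets the kernel to open (and truncate) whatever the link points to. The following is an added example, not Zarafa code, and does not reproduce the actual upstream patch: the helper names, the demo directory, the "victim" file and its content are constructed for illustration. It shows the vulnerable open() pattern next to the hardened one (O_EXCL|O_NOFOLLOW), and runs both against a planted symlink in a private temporary directory so it can be tried as an unprivileged user.

```c
/* Added example for the CVE-2015-3436 symlink pattern; not Zarafa's code.
 * All paths and helper names below are assumptions made for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: "create" the lock with O_CREAT|O_TRUNC.  If the path
 * is already a symlink planted by a local user, open() follows it and the
 * target file is truncated with the privileges of the calling process. */
static int open_lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL fails if anything (including a symlink) already
 * exists at the path, and O_NOFOLLOW refuses to follow a symlink in the last
 * component even if it appeared between a check and this open().  The caller
 * must treat failure as "someone tampered with the lock path", not retry by
 * deleting and recreating. */
static int open_lock_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Build the attack scenario in a fresh private directory: a constructed
 * "victim" file (standing in for a root-owned file such as a config file)
 * and a symlink at the lock path pointing to it.  Calls opener() on the lock
 * path, records its result/errno, and returns the victim's size afterwards
 * (0 means it was truncated).  Returns -1 if the scenario could not be set up. */
static long run_scenario(int (*opener)(const char *), int *open_result, int *open_errno)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* assumed writable /tmp */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], lock[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/zarafa-upgrade-lock", dir);

    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("important:data\n", f);             /* constructed content, 15 bytes */
    fclose(f);

    /* Attacker step: plant the symlink before the privileged process starts. */
    if (symlink(victim, lock) != 0)
        return -1;

    int fd = opener(lock);
    *open_result = fd < 0 ? -1 : 0;
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);

    struct stat st;
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;

    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    int result, err;
    long size;

    size = run_scenario(open_lock_unsafe, &result, &err);
    printf("unsafe open: open()=%d, victim size afterwards=%ld\n", result, size);

    size = run_scenario(open_lock_safe, &result, &err);
    printf("safe open:   open()=%d (%s), victim size afterwards=%ld\n",
           result, result < 0 ? strerror(err) : "ok", size);
    return 0;
}
```

With the unsafe opener the victim file ends up empty; with the hardened opener open() fails with EEXIST (or ELOOP, depending on which check the kernel hits first) and the victim is untouched. Independently of the open flags, a daemon should keep its lock and state files out of world-writable directories altogether, in a directory owned by the service user (for example under /run or /var/lib), so that unprivileged users cannot place anything at the path in the first place.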
Updated RPM packages of Zarafa with a backport of the patch (from Zarafa 7.2.1 beta 1) have been submitted to updates-testing for Fedora EPEL 5, 6 and 7, Fedora 20 and 21.
You should be able to update to Zarafa 7.1.12 (re-released) by using something like:
yum update --enablerepo=updates-testing 'zarafa*'
on all Fedora releases and for Fedora EPEL you should use the following:
yum update --enablerepo=epel-testing 'zarafa*'
After testing, please add positive or negative karma to the Zarafa packages in Bodhi:
And if you find bugs or issues, please file a bug report in Red Hat Bugzilla as described here:
Your feedback is very much appreciated.
Greetings, Robert