robert pushed to zarafa (f20). "Added minor bugfixes to two patches"

notifications at fedoraproject.org
Tue Apr 7 18:39:09 UTC 2015


From 860fae12508e25d020d8ee3e3762d34475280606 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Mon, 23 Feb 2015 00:58:12 +0100
Subject: Added minor bugfixes to two patches


diff --git a/zarafa-7.1.10-webaccess-fail2ban.patch b/zarafa-7.1.10-webaccess-fail2ban.patch
deleted file mode 100644
index b0bb26e..0000000
--- a/zarafa-7.1.10-webaccess-fail2ban.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.0 which logs authentication
-failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
-https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
-there is no inappropriate space before a punctuation mark also known as "plenken".
-
-The second part of this patch is a backport of Zarafa WebApp 1.6 which ensures that authentication
-is only performed if username and password are filled. This avoids a) strange looking results of
-error_log() from the first part and b) reduces the possible risk of denial of service given that
-PHP is not connecting the Zarafa server if not really needed.
-
-I guess the usage of isset() rather !empty() was accidential because isset() is always true once
-the HTTP POST via the login formular happens.
-
-Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12543.
-
---- zarafa-7.1.10/php-webclient-ajax/client/login.php		2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/client/login.php		2014-08-13 22:11:38.000000000 +0200
-@@ -86,6 +86,8 @@
- 		switch($_SESSION["hresult"]){
- 			case MAPI_E_LOGON_FAILED:
- 			case MAPI_E_UNCONFIGURED:
-+				// Print error message to error_log of webserver
-+				error_log('user '.$_POST["username"].': authentication failure at MAPI');
- 				echo _("Logon failed, please check your name/password.");
- 				break;
- 			case MAPI_E_NETWORK_ERROR:
---- zarafa-7.1.10/php-webclient-ajax/index.php			2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php			2014-08-13 22:11:11.000000000 +0200
-@@ -153,7 +153,7 @@
- 
- 	// Create global mapi object. This object is used in many other files
- 	$GLOBALS["mapisession"] = new MAPISession();
--	if (isset($_SESSION["username"]) && isset($_SESSION["password"])) {
-+	if (!empty($_SESSION["username"]) && !empty($_SESSION["password"])) {
- 		$sslcert_file = defined('SSLCERT_FILE') ? SSLCERT_FILE : null;
- 		$sslcert_pass = defined('SSLCERT_PASS') ? SSLCERT_PASS : null;
- 		$hresult = $GLOBALS["mapisession"]->logon($_SESSION["username"], $_SESSION["password"], DEFAULT_SERVER, $sslcert_file, $sslcert_pass);
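Review bot: the second part of the deleted patch, the isset() -> !empty() change in index.php (the -@@ -153,7 +153,7 @@ hunk), does not reappear in the replacement file, and neither the commit message nor the new patch header says whether 7.1.11 already carries it upstream; if it does not, the rationale given in the deleted description (no MAPI connection to the Zarafa server when username and password are empty, which the author tied to a possible denial of service) is silently lost in this update. A sentence in the new patch header or the spec changelog stating why only the login.php part survived would avoid that question on the next rebase.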
diff --git a/zarafa-7.1.10-webaccess-mcrypt.patch b/zarafa-7.1.10-webaccess-mcrypt.patch
deleted file mode 100644
index 49bed4e..0000000
--- a/zarafa-7.1.10-webaccess-mcrypt.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
-that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
-in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
-PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
-older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
-both shipping PHP < 5.3 by default) would still be left vulnerable.
-
-Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
-correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
-flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
-instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
-
-Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
-based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
-other macros):
-
-%if 0%{?rhel}%{?fedora} < 6
-Requires: php-mcrypt
-%else
-Requires: php-openssl
-%endif
-
-This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
-
-Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, patch was put into the (non-disclosed) upstream ticket
-https://jira.zarafa.com/browse/ZCP-12407.
-
---- zarafa-7.1.10/php-webclient-ajax/index.php						2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt				2014-06-05 00:08:18.000000000 +0200
-@@ -135,6 +135,8 @@
- 		// if user has openssl module installed
- 		if(function_exists("openssl_encrypt")) {
- 			$_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+		} elseif(function_exists("mcrypt_encrypt")) {
-+			$_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- 		} else {
- 			$_SESSION["password"] = $password;
- 		}
---- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php			2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt	2014-06-05 00:08:57.000000000 +0200
-@@ -132,6 +132,8 @@
- 			if(is_string($username) && is_string($password)) {
- 				if(function_exists("openssl_decrypt")) {
- 					$password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+				} elseif(function_exists("mcrypt_decrypt")) {
-+					$password = trim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV));
- 				}
- 				// logon
- 				$this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
-@@ -139,6 +141,8 @@
- 
- 				if(function_exists("openssl_encrypt")) {
- 					$password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+				} elseif(function_exists("mcrypt_encrypt")) {
-+					$password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- 				}
- 
- 				if ($result == NOERROR && $this->session !== false){
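Review bot: trim() in the deleted mcrypt decrypt path (the class.mapisession.php hunk at -@@ -132,6 +132,8 @@) strips all leading and trailing whitespace, not only the NUL bytes mcrypt appends as block padding in CBC mode, so a password that starts or ends with a space, tab or newline would have been altered before mapi_logon_zarafa() and the logon would fail even with correct credentials. Narrowing this to rtrim($password, "\0") in the replacement is the right fix; the remaining edge case, a password whose last character is itself a NUL byte, cannot be distinguished from padding with mcrypt's zero padding and should be noted in the patch header.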
diff --git a/zarafa-7.1.11-webaccess-fail2ban.patch b/zarafa-7.1.11-webaccess-fail2ban.patch
new file mode 100644
index 0000000..3c2b5c3
--- /dev/null
+++ b/zarafa-7.1.11-webaccess-fail2ban.patch
@@ -0,0 +1,21 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.11 which logs authentication
+failures of Zarafa WebAccess into the error log of the webserver. This is basically a backport of
+https://jira.zarafa.com/browse/WA-6908 from WebApp to WebAccess. In difference to original patch
+there is no inappropriate space before a punctuation mark also known as "plenken".
+
+Proposed to upstream via e-mail on Wed, 13 Aug 2014 22:56:09 +0200, initial patch was put into the
+upstream ticket https://jira.zarafa.com/browse/ZCP-12543.
+
+--- zarafa-7.1.11/php-webclient-ajax/client/login.php		2014-09-03 10:45:06.000000000 +0200
++++ zarafa-7.1.11/php-webclient-ajax/client/login.php		2015-02-18 01:08:13.000000000 +0100
+@@ -86,6 +86,10 @@
+ 		switch($_SESSION["hresult"]){
+ 			case MAPI_E_LOGON_FAILED:
+ 			case MAPI_E_UNCONFIGURED:
++				// Print error message to error_log of webserver
++				if (!empty($_POST["username"])) {
++					error_log('user '.$_POST["username"].': authentication failure at MAPI');
++				}
+ 				echo _("Logon failed, please check your name/password.");
+ 				break;
+ 			case MAPI_E_NETWORK_ERROR:
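Review bot: $_POST["username"] is written verbatim into error_log(), so a request whose username contains CR/LF or other control characters produces extra or malformed lines in the webserver error log; since this log is intended to be parsed by fail2ban, the value should be normalised before logging, e.g. with addcslashes($_POST["username"], "\0..\37\177") and a length cap, so that a single request cannot forge a line that matches (or breaks) the ban expression. The new !empty() guard is a good change on its own, as it avoids the meaningless "user : authentication failure at MAPI" line the 7.1.10 version emitted on an empty form submission. The header now says "initial patch was put into the upstream ticket"; one line saying what differs from that initial version (the guard) would help whoever rebases this next.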
diff --git a/zarafa-7.1.11-webaccess-mcrypt.patch b/zarafa-7.1.11-webaccess-mcrypt.patch
new file mode 100644
index 0000000..56b5274
--- /dev/null
+++ b/zarafa-7.1.11-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
+ticket https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.10/php-webclient-ajax/index.php						2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt				2014-06-05 00:08:18.000000000 +0200
+@@ -135,6 +135,8 @@
+ 		// if user has openssl module installed
+ 		if(function_exists("openssl_encrypt")) {
+ 			$_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++		} elseif(function_exists("mcrypt_encrypt")) {
++			$_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ 		} else {
+ 			$_SESSION["password"] = $password;
+ 		}
+--- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php			2014-05-23 15:56:38.000000000 +0200
++++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt	2014-06-05 00:08:57.000000000 +0200
+@@ -132,6 +132,8 @@
+ 			if(is_string($username) && is_string($password)) {
+ 				if(function_exists("openssl_decrypt")) {
+ 					$password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++				} elseif(function_exists("mcrypt_decrypt")) {
++					$password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
+ 				}
+ 				// logon
+ 				$this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
+@@ -139,6 +141,8 @@
+ 
+ 				if(function_exists("openssl_encrypt")) {
+ 					$password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
++				} elseif(function_exists("mcrypt_encrypt")) {
++					$password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ 				}
+ 
+ 				if ($result == NOERROR && $this->session !== false){
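Review bot: the two branches are not interchangeable, and the header should say so: openssl_encrypt() with options 0 applies PKCS#7 padding and base64-encodes the result, while mcrypt_encrypt(MCRYPT_TRIPLEDES, ..., MCRYPT_MODE_CBC, ...) zero-pads to the 8-byte block (hence the rtrim(..., "\0") on decrypt), so a session written on a host that has openssl and read on one that only has mcrypt (shared session storage during a PHP upgrade, for instance) decrypts to garbage rather than falling back cleanly. Second, the mcrypt branch needs PASSWORD_KEY to be exactly 24 bytes and PASSWORD_IV exactly 8 bytes; the pre-5.6 mcrypt this branch targets silently zero-pads a short key instead of failing, which weakens the key without any warning, so the length requirement belongs in the patch header next to the %if/Requires example. Third, the file is named zarafa-7.1.11-webaccess-mcrypt.patch but the header still says ">= 7.1.10" and the --- / +++ paths are zarafa-7.1.10/..., so please confirm the hunks still apply at the stated line numbers against 7.1.11 and update the paths to match the fail2ban patch.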
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=f20&id=860fae12508e25d020d8ee3e3762d34475280606

