robert pushed to zarafa (el6). "- Upgrade to 7.1.12 (re-released) (..more)"
notifications at fedoraproject.org
Mon May 18 22:00:13 UTC 2015
From f800d1c7270ae156c3e498405b3692259b7d3f2b Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Mon, 18 May 2015 23:58:02 +0200
Subject: - Upgrade to 7.1.12 (re-released) - Backported patch from Zarafa 7.2
to fix CVE-2015-3436 (#1222151)
diff --git a/sources b/sources
index 4a70ced..a15167f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz
+4744f5c09ca082ea23cd28ea1d10941f zcp-7.1.12.tar.gz
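Review bot: the new checksum replaces the old one under the unchanged file name zcp-7.1.12.tar.gz, so nothing in this file distinguishes the re-released tarball from the original. The only other trace of the change is the svnrevision bump from 48726 to 49411 in zarafa.spec. Consider recording in the changelog entry where the re-released tarball was obtained and how it was verified, since a 32-hex-digit MD5 on its own is a weak integrity anchor for a silently replaced upstream archive.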
diff --git a/zarafa-7.1.12-upgrade-lock.patch b/zarafa-7.1.12-upgrade-lock.patch
new file mode 100644
index 0000000..2a1fddd
--- /dev/null
+++ b/zarafa-7.1.12-upgrade-lock.patch
@@ -0,0 +1,56 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa 7.1.12 which backports the fix for
+CVE-2015-3436. Guido Günther detected and reported that replacing "/tmp/zarafa-upgrade-lock" by
+a symlink makes the zarafa-server process following that symlink and thus allows to overwrite
+arbitrary files in the filesystem (assuming zarafa-server runs as root which is not the case by
+default at Fedora, but it is the upstream default). One just needs write permissions in /tmp and
+wait until the zarafa-server is restarted. https://bugzilla.redhat.com/show_bug.cgi?id=1222151
+contains further information. The difference between this backport and the original diff is that
+the log levels were reworked from Zarafa 7.1.x to 7.2.x (which this backport takes care of).
+
+--- zarafa-7.1.12/provider/server/ECServer.cpp 2015-05-08 15:09:05.000000000 +0200
++++ zarafa-7.1.12/provider/server/ECServer.cpp.upgrade-lock 2015-05-18 23:05:00.000000000 +0200
+@@ -101,6 +101,8 @@
+ // have to go with the safe value which is for 64bit.
+ #define MYSQL_MIN_THREAD_STACK (256*1024)
+
++const char upgrade_lock_file[] = "/tmp/zarafa-upgrade-lock";
++
+ extern ECSessionManager* g_lpSessionManager;
+
+ // scheduled functions
+@@ -832,7 +834,7 @@
+ // SIGSEGV backtrace support
+ stack_t st = {0};
+ struct sigaction act = {{0}};
+- FILE *tmplock = NULL;
++ int tmplock = -1;
+ struct stat dir = {0};
+ struct passwd *runasUser = NULL;
+
+@@ -1288,8 +1290,9 @@
+ m_bDatabaseUpdateIgnoreSignals = true;
+
+ // add a lock file to disable the /etc/init.d scripts
+- tmplock = fopen("/tmp/zarafa-upgrade-lock","w");
+- if (!tmplock)
++ tmplock = open(upgrade_lock_file, O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
++
++ if (tmplock == -1)
+ g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to place upgrade lockfile: %s", strerror(errno));
+
+ #ifdef EMBEDDED_MYSQL
+@@ -1314,9 +1317,11 @@
+ er = lpDatabaseFactory->UpdateDatabase(m_bForceDatabaseUpdate, dbError);
+
+ // remove lock file
+- if (tmplock) {
+- fclose(tmplock);
+- unlink("/tmp/zarafa-upgrade-lock");
++ if (tmplock != -1) {
++ if (unlink(upgrade_lock_file) == -1)
++ g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to delete upgrade lockfile (%s): %s", upgrade_lock_file, strerror(errno));
++
++ close(tmplock);
+ }
+
+ if(er == ZARAFA_E_INVALID_VERSION) {
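Review bot: in the inner hunk at @@ -1288, a failed open() is only logged and the database update still runs, and with O_CREAT | O_EXCL any pre-existing /tmp/zarafa-upgrade-lock now makes the call fail with EEXIST. That covers a stale file left behind when the server dies between open() and unlink(), and also a file created by any user with write permission in /tmp, which the patch description names as the only precondition of the original issue. The symlink is no longer followed, but the lock that is meant to disable the init scripts can still be withheld by a local user. Consider keeping the lock file in a directory that is not world-writable, or aborting the upgrade when the lock cannot be placed. Minor points: the open() flags carry no explicit access mode (adding O_WRONLY would make the intent clear), and both new messages are logged at EC_LOGLEVEL_FATAL while their text says "WARNING:".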
diff --git a/zarafa.spec b/zarafa.spec
index 2debd81..3821ad1 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,6 +1,6 @@
%global beta_or_rc 0
-%global actual_release 1
-%global svnrevision 48726
+%global actual_release 2
+%global svnrevision 49411
%global with_search 1
%global with_ldap 1
%global with_xmlto 1
@@ -68,6 +68,7 @@ Patch10: zarafa-7.1.11-webaccess-fail2ban.patch
Patch11: zarafa-7.1.12-webaccess-mcrypt.patch
Patch12: zarafa-7.1.12-gsoap-sslv3.patch
Patch13: zarafa-7.1.12-licensed-archiver.patch
+Patch14: zarafa-7.1.12-upgrade-lock.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -408,6 +409,7 @@ touch -c -r aclocal.m4.rpath aclocal.m4
rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*
%patch12 -p1 -b .gsoap-sslv3
%patch13 -p1 -b .licensed-archiver
+%patch14 -p1 -b .upgrade-lock
%build
%if 0%{?rhel}%{?fedora} < 6
@@ -951,6 +953,10 @@ fi
%{python_sitearch}/*
%changelog
+* Mon May 18 2015 Robert Scheck <robert at fedoraproject.org> 7.1.12-2
+- Upgrade to 7.1.12 (re-released)
+- Backported patch from Zarafa 7.2 to fix CVE-2015-3436 (#1222151)
+
* Tue Apr 07 2015 Robert Scheck <robert at fedoraproject.org> 7.1.12-1
- Upgrade to 7.1.12
- Added multiple minor enhancement and bugfix patches
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=el6&id=f800d1c7270ae156c3e498405b3692259b7d3f2b