Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 24 Oct 2014 00:04:41 +0200
From: Robert Scheck <robert@...oraproject.org>
To: Open Source Security Mailing List <oss-security@...ts.openwall.com>
Subject: Zarafa WebAccess >= 6.40.4 affected by CVE-2013-2205, CVE-2013-2205
 and CVE-2012-3414

Good evening,

I discovered that Zarafa WebAccess >= 6.40.4 is affected by CVE-2013-2205,
CVE-2013-2205 and CVE-2012-3414 as it bundles the vulnerable SWFUpload from
http://code.google.com/p/swfupload/. Zarafa has been already notified.

[root@... ~]# rpm -q zarafa-webaccess
zarafa-webaccess-7.1.11-46050
[root@... ~]# 

[root@... ~]# rpm -ql zarafa-webaccess | grep swfupload.swf | xargs md5sum
3a1c6cc728dddc258091a601f28a9c12 /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
[root@... ~]# 

Given that some distributions/downstreams are shipping that vulnerable .swf
file this is just meant as a simple "heads up". There are two solutions:

a) Replace the bundled swfupload.swf by the fork maintained by WordPress
   from https://github.com/wordpress/secure-swfupload (upstream will likely
   do the same for a future release of Zarafa) or
b) Remove the vulnerable SWFUpload e.g. at packaging time (this is what I
   did for Fedora because I never managed it to build the .swf file from
   source code to satisfy our Fedora Packaging Guidelines). Copy & paste
   example from .spec file for removal:

--- snipp ---
%if 0%{?no_multiupload}
sed '148,155d' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php > \
    $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php.new
touch -c -r $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{,.new}
mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{.new,}
rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/swfupload/
%endif
--- snapp ---


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ