Date: Thu, 9 Apr 2015 22:11:54 +0200 From: Robert Scheck <robert@...oraproject.org> To: Open Source Security Mailing List <oss-security@...ts.openwall.com> Cc: CVE assignment team <cve-assign@...re.org> Subject: CVE request: Incorrect default permissions in Zarafa (zarafa-search-plus) Good evening, it was discovered that zarafa-search-plus (part of Zarafa >= 7.2.0) creates the directory /var/lib/zarafa/search/ read- and writable for world, as well as all sub-directories and files it creates afterwards: - https://forums.zarafa.com/showthread.php?11304-Zarafa-7-2-Problems-Bugs-with-the-new-search - https://bugzilla.redhat.com/show_bug.cgi?id=1206838 - https://jira.zarafa.com/browse/ZCP-13160 In difference to the ZCP-13160 ("change this to the same permissions as the other folders in the directory") the thus proposed 755 is not enough, it must be e.g. 750, otherwise data is still readable for local system users. As I unfortunately wasn't aware of the forum posting when I did my analysis I also cross-checked releases before the rewrite (thanks Martin Prpič). The predecessors of zarafa-search-plus are creating the /var/lib/zarafa/search/ or /var/lib/zarafa/index/ directory with the correct permissions, however some of the sub-directories and files (also created by the search daemon) are world-readable (see comment #2 of RHBZ#1206838 for details) through. I am not sure how this should be treated, given that all Zarafa search/index daemons do not seem to have built-in permission checks (like e.g. fetchmail has) and thus also accept an existing directory with incorrect permissions. With kind regards Robert Scheck -- Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.