
List:       oss-security
Subject:    [oss-security] Zarafa WebApp < 1.6 affected by CVE-2010-4207 or CVE-2012-5881
From:       Robert Scheck <robert () fedoraproject ! org>
Date:       2014-08-28 11:13:30
Message-ID: 20140828111330.GA5036 () hurricane ! linuxnetz ! de


Hello,

I discovered that Zarafa WebApp < 1.6 is affected by CVE-2010-4207 or
CVE-2012-5881 (depends on WebApp version) as it bundles charts.swf by
YUI, see http://yuilibrary.com/support/20121030-vulnerability/ for the
list of affected md5sums.

[root@tux ~]# rpm -q zarafa-webapp
zarafa-webapp-1.5-44025.noarch
[root@tux ~]#

[root@tux ~]# rpm -ql zarafa-webapp | grep charts.swf | xargs md5sum
923c8afe50fc45ed42d92d6ab83b11f6 /usr/share/zarafa-webapp/client/extjs/resources/charts.swf
[root@tux ~]#

I don't know how to abuse this, but the upstream notice "This defect allows
JavaScript injection exploits to be created against domains that host
these affected .swf files, whether or not the .swf files are embedded
in your application." seems important enough for this heads up.

Given that Zarafa WebApp 1.6 (final release) happened on 2014-07-21
there might be distributions/downstreams still shipping Zarafa WebApp
1.5. Zarafa WebApp does not use that file so removing it on packaging
level is fine. Fedora is not affected; it doesn't ship Zarafa WebApp.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
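The md5sum check above, generalised into a small script (an added example, not part of the original mail or of Zarafa or YUI): it walks a directory tree, computes the md5sum of every charts.swf it finds, and flags those on a known-affected list. Only the single hash from the mail is included; the full list lives on the YUI advisory page linked above and is not reproduced here. It assumes GNU coreutils (find, md5sum, cut) and a POSIX sh; the function and file names are my own.

```shell
#!/bin/sh
# Added example: scan a tree for bundled copies of YUI charts.swf and flag any
# whose md5sum is on a known-affected list. Only the first hash below comes
# from the mail (the Zarafa WebApp 1.5 file); the full list is on the YUI
# advisory page and is not reproduced here.
KNOWN_BAD_MD5="923c8afe50fc45ed42d92d6ab83b11f6"

# check_swf_dir DIR [HASHLIST]
# Finds every charts.swf below DIR and prints one line per file:
#   "AFFECTED <md5> <path>"  if the md5 is in HASHLIST (default: KNOWN_BAD_MD5)
#   "unknown  <md5> <path>"  otherwise (not on the list, which is not the same
#                            as known-good; compare against the full YUI list)
check_swf_dir() {
    dir=$1
    list=${2:-$KNOWN_BAD_MD5}
    find "$dir" -type f -name 'charts.swf' -print | while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        case " $list " in
            *" $sum "*) printf 'AFFECTED %s %s\n' "$sum" "$f" ;;
            *)          printf 'unknown  %s %s\n' "$sum" "$f" ;;
        esac
    done
}

# affected_count DIR [HASHLIST]: number of affected files found (0 if none).
affected_count() {
    n=$(check_swf_dir "$1" "$2" | grep -c '^AFFECTED' || true)
    echo "$n"
}

# Usage: sh check_charts_swf.sh /usr/share/zarafa-webapp
# Prints one line per charts.swf and exits non-zero if any is affected.
if [ -n "${1:-}" ]; then
    check_swf_dir "$1"
    [ "$(affected_count "$1")" -eq 0 ]
fi
```

A file reported as "unknown" only means its hash is not on the list you passed in; since the mail notes that Zarafa WebApp does not use the file at all, the simplest packaging-level fix is the one the mail suggests, dropping charts.swf from the package regardless of its hash.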
