'[oss-security] Zarafa WebAccess >= 6.40.4 affected by CVE-2013-2205, CVE-2013-2205 and CVE-2012-3414'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Zarafa WebAccess >= 6.40.4 affected by CVE-2013-2205, CVE-2013-2205 and CVE-2012-3414
From:       Robert Scheck <robert () fedoraproject ! org>
Date:       2014-10-23 22:04:41
Message-ID: 20141023220441.GA485 () hurricane ! linuxnetz ! de
[Download RAW message or body]


Good evening,

I discovered that Zarafa WebAccess >= 6.40.4 is affected by CVE-2013-2205,
CVE-2013-2205 and CVE-2012-3414 as it bundles the vulnerable SWFUpload from
http://code.google.com/p/swfupload/. Zarafa has been already notified.

[root@tux ~]# rpm -q zarafa-webaccess
zarafa-webaccess-7.1.11-46050
[root@tux ~]# 

[root@tux ~]# rpm -ql zarafa-webaccess | grep swfupload.swf | xargs md5sum
3a1c6cc728dddc258091a601f28a9c12 /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
[root@tux ~]# 

Given that some distributions/downstreams are shipping that vulnerable .swf
file this is just meant as a simple "heads up". There are two solutions:

a) Replace the bundled swfupload.swf by the fork maintained by WordPress
   from https://github.com/wordpress/secure-swfupload (upstream will likely
   do the same for a future release of Zarafa) or
b) Remove the vulnerable SWFUpload e.g. at packaging time (this is what I
   did for Fedora because I never managed it to build the .swf file from
   source code to satisfy our Fedora Packaging Guidelines). Copy & paste
   example from .spec file for removal:

--- snipp ---
%if 0%{?no_multiupload}
sed '148,155d' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php > \
    $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php.new
touch -c -r $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{,.new}
mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{.new,}
rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/swfupload/
%endif
--- snapp ---


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic