57 lines
2.2 KiB
Diff
57 lines
2.2 KiB
Diff
Patch by Robert Scheck <robert@fedoraproject.org> for Zarafa 7.1.12 which backports the fix for
|
|
CVE-2015-3436. Guido Günther detected and reported that replacing "/tmp/zarafa-upgrade-lock" by
|
|
a symlink makes the zarafa-server process following that symlink and thus allows to overwrite
|
|
arbitrary files in the filesystem (assuming zarafa-server runs as root which is not the case by
|
|
default at Fedora, but it is the upstream default). One just needs write permissions in /tmp and
|
|
wait until the zarafa-server is restarted. https://bugzilla.redhat.com/show_bug.cgi?id=1222151
|
|
contains further information. The difference between this backport and the original diff is that
|
|
the log levels were reworked from Zarafa 7.1.x to 7.2.x (which this backport takes care of).
|
|
|
|
--- zarafa-7.1.12/provider/server/ECServer.cpp 2015-05-08 15:09:05.000000000 +0200
|
|
+++ zarafa-7.1.12/provider/server/ECServer.cpp.upgrade-lock 2015-05-18 23:05:00.000000000 +0200
|
|
@@ -101,6 +101,8 @@
|
|
// have to go with the safe value which is for 64bit.
|
|
#define MYSQL_MIN_THREAD_STACK (256*1024)
|
|
|
|
+const char upgrade_lock_file[] = "/tmp/zarafa-upgrade-lock";
|
|
+
|
|
extern ECSessionManager* g_lpSessionManager;
|
|
|
|
// scheduled functions
|
|
@@ -832,7 +834,7 @@
|
|
// SIGSEGV backtrace support
|
|
stack_t st = {0};
|
|
struct sigaction act = {{0}};
|
|
- FILE *tmplock = NULL;
|
|
+ int tmplock = -1;
|
|
struct stat dir = {0};
|
|
struct passwd *runasUser = NULL;
|
|
|
|
@@ -1288,8 +1290,9 @@
|
|
m_bDatabaseUpdateIgnoreSignals = true;
|
|
|
|
// add a lock file to disable the /etc/init.d scripts
|
|
- tmplock = fopen("/tmp/zarafa-upgrade-lock","w");
|
|
- if (!tmplock)
|
|
+ tmplock = open(upgrade_lock_file, O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
|
|
+
|
|
+ if (tmplock == -1)
|
|
g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to place upgrade lockfile: %s", strerror(errno));
|
|
|
|
#ifdef EMBEDDED_MYSQL
|
|
@@ -1314,9 +1317,11 @@
|
|
er = lpDatabaseFactory->UpdateDatabase(m_bForceDatabaseUpdate, dbError);
|
|
|
|
// remove lock file
|
|
- if (tmplock) {
|
|
- fclose(tmplock);
|
|
- unlink("/tmp/zarafa-upgrade-lock");
|
|
+ if (tmplock != -1) {
|
|
+ if (unlink(upgrade_lock_file) == -1)
|
|
+ g_lpLogger->Log(EC_LOGLEVEL_FATAL, "WARNING: Unable to delete upgrade lockfile (%s): %s", upgrade_lock_file, strerror(errno));
|
|
+
|
|
+ close(tmplock);
|
|
}
|
|
|
|
if(er == ZARAFA_E_INVALID_VERSION) {
|