oss-sec mailing list archives
Zarafa WebAccess >= 6.40.4 affected by CVE-2013-2205, CVE-2013-2205 and CVE-2012-3414
From: Robert Scheck <robert () fedoraproject org>
Date: Fri, 24 Oct 2014 00:04:41 +0200
Good evening,

I discovered that Zarafa WebAccess >= 6.40.4 is affected by CVE-2013-2205,
CVE-2013-2205 and CVE-2012-3414 as it bundles the vulnerable SWFUpload from
http://code.google.com/p/swfupload/. Zarafa has already been notified.

[root@tux ~]# rpm -q zarafa-webaccess
zarafa-webaccess-7.1.11-46050
[root@tux ~]#
[root@tux ~]# rpm -ql zarafa-webaccess | grep swfupload.swf | xargs md5sum
3a1c6cc728dddc258091a601f28a9c12  /usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf
[root@tux ~]#

Given that some distributions/downstreams are shipping that vulnerable .swf
file, this is just meant as a simple "heads up". There are two solutions:

a) Replace the bundled swfupload.swf by the fork maintained by WordPress from
   https://github.com/wordpress/secure-swfupload (upstream will likely do the
   same for a future release of Zarafa) or

b) Remove the vulnerable SWFUpload e.g. at packaging time (this is what I did
   for Fedora because I never managed to build the .swf file from source code
   to satisfy our Fedora Packaging Guidelines).

Copy & paste example from .spec file for removal:

--- snipp ---
%if 0%{?no_multiupload}
sed '148,155d' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php > \
  $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php.new
touch -c -r $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{,.new}
mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{.new,}
rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/swfupload/
%endif
--- snapp ---

With kind regards
  Robert Scheck

-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
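As an added example that is not part of Robert Scheck's post nor of Zarafa's own code, the following POSIX shell script turns the md5sum check shown above into a repeatable audit for downstreams and administrators. It looks for swfupload.swf at the path from the rpm -ql output (assumed here to be the default install layout), compares the file's MD5 with the hash quoted in the post, and reports VULNERABLE, UNKNOWN (for instance after the file was replaced by the secure-swfupload fork) or ABSENT (after the widget directory was removed as the .spec snippet does). The function names, the ROOT argument and the sample file used in testing are this example's own.

```shell
#!/bin/sh
# Added example (not from Robert Scheck's post or the Zarafa project): audit an
# installed Zarafa WebAccess tree for the bundled swfupload.swf and compare its
# MD5 against the hash quoted in the post. Prints exactly one word on stdout:
# VULNERABLE (hash matches a known-bad value), UNKNOWN (file present but hash
# not in the list), or ABSENT (file not there, e.g. removed at packaging time).

# MD5 of the vulnerable swfupload.swf as shown in the post's md5sum output.
KNOWN_BAD_MD5="3a1c6cc728dddc258091a601f28a9c12"

# Install path taken from the post's rpm -ql output (assumed default layout).
SWF_RELPATH="usr/share/zarafa-webaccess/client/widgets/swfupload/swfupload.swf"

# md5_of FILE: print the hex MD5 digest of FILE (coreutils md5sum, BSD md5 fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# classify_swf FILE BAD_MD5...: classify FILE against one or more known-bad hashes.
classify_swf() {
    file="$1"
    shift
    if [ ! -f "$file" ]; then
        echo ABSENT
        return 0
    fi
    sum=$(md5_of "$file")
    for bad in "$@"; do
        if [ "$sum" = "$bad" ]; then
            echo VULNERABLE
            return 0
        fi
    done
    echo UNKNOWN
}

# audit_webaccess ROOT [BAD_MD5...]: check the default install location below
# ROOT (use / for the running host, or the directory an unpacked package was
# extracted into). Falls back to the hash from the post when none is given.
audit_webaccess() {
    root="${1:-/}"
    if [ "$#" -gt 0 ]; then
        shift
    fi
    if [ "$#" -eq 0 ]; then
        set -- "$KNOWN_BAD_MD5"
    fi
    classify_swf "${root%/}/$SWF_RELPATH" "$@"
}

# Stand-alone run: audit the host, or the tree given as the first argument.
echo "swfupload.swf status under ${1:-/}: $(audit_webaccess "${1:-/}")"
```

Run it as `sh audit-swfupload.sh` on a host, or as `sh audit-swfupload.sh /tmp/extracted-rpm` against an unpacked package before shipping it. An UNKNOWN result only says the file does not match the one hash listed; other builds of the vulnerable SWFUpload may hash differently, so treat UNKNOWN as "verify the file's origin", not as "clean".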