oss-sec mailing list archives
CVE request: Incorrect default permissions in Zarafa (zarafa-search-plus)
From: Robert Scheck <robert () fedoraproject org>
Date: Thu, 9 Apr 2015 22:11:54 +0200
Good evening, it was discovered that zarafa-search-plus (part of Zarafa >= 7.2.0) creates the directory /var/lib/zarafa/search/ read- and writable for world, as well as all sub-directories and files it creates afterwards: - https://forums.zarafa.com/showthread.php?11304-Zarafa-7-2-Problems-Bugs-with-the-new-search - https://bugzilla.redhat.com/show_bug.cgi?id=1206838 - https://jira.zarafa.com/browse/ZCP-13160 In difference to the ZCP-13160 ("change this to the same permissions as the other folders in the directory") the thus proposed 755 is not enough, it must be e.g. 750, otherwise data is still readable for local system users. As I unfortunately wasn't aware of the forum posting when I did my analysis I also cross-checked releases before the rewrite (thanks Martin Prpič). The predecessors of zarafa-search-plus are creating the /var/lib/zarafa/search/ or /var/lib/zarafa/index/ directory with the correct permissions, however some of the sub-directories and files (also created by the search daemon) are world-readable (see comment #2 of RHBZ#1206838 for details) through. I am not sure how this should be treated, given that all Zarafa search/index daemons do not seem to have built-in permission checks (like e.g. fetchmail has) and thus also accept an existing directory with incorrect permissions. With kind regards Robert Scheck -- Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
Attachment:
_bin
Description:
Current thread:
- CVE request: Incorrect default permissions in Zarafa (zarafa-search-plus) Robert Scheck (Apr 09)