Bug 14712

Summary: eGroupware 16.1 needs Packaging due to LDAP bugs.
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: neoclust
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-14920
Whiteboard: MGA7TOO
Source RPM: egroupware-1.8.007.20140506-11.mga8.src
CVE: CVE-2017-14920
Status comment:

Description Zombie Ryushu 2014-12-02 18:18:34 CET
eGroupware 1.8.007 has a severe bug that will at best delete LDAP user accounts, and at worst corrupt the LDAP database when used with a Samba 4 Active Directory.

Because of this the maintainer of eGroupware suggests everyone migrate to eGroupware 14.1 which officially supports a Samba 4 AD.

eGroupware 14.1 has many new dependencies which exist as PEAR modules. Import from OpenSuse recommended.

Comment 1 Zombie Ryushu 2014-12-02 18:20:15 CET
eGroupware 1.8's behaviour is, in practice, also a violation for OpenLDAP.

CC: (none) => neoclust

Comment 2 Samuel Verschelde 2015-05-21 11:33:55 CEST
Assigning to maintainer. Nicolas, seems a severe issue.

Whiteboard: (none) => MGA4TOO MGA5TOO
Severity: normal => critical
Assignee: bugsquad => mageia

Comment 3 Samuel Verschelde 2015-05-21 11:34:38 CEST
(although we should check if we're affected since we don't have samba 4)
Comment 4 Zombie Ryushu 2015-05-21 13:30:32 CEST
(In reply to Samuel VERSCHELDE from comment #3)
> (although we should check if we're affected since we don't have samba 4)

Okay, let me explain: the behaviour of most LDAP applications is to issue an LDAP modify command to any existing LDAP entry in the tree and edit or add only the existing object classes connected to that entry in the tree. All applications except OpenLDAP do this to avoid running afoul of an object class constraint violation.

eGroupware 1.8 reads the entire entry into a temporary space, makes changes in that space, then issues a drop command to delete the entire entry, then an add command to add a new entry with its changes. If for any reason a constraint violation or an object class violation occurs, the new entry won't be re-added, and eGroupware will error out. 

ACLs in both modern versions of OpenLDAP and Samba 4.1 can run afoul of this.

Recommended action is to import the Suse eGroupware packages and Rosa Horde packages.
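
The failure mode described in comment 4, as an added example (not eGroupware code): a constructed in-memory stand-in for a directory server enforces a schema (MUST attributes per objectClass) and a write ACL for the application's bind DN, and the same change is applied once as a single modify and once with the delete-then-add pattern. The schema, the ACL, the DN uid=alice,ou=people,dc=example,dc=org and the attribute values are all constructed for the example; the point is that modify is rejected atomically and leaves the entry intact, while delete-then-add loses the entry whenever the re-add is refused, whether by a schema violation or by an ACL that does not let the application write attributes owned by the Samba side.

```python
"""Modify-in-place versus delete-and-re-add (the eGroupware 1.8 pattern).

Added example with a constructed in-memory directory; not eGroupware code.
"""
from copy import deepcopy

# Constructed schema: objectClass -> attributes that MUST be present.
SCHEMA = {
    "inetOrgPerson": {"cn", "sn"},
    "posixAccount": {"uid", "uidNumber", "gidNumber", "homeDirectory"},
    "sambaSamAccount": {"uid", "sambaSID"},
}
# Constructed ACL: attributes the application's bind DN may write.
# sambaSID is managed by the Samba side, so the application cannot write it.
APP_WRITABLE = {"cn", "sn", "uid", "uidNumber", "gidNumber", "homeDirectory", "mail"}
ALICE = "uid=alice,ou=people,dc=example,dc=org"  # constructed DN


class LdapError(Exception):
    pass


class Directory:
    def __init__(self):
        self.entries = {}

    def _check_schema(self, entry):
        for oc in entry["objectClass"]:
            missing = SCHEMA[oc] - set(entry)
            if missing:
                raise LdapError(f"objectClassViolation: {oc} requires {sorted(missing)}")

    def _check_acl(self, attrs):
        denied = set(attrs) - APP_WRITABLE - {"objectClass"}
        if denied:
            raise LdapError(f"insufficientAccessRights: {sorted(denied)}")

    def add(self, dn, entry):
        if dn in self.entries:
            raise LdapError("entryAlreadyExists")
        self._check_schema(entry)
        self._check_acl(entry)  # the whole entry must be writable by the app
        self.entries[dn] = deepcopy(entry)

    def delete(self, dn):
        if dn not in self.entries:
            raise LdapError("noSuchObject")
        del self.entries[dn]

    def modify(self, dn, changes):
        """Apply only the listed attribute changes; nothing is committed on error."""
        if dn not in self.entries:
            raise LdapError("noSuchObject")
        self._check_acl(changes)  # only the touched attributes need write access
        candidate = apply_changes(self.entries[dn], changes)
        self._check_schema(candidate)
        self.entries[dn] = candidate


def apply_changes(entry, changes):
    """Return a copy of entry with changes applied (a value of None deletes)."""
    out = deepcopy(entry)
    for attr, value in changes.items():
        if value is None:
            out.pop(attr, None)
        else:
            out[attr] = value
    return out


def update_by_modify(directory, dn, changes):
    """What most LDAP clients do: one modify touching only changed attributes."""
    directory.modify(dn, changes)


def update_by_delete_and_add(directory, dn, changes):
    """The eGroupware 1.8 pattern: edit a local copy, delete, then add it back."""
    temp = apply_changes(directory.entries[dn], changes)
    directory.delete(dn)
    directory.add(dn, temp)  # if this raises, the entry is already gone


def seed():
    """Entry created out of band (as Samba would), so it bypasses the app ACL."""
    d = Directory()
    d.entries[ALICE] = {
        "objectClass": ["inetOrgPerson", "posixAccount", "sambaSamAccount"],
        "cn": "Alice", "sn": "Example", "uid": "alice",
        "uidNumber": "10001", "gidNumber": "10001",
        "homeDirectory": "/home/alice", "sambaSID": "S-1-5-21-1-2-3-1001",
    }
    return d


def compare(changes):
    """Run both strategies on a fresh copy; report (outcome, entry still present)."""
    results = {}
    for name, strategy in (("modify", update_by_modify),
                           ("delete_add", update_by_delete_and_add)):
        d = seed()
        try:
            strategy(d, ALICE, changes)
            results[name] = ("ok", ALICE in d.entries)
        except LdapError as e:
            results[name] = (str(e).split(":")[0], ALICE in d.entries)
    return results
```

`compare({"mail": "alice@example.org"})` is the benign case: the modify succeeds, but the delete-then-add path is refused on the re-add because the full entry carries sambaSID, and the account is gone. `compare({"homeDirectory": None})` is the schema case: both paths are refused with an object class violation, but only the modify path still has the entry afterwards. The defensive check this suggests for any LDAP-writing application is that an update must never require write access to more than the attributes it actually changes.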
Comment 5 Zombie Ryushu 2015-09-21 17:28:00 CEST
Still an issue. Please use packages from Rosa Linux 2014.1.
Comment 6 Zombie Ryushu 2017-04-27 15:44:56 CEST
It has been so long since this package has been updated, that eGroupware 16.1 has been released.
Zombie Ryushu 2017-04-27 15:45:21 CEST

Summary: eGroupware 14.1 needs Packaging due to Samba 4 bugs. => eGroupware 16.1 needs Packaging due to LDAP bugs.

Comment 7 Zombie Ryushu 2020-12-06 09:04:54 CET
Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.

CVE: (none) => CVE-2017-14920
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2017-14920
Component: RPM Packages => Security
Whiteboard: MGA4TOO MGA5TOO => MGA7TOO
QA Contact: (none) => security
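
The class of flaw in the CVE description above (a request header rendered unescaped into an administrator's page), as an added example that is not eGroupware code: a constructed access-log record is rendered into an HTML row twice, once by plain string formatting and once with HTML escaping applied at the output point, plus a small regression check a template test could use. The record, the header value and the Content-Security-Policy value are constructed for the example.

```python
"""Output encoding for header-derived values shown to administrators.

Added example, not eGroupware code; sample data is constructed.
"""
import html

# Constructed log record; the User-Agent value is entirely client-controlled.
SAMPLE_RECORD = {
    "user": "alice",
    "ip": "192.0.2.10",
    "user_agent": '<script>alert("ua")</script> Mozilla/5.0',
}


def render_row_unsafe(record):
    """Vulnerable pattern: header values dropped straight into HTML."""
    return "<tr><td>{user}</td><td>{ip}</td><td>{user_agent}</td></tr>".format(**record)


def render_row_safe(record):
    """Hardened pattern: every untrusted value is HTML-escaped where it is emitted."""
    cells = (html.escape(str(record[k]), quote=True)
             for k in ("user", "ip", "user_agent"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def csp_headers():
    """Defence in depth: a policy that refuses inline script if encoding is missed.
    Constructed policy; a real deployment tunes it to its own asset origins."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def has_raw_tag(rendered, tag="script"):
    """Regression check for templates: does the output contain a raw <tag ...?"""
    return f"<{tag}" in rendered.lower()
```

The check in has_raw_tag is deliberately crude; its job is to fail a template test when a header-derived value reaches the page unescaped, not to replace escaping.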

Comment 8 Zombie Ryushu 2020-12-06 09:14:53 CET
Please pull from Rosa on this matter. They have a substantially updated SPEC File for this App.

This app in its current state must be updated to conform to the demands of PHP 7.0.

Source RPM: egroupware => egroupware-1.8.007.20140506-11.mga8.src

Comment 9 Nicolas Lécureuil 2020-12-26 23:09:08 CET
Where are the spec files from them? So I can take a look.
Comment 10 David Walser 2020-12-26 23:18:36 CET
The newest I see out there is alt-linux:
.config/mib-report/sisyphus.txt:http://mirror.yandex.ru/altlinux/Sisyphus/files/SRPMS/egroupware-19.1.20200430-alt1.src.rpm

opensuse doesn't have it.  It looks like ROSA's package is unmaintained and bitrotting, it's over three years old.
Comment 11 Nicolas Lécureuil 2020-12-26 23:59:53 CET
question: Do we keep it ?
Comment 12 David Walser 2020-12-27 00:03:10 CET
It's a webapp that has been unmaintained for several years in Mageia.  Let's drop it.
Comment 13 Zombie Ryushu 2020-12-27 00:04:41 CET
This application is one of my most critical systems. I have to handle it out of tree because the package is not maintained.
Comment 14 David Walser 2020-12-27 00:22:48 CET
Looking at ROSA's spec file provides a basis for a very simple setup script for this software, so it's a good candidate for dropping.
Comment 15 Nicolas Lécureuil 2020-12-27 13:46:20 CET
removing from mageia 8

Status: NEW => RESOLVED
Resolution: (none) => FIXED