Bug 10352 - otrs new security issues CVE-2013-3551 and CVE-2013-4088
Summary: otrs new security issues CVE-2013-3551 and CVE-2013-4088
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552192/
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-05-29 23:01 CEST by David Walser
Modified: 2014-05-08 18:04 CEST (History)

See Also:
Source RPM: otrs-3.2.3-1.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-05-29 23:01:52 CEST
Debian has issued an advisory today (May 29):
http://lwn.net/Alerts/552189/

Mageia 2 and 3 are also affected.

David Walser 2013-05-29 23:01:58 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-03 18:14:20 CEST
debian.org link for advisory is now active:
http://www.debian.org/security/2013/dsa-2696
Comment 2 David Walser 2013-06-20 22:25:38 CEST
Debian has issued a new advisory on June 19:
http://www.debian.org/security/2013/dsa-2712

This adds a new CVE, CVE-2013-4088.

from http://lwn.net/Vulnerabilities/555692/

Summary: otrs new security issue CVE-2013-3551 => otrs new security issues CVE-2013-3551 and CVE-2013-4088

Comment 3 Daniel Lucio 2013-06-22 17:19:29 CEST
Pushing for Cauldron, 3 and 2
Comment 4 Daniel Lucio 2013-06-22 17:21:16 CEST
Waiting for QA

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 Manuel Hiebel 2013-06-22 18:06:58 CEST
(In reply to Daniel Lucio from comment #4)
> Waiting for QA

any reason you have closed this bug ?
Comment 6 Sander Lepik 2013-06-22 19:05:33 CEST
Next time please keep the bug open and just assign to QA :)

Status: RESOLVED => REOPENED
CC: (none) => mageia
Resolution: FIXED => (none)
Assignee: luis.daniel.lucio => qa-bugs

Sander Lepik 2013-06-22 19:06:53 CEST

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 8 David Walser 2013-06-22 20:48:21 CEST
Advisory:
========================

Updated otrs package fixes security vulnerabilities:

An attacker with a valid agent login could manipulate URLs in the ticket
watch mechanism to see contents of tickets they are not permitted to see
(CVE-2013-3551, CVE-2013-4088).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4088
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
http://www.debian.org/security/2013/dsa-2696
http://www.debian.org/security/2013/dsa-2712
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.8-1.mga2
otrs-3.2.8-1.mga3

from SRPMS:
otrs-3.2.8-1.mga2.src.rpm
otrs-3.2.8-1.mga3.src.rpm
Comment 9 Dave Hodgins 2013-06-27 21:53:28 CEST
Testers, see https://bugs.mageia.org/show_bug.cgi?id=7527#c7

CC: (none) => davidwhodgins

Dave Hodgins 2013-06-27 21:54:05 CEST

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 10 Dave Hodgins 2013-06-30 23:41:58 CEST
Not a regression, but there is an error in ...
postinstall scriptlet (using /bin/sh):
/var/www/otrs/bin/otrs.SetPermissions.pl  --otrs-user=otrs --web-user=apache --otrs-group=otrs --web-group=apache /var/www/otrs
cd /var/www/otrs/var/cron
for foo in *.dist; do cp $foo `basename $foo .dist`; done
/var/www/otrs/bin/Cron.sh start otrs

From rpm -q -l otrs
/var/www/otrs/.fetchmailrc
/var/www/otrs/.fetchmailrc.dist
/var/www/otrs/.mailfilter
/var/www/otrs/.mailfilter.dist
/var/www/otrs/.procmailrc
/var/www/otrs/.procmailrc.dist
/var/www/otrs/Kernel/Config.pm
/var/www/otrs/Kernel/Config.pm.dist
/var/www/otrs/Kernel/Config/GenericAgent.pm
/var/www/otrs/Kernel/Config/GenericAgent.pm.dist

As all of the files that end in .dist have a copy in the same dir without
the .dist (and none of the .dist files are in /var/www/otrs/var/cron),
it looks like the cd and for/cp commands should just be removed from the
postinstall scriptlet.

As it is, the installation has one easy to miss message in the output with
cp: target 'unlock' is not a directory

Note that unlock is last file in the cron directory, so it looks like the
target of trying to copy multiple files, hence the error message.

I'll be testing shortly.
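The failure Dave describes can be reproduced outside the package. The script below is an added example, not code from the otrs package or from this bug report: it rebuilds the scriptlet's cron loop in a scratch directory, shows why an unmatched glob turns into a multi-source cp with 'unlock' as the target, and gives a hardened replacement. The file names other than 'unlock' are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the otrs package's own scriptlet): reproduce the
# postinstall loop failure from the bug report and show a robust version.
#
# The packaged loop is:
#   cd /var/www/otrs/var/cron
#   for foo in *.dist; do cp $foo `basename $foo .dist`; done
#
# With no *.dist files present the glob stays literal, so $foo is '*.dist',
# `basename '*.dist' .dist` yields '*', and that unquoted '*' is itself
# glob-expanded. cp therefore receives every file in the directory, with the
# alphabetically last one ('unlock') in the target position.

# Constructed stand-in for /var/www/otrs/var/cron: a few fragment files, no
# *.dist files, 'unlock' sorting last. Names other than 'unlock' are assumed.
make_cron_dir() {
  d=$(mktemp -d) || return 1
  for f in aaa_base cache generic_agent pending_jobs unlock; do
    : > "$d/$f"
  done
  printf '%s\n' "$d"
}

# The loop exactly as packaged (unquoted expansions, backticks), run in a
# subshell so the caller's cwd is untouched. cp's stderr is merged into
# stdout so the message can be inspected; the return value is cp's status.
original_loop() {
  ( cd "$1" || exit 1
    for foo in *.dist; do cp $foo `basename $foo .dist`; done ) 2>&1
}

# Hardened loop: if the glob did not match, the literal pattern does not
# exist as a file and the iteration is skipped; every expansion is quoted;
# '--' stops a name beginning with '-' from being parsed as an option; and
# ${f%.dist} replaces basename, so there is no second expansion of a result.
fixed_loop() {
  ( cd "$1" || exit 1
    for f in *.dist; do
      [ -e "$f" ] || continue
      cp -- "$f" "${f%.dist}" || exit 1
    done )
}

# Returns 0 when the original loop fails on a directory without .dist files
# (the reported bug), 1 if it unexpectedly succeeds.
original_loop_fails() {
  d=$(make_cron_dir) || return 1
  if original_loop "$d" >/dev/null; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
  return 0
}

# Demo when run directly.
cron=$(make_cron_dir)
echo "original loop in $cron:"
original_loop "$cron" || echo "  -> exit status $?"
echo "hardened loop in $cron:"
fixed_loop "$cron" && echo "  -> ok, nothing to copy"
rm -rf "$cron"
```

The same guard (`[ -e "$f" ] || continue`) is what you want in any rpm scriptlet that loops over a glob, since a package whose file list changes between releases can silently turn a no-op into a cp over unrelated files.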
Comment 11 Dave Hodgins 2013-07-01 00:10:32 CEST
Probably not a regression, but it should have a requires on perl-DBD-mysql,
otherwise there's an error in /var/log/httpd/error_log with
install_driver(mysql) failed: Can't locate DBD/mysql.pm

Once that's installed, it starts ok.
Comment 12 Dave Hodgins 2013-07-01 00:14:52 CEST
Note for future testers: after installing otrs and (if not already installed)
mariadb, use http://127.0.0.1/otrs/installer.pl to create the database,
and then follow the instructions to log in, create an agent, etc.
Comment 13 Dave Hodgins 2013-07-01 00:57:01 CEST
Bug 10669 opened for comment 10 and comment 11.

Testing complete on Mageia 3 i586 and x86_64, and Mageia 2 i586 and x86_64.

http://svnweb.mageia.org/advisories/10352.adv?view=markup&sortby=date
uploaded.

Could someone from the sysadmin team push 10352.adv.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 14 Nicolas Vigier 2013-07-01 21:24:17 CEST
http://advisories.mageia.org/MGASA-2013-0196.html

Status: REOPENED => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:31 CEST

CC: boklm => (none)
