Bug 10352 - otrs new security issues CVE-2013-3551 and CVE-2013-4088
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552192/
Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA3...
Keywords: validated_update
Reported: 2013-05-29 23:01 CEST by David Walser
Modified: 2014-05-08 18:04 CEST
Source RPM: otrs-3.2.3-1.mga3.src.rpm

Description David Walser 2013-05-29 23:01:52 CEST
Debian has issued an advisory today (May 29):

Mageia 2 and 3 are also affected.


Comment 1 David Walser 2013-06-03 18:14:20 CEST
debian.org link for advisory is now active:
Comment 2 David Walser 2013-06-20 22:25:38 CEST
Debian has issued a new advisory on June 19:

This adds a new CVE, CVE-2013-4088.

from http://lwn.net/Vulnerabilities/555692/
Comment 3 Daniel Lucio 2013-06-22 17:19:29 CEST
Pushing for Cauldron, 3 and 2
Comment 4 Daniel Lucio 2013-06-22 17:21:16 CEST
Waiting for QA
Comment 5 Manuel Hiebel 2013-06-22 18:06:58 CEST
(In reply to Daniel Lucio from comment #4)
> Waiting for QA

Any reason you have closed this bug?
Comment 6 Sander Lepik 2013-06-22 19:05:33 CEST
Next time please keep the bug open and just assign to QA :)
Comment 8 David Walser 2013-06-22 20:48:21 CEST

Updated otrs package fixes security vulnerabilities:

An attacker with a valid agent login could manipulate URLs in the ticket
watch mechanism to see contents of tickets they are not permitted to see
(CVE-2013-3551, CVE-2013-4088).


Updated packages in core/updates_testing:

from SRPMS:
Comment 9 Dave Hodgins 2013-06-27 21:53:28 CEST
Testers, see https://bugs.mageia.org/show_bug.cgi?id=7527#c7
Comment 10 Dave Hodgins 2013-06-30 23:41:58 CEST
Not a regression, but there is an error in ...
postinstall scriptlet (using /bin/sh):
/var/www/otrs/bin/otrs.SetPermissions.pl  --otrs-user=otrs --web-user=apache --otrs-group=otrs --web-group=apache /var/www/otrs
cd /var/www/otrs/var/cron
for foo in *.dist; do cp $foo `basename $foo .dist`; done
/var/www/otrs/bin/Cron.sh start otrs

From rpm -q -l otrs

As all of the files that end in .dist have a copy in the same dir without
the .dist (and none of the .dist files are in /var/www/otrs/var/cron),
it looks like the cd and for/cp commands should just be removed from the
postinstall scriptlet.

As it is, the installation has one easy-to-miss message in the output with
cp: target ‘unlock’ is not a directory

Note that unlock is the last file in the cron directory, so it looks like the
target of trying to copy multiple files, hence the error message.

I'll be testing shortly.
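The scriptlet failure described in comment 10 can be reproduced without touching /var/www/otrs. The script below is an added example, not code from the otrs package or from the reporter: it builds a throwaway stand-in for the cron directory (the file names in it are constructed), runs the cp loop exactly as the scriptlet does, and shows a guarded form of the same loop. The mechanism is the one the comment points at: with no *.dist file present the glob stays literal, `basename '*.dist' .dist` prints a bare `*`, and that unquoted `*` is globbed a second time into every file in the directory, so cp receives several sources and a last operand (`unlock`) that is not a directory.

```shell
#!/bin/sh
# Added example, not code from the otrs package or the bug reporter.
# Re-creates the failure comment 10 describes in the postinstall
# scriptlet's cp loop, inside a temp directory only, and shows a
# guarded form of the loop. File names here are constructed stand-ins.

# Constructed stand-in for /var/www/otrs/var/cron: a few plain files and
# no *.dist files at all, the state comment 10 reports on the real system.
# "unlock" sorts last, which is why it becomes cp's final operand.
make_cron_dir() {
    dir=$(mktemp -d)
    for f in aaa_base generic_agent unlock; do : > "$dir/$f"; done
    echo "$dir"
}

# Same directory plus one .dist template, the case the loop was written for.
make_cron_dir_with_dist() {
    dir=$(make_cron_dir)
    echo '# constructed cron template' > "$dir/example_job.dist"
    echo "$dir"
}

# The loop exactly as the scriptlet runs it, in a subshell so the cd does
# not leak. With no *.dist present, $foo is the literal "*.dist",
# `basename *.dist .dist` prints "*", and the unquoted "*" is globbed into
# every file in the directory: cp then fails with
# "target 'unlock' is not a directory". Prints the loop's exit status.
original_loop_status() {
    status=0
    (
        cd "$1" || exit 1
        for foo in *.dist; do cp $foo `basename $foo .dist`; done 2>/dev/null
    ) || status=$?
    echo "$status"
}

# Guarded form: skip the body when the glob matched nothing (POSIX sh has
# no nullglob), and quote both operands so a matched name is never
# expanded a second time. Prints the loop's exit status.
guarded_loop_status() {
    status=0
    (
        cd "$1" || exit 1
        for foo in *.dist; do
            [ -e "$foo" ] || continue
            cp "$foo" "$(basename "$foo" .dist)"
        done
    ) || status=$?
    echo "$status"
}

# Stand-alone run: show both behaviours, then clean up.
d=$(make_cron_dir)
echo "original loop, no templates: exit $(original_loop_status "$d")"
echo "guarded loop, no templates:  exit $(guarded_loop_status "$d")"
d2=$(make_cron_dir_with_dist)
echo "guarded loop, one template:  exit $(guarded_loop_status "$d2")"
ls "$d2"
rm -rf "$d" "$d2"
```

Run it with `sh` and the first line reports a non-zero exit from the original loop even though nothing was copied, which is the "easy to miss" message the comment warns about; the guarded loop is a no-op in the same directory and still copies the template when one exists. In an RPM scriptlet the `[ -e "$foo" ] || continue` guard (or simply removing the loop, as the comment suggests, when the package already ships the non-.dist copies) is what keeps a silent partial install from leaving a confusing error in the transaction log.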
Comment 11 Dave Hodgins 2013-07-01 00:10:32 CEST
Probably not a regression, but it should have a requires on perl-DBD-mysql,
otherwise there's an error in /var/log/httpd/error_log with
install_driver(mysql) failed: Can't locate DBD/mysql.pm

Once that's installed, it starts ok.
Comment 12 Dave Hodgins 2013-07-01 00:14:52 CEST
Note for future testers: after installing otrs and (if not already installed)
mariadb, use, to create the database,
and then follow the instructions to log in, create an agent, etc.
Comment 13 Dave Hodgins 2013-07-01 00:57:01 CEST
Bug 10669 opened for comment 10 and comment 11.

Testing complete on Mageia 3 i586 and x86_64, and Mageia 2 i586 and x86_64.


Could someone from the sysadmin team push 10352.adv?
Comment 14 Nicolas Vigier 2013-07-01 21:24:17 CEST
