Bug 12813 - zarafa new security issues CVE-2014-0037 and CVE-2014-0079
: zarafa new security issues CVE-2014-0037 and CVE-2014-0079
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/586794/
: MGA3TOO advisory MGA3-32-OK MGA3-64-O...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-18 19:40 CET by David Walser
Modified: 2014-03-02 00:00 CET (History)
5 users (show)

See Also:
Source RPM: zarafa-7.1.2-3.mga3.src.rpm
CVE:


Attachments

Description David Walser 2014-02-18 19:40:10 CET
Fedora has issued an advisory on February 1:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128409.html

They fixed the issues by upgrading to 7.1.8 (which fixes CVE-2014-0037) and adding an additional patch (which fixes CVE-2014-0079):
http://pkgs.fedoraproject.org/cgit/zarafa.git/tree/zarafa-7.1.8-nullptr.patch?h=f20

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2014-02-19 09:52:47 CET
Would it work to backport zarafa-7.1.8-2.mga5.src.rpm to mga3 and mga4?
Comment 2 David Walser 2014-02-19 15:12:28 CET
I'd have no objection, and it would certainly seem the easiest thing to do, especially given CVE-2014-0037.  I'd like to hear from the maintainer on this, since this package actually has a maintainer who's good about staying on top of his packages, but I haven't seen Thomas in a while, which is unusual.  Maybe give him a few days to respond and go ahead with it if he doesn't?  I guess the biggest problem is that these are critical vulnerabilities so we shouldn't wait too long.  Personally I know nothing about this package, but if you do and you feel comfortable with updating it, I'd say go for it.
Comment 4 David Walser 2014-02-19 18:02:47 CET
That's cool.  Might as well backport it then.
Comment 5 David Walser 2014-02-20 03:42:18 CET
Thomas says he'll address this at the end of the week.  He's on vacation.
Comment 6 Thomas Spuhler 2014-02-24 05:15:33 CET
I have updated cauldron, maga3 and mga4.
Mage3 and mga4 zarafa have versin 7.1.8 in updates testing (svn 44004)
zarafa's website states for svn44004:
ZCP 7.1.8 final-R1 [44004]
===============================
This release is an emergency release. The main focus of this release is the menory leak in the Zarafa-search service. This issue has been address by this release. Alongside we also included two other fixes.

=== Backend ===
ZCP-12062	Search memory leak introduced in 7.1.8
ZCP-12019	Dagent creates much more fallback deliveries than in 7.1.7

=== Archiver ===
ARCH-333	Za-aclsync and za-aclset utilities are broken and give tracebacks.

This version fixes all issues in the description. I haven't done any testing. I never used this program. I think I originally imported it because it was a (build) "Requires" for a package which I used. We may need to rebuild that package as well. Is there wa way to find a package that has a Buildrequires for one of the provided zarafa packages of the list below:

zarafa-webaccess-7.1.8-1.mga5.noarch.rpm
lib64zarafa0-7.1.8-1.mga5.x86_64.rpm
lib64zarafa-devel-7.1.8-1.mga5.x86_64.rpm
php-mapi-7.1.8-1.mga5.x86_64.rpm
python-MAPI-7.1.8-1.mga5.x86_64.rpm
zarafa-7.1.8-1.mga5.x86_64.rpm
zarafa-archiver-7.1.8-1.mga5.x86_64.rpm
zarafa-caldav-7.1.8-1.mga5.x86_64.rpm
zarafa-client-7.1.8-1.mga5.x86_64.rpm
zarafa-common-7.1.8-1.mga5.x86_64.rpm
zarafa-dagent-7.1.8-1.mga5.x86_64.rpm
zarafa-debuginfo-7.1.8-1.mga5.x86_64.rpm
zarafa-gateway-7.1.8-1.mga5.x86_64.rpm
zarafa-ical-7.1.8-1.mga5.x86_64.rpm
zarafa-indexer-7.1.8-1.mga5.x86_64.rpm
zarafa-monitor-7.1.8-1.mga5.x86_64.rpm
zarafa-server-7.1.8-1.mga5.x86_64.rpm
zarafa-spooler-7.1.8-1.mga5.x86_64.rpm
zarafa-utils-7.1.8-1.mga5.x86_64.rpm
Comment 7 David Walser 2014-02-24 14:00:33 CET
Only php-mapi and python-MAPI have the library as a runtime dependency, so it's probably just those.  Since the major number of the library hasn't changed, they *shouldn't* need to be rebuilt.
Comment 8 David Walser 2014-02-24 14:07:04 CET
Advisory:
========================

Updated zarafa packages fix security vulnerabilities:

Robert Scheck discovered multiple vulnerabilities in Zarafa that could
allow a remote unauthenticated attacker to crash the zarafa-server
daemon, preventing access to any other legitimate Zarafa users
(CVE-2014-0037, CVE-2014-0079).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0079
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128409.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:044/
========================

Updated packages in core/updates_testing:
========================
zarafa-webaccess-7.1.8-1.mga3
libzarafa0-7.1.8-1.mga3
libzarafa-devel-7.1.8-1.mga3
php-mapi-7.1.8-1.mga3
python-MAPI-7.1.8-1.mga3
zarafa-7.1.8-1.mga3
zarafa-archiver-7.1.8-1.mga3
zarafa-caldav-7.1.8-1.mga3
zarafa-client-7.1.8-1.mga3
zarafa-common-7.1.8-1.mga3
zarafa-dagent-7.1.8-1.mga3
zarafa-debuginfo-7.1.8-1.mga3
zarafa-gateway-7.1.8-1.mga3
zarafa-ical-7.1.8-1.mga3
zarafa-indexer-7.1.8-1.mga3
zarafa-monitor-7.1.8-1.mga3
zarafa-server-7.1.8-1.mga3
zarafa-spooler-7.1.8-1.mga3
zarafa-utils-7.1.8-1.mga3
zarafa-webaccess-7.1.8-1.mga4
libzarafa0-7.1.8-1.mga4
libzarafa-devel-7.1.8-1.mga4
php-mapi-7.1.8-1.mga4
python-MAPI-7.1.8-1.mga4
zarafa-7.1.8-1.mga4
zarafa-archiver-7.1.8-1.mga4
zarafa-caldav-7.1.8-1.mga4
zarafa-client-7.1.8-1.mga4
zarafa-common-7.1.8-1.mga4
zarafa-dagent-7.1.8-1.mga4
zarafa-debuginfo-7.1.8-1.mga4
zarafa-gateway-7.1.8-1.mga4
zarafa-ical-7.1.8-1.mga4
zarafa-indexer-7.1.8-1.mga4
zarafa-monitor-7.1.8-1.mga4
zarafa-server-7.1.8-1.mga4
zarafa-spooler-7.1.8-1.mga4
zarafa-utils-7.1.8-1.mga4

from SRPMS:
zarafa-7.1.8-1.mga3.src.rpm
zarafa-7.1.8-1.mga4.src.rpm
Comment 9 David Walser 2014-02-24 14:09:49 CET
Oh, the mapi packages are from this SRPM.  The Sophie bot says nothing BuildRequires libzarafa-devel.
Comment 10 claire robinson 2014-02-25 08:14:12 CET
Testing mga3 64

First time we've tested this one, there are some packaging issues.

Before
======
installing php-mapi-7.1.2-3.mga3.x86_64.rpm zarafa-7.1.2-3.mga3.x86_64.rpm zarafa-monitor-7.1.2-3.mga3.x86_64.rpm zarafa-common-7.1.2-3.mga3.x86_64.rpm lib64zarafa-devel-7.1.2-3.mga3.x86_64.rpm zarafa-indexer-7.1.2-3.mga3.x86_64.rpm zarafa-client-7.1.2-3.mga3.x86_64.rpm zarafa-utils-7.1.2-3.mga3.x86_64.rpm zarafa-server-7.1.2-3.mga3.x86_64.rpm lib64boost-devel-1.53.0-1.mga3.x86_64.rpm lib64zarafa0-7.1.2-3.mga3.x86_64.rpm lib64boost_context1.53.0-1.53.0-1.mga3.x86_64.rpm zarafa-ical-7.1.2-3.mga3.x86_64.rpm zarafa-dagent-7.1.2-3.mga3.x86_64.rpm zarafa-webaccess-7.1.2-3.mga3.noarch.rpm zarafa-spooler-7.1.2-3.mga3.x86_64.rpm php-iconv-5.4.23-1.mga3.x86_64.rpm zarafa-gateway-7.1.2-3.mga3.x86_64.rpm from /var/cache/urpmi/rpms

Preparing...                     ##########################
useradd: group zarafa exists - if you want to add this user to that group, use -g.
    41/61: zarafa-common         #########################warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
#
    42/61: zarafa-server         warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
#warning: user zarafa does not exist - using root
#########################
zarafa-server.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-server on
    43/61: php-iconv             ##########################
    44/61: lib64boost_context1.53.0
                                 ##########################
    45/61: lib64boost-devel      ##########################
    46/61: zarafa-monitor        warning: user zarafa does not exist - using root
##########################
zarafa-monitor.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-monitor on
    47/61: zarafa-client         ##########################
    48/61: zarafa-utils          ##########################
    49/61: zarafa-ical           warning: user zarafa does not exist - using root
##########################
zarafa-ical.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-ical on
    50/61: zarafa-dagent         warning: user zarafa does not exist - using root
##########################
zarafa-dagent.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-dagent on
    51/61: zarafa-spooler        warning: user zarafa does not exist - using root
##########################
zarafa-spooler.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-spooler on
    52/61: zarafa-gateway        warning: user zarafa does not exist - using root
##########################
zarafa-gateway.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig zarafa-gateway on
    53/61: lib64zarafa0          ##########################
    54/61: php-mapi              ##########################
    55/61: zarafa-webaccess      ##########################
    56/61: zarafa                ##########################
    57/61: lib64zarafa-devel     ##########################
    58/61: zarafa-indexer        warning: user zarafa does not exist - using root
##########################
                                     
installing zarafa-caldav-7.1.2-3.mga3.x86_64.rpm zarafa-archiver-7.1.2-3.mga3.x86_64.rpm python-MAPI-7.1.2-3.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
    59/61: python-MAPI           ##########################
    60/61: zarafa-archiver       warning: user zarafa does not exist - using root
##########################
    61/61: zarafa-caldav         ##########################

# grep zarafa /etc/passwd /etc/group
/etc/group:zarafa:x:404:




After
=====
# urpmi zarafa zarafa-archiver zarafa-caldav zarafa-client zarafa-common zarafa-dagent zarafa-gateway zarafa-ical zarafa-indexer zarafa-monitor zarafa-server zarafa-spooler zarafa-utils zarafa-webaccess lib64zarafa0 php-mapi python-MAPI
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  lib64zarafa-devel              7.1.8        1.mga3        x86_64  
  lib64zarafa0                   7.1.8        1.mga3        x86_64  
  php-mapi                       7.1.8        1.mga3        x86_64  
  python-MAPI                    7.1.8        1.mga3        x86_64  
  zarafa                         7.1.8        1.mga3        x86_64  
  zarafa-archiver                7.1.8        1.mga3        x86_64  
  zarafa-caldav                  7.1.8        1.mga3        x86_64  
  zarafa-client                  7.1.8        1.mga3        x86_64  
  zarafa-common                  7.1.8        1.mga3        x86_64  
  zarafa-dagent                  7.1.8        1.mga3        x86_64  
  zarafa-gateway                 7.1.8        1.mga3        x86_64  
  zarafa-ical                    7.1.8        1.mga3        x86_64  
  zarafa-indexer                 7.1.8        1.mga3        x86_64  
  zarafa-monitor                 7.1.8        1.mga3        x86_64  
  zarafa-server                  7.1.8        1.mga3        x86_64  
  zarafa-spooler                 7.1.8        1.mga3        x86_64  
  zarafa-utils                   7.1.8        1.mga3        x86_64  
  zarafa-webaccess               7.1.8        1.mga3        noarch  
2.3MB of additional disk space will be used.
9.4MB of packages will be retrieved.
Proceed with the installation of the 18 packages? (Y/n) y

installing zarafa-utils-7.1.8-1.mga3.x86_64.rpm zarafa-ical-7.1.8-1.mga3.x86_64.rpm zarafa-7.1.8-1.mga3.x86_64.rpm zarafa-dagent-7.1.8-1.mga3.x86_64.rpm lib64zarafa0-7.1.8-1.mga3.x86_64.rpm lib64zarafa-devel-7.1.8-1.mga3.x86_64.rpm zarafa-common-7.1.8-1.mga3.x86_64.rpm zarafa-server-7.1.8-1.mga3.x86_64.rpm php-mapi-7.1.8-1.mga3.x86_64.rpm zarafa-spooler-7.1.8-1.mga3.x86_64.rpm zarafa-webaccess-7.1.8-1.mga3.noarch.rpm zarafa-monitor-7.1.8-1.mga3.x86_64.rpm zarafa-gateway-7.1.8-1.mga3.x86_64.rpm zarafa-client-7.1.8-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
useradd: group zarafa exists - if you want to add this user to that group, use -g.
     1/18: zarafa-common         ##################warning: user zarafa does not exist - using root
#######warning: user zarafa does not exist - using root
#
     2/18: zarafa-server         warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
#warning: user zarafa does not exist - using root
#########################
     3/18: zarafa-webaccess      ##########################
     4/18: php-mapi              ##########################
     5/18: zarafa-ical           warning: user zarafa does not exist - using root
##########################
     6/18: zarafa-dagent         warning: user zarafa does not exist - using root
##########################
     7/18: zarafa-spooler        warning: user zarafa does not exist - using root
##########################
     8/18: zarafa-monitor        warning: user zarafa does not exist - using root
##########################
     9/18: zarafa-gateway        warning: user zarafa does not exist - using root
##########################
    10/18: zarafa-client         ##########################
    11/18: lib64zarafa0          ##########################
    12/18: zarafa-utils          ##########################
    13/18: zarafa                ##########################
    14/18: lib64zarafa-devel     ##########################
     1/14: removing zarafa-ical-7.1.2-3.mga3.x86_64
                                 ##########################
     2/14: removing zarafa-dagent-7.1.2-3.mga3.x86_64
                                 ##########################
     3/14: removing zarafa-gateway-7.1.2-3.mga3.x86_64
                                 ##########################
     4/14: removing zarafa-monitor-7.1.2-3.mga3.x86_64
                                 ##########################
     5/14: removing zarafa-client-7.1.2-3.mga3.x86_64
                                 ##########################
     6/14: removing zarafa-spooler-7.1.2-3.mga3.x86_64
                                 ##########################
     7/14: removing php-mapi-7.1.2-3.mga3.x86_64
                                 ##########################
     8/14: removing zarafa-webaccess-7.1.2-3.mga3.noarch
                                 ##########################
     9/14: removing zarafa-7.1.2-3.mga3.x86_64
                                 ##########################
    10/14: removing zarafa-utils-7.1.2-3.mga3.x86_64
                                 ##########################
    11/14: removing lib64zarafa0-7.1.2-3.mga3.x86_64
                                 ##########################
    12/14: removing lib64zarafa-devel-7.1.2-3.mga3.x86_64
                                 ##########################
    13/14: removing zarafa-server-7.1.2-3.mga3.x86_64
                                 ##########################
    14/14: removing zarafa-common-7.1.2-3.mga3.x86_64
                                 ##########################
                        
installing zarafa-caldav-7.1.8-1.mga3.x86_64.rpm python-MAPI-7.1.8-1.mga3.x86_64.rpm zarafa-indexer-7.1.8-1.mga3.x86_64.rpm zarafa-archiver-7.1.8-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################
    15/18: zarafa-archiver       warning: user zarafa does not exist - using root
##########################
    16/18: zarafa-indexer        warning: user zarafa does not exist - using root
##########################
    17/18: python-MAPI           ##########################
    18/18: zarafa-caldav         ##########################
      1/4: removing zarafa-archiver-7.1.2-3.mga3.x86_64
                                 ##########################
      2/4: removing zarafa-indexer-7.1.2-3.mga3.x86_64
                                 ##########################
      3/4: removing python-MAPI-7.1.2-3.mga3.x86_64
                                 ##########################
      4/4: removing zarafa-caldav-7.1.2-3.mga3.x86_64
                                 ##########################


# grep zarafa /etc/passwd /etc/group
/etc/group:zarafa:x:404:
Comment 11 David Walser 2014-02-25 12:37:39 CET
This is strange.  Taking a quick look at the Cauldron spec, the common package has the appropriate useradd macro in %pre, and the other packages Require the common package, so the zarafa user should exist.  It would be nice to see it using the appropriate service macros instead of calling service and chkconfig directly, but that's a different issue.
Comment 12 Thomas Backlund 2014-02-25 15:05:29 CET
the other packages would need to have Requires(pre) on the common package so it's ensured to be installed before all other packages, otherwise it will just depend on pure luck how the transaction ordering goes
Comment 13 David Walser 2014-02-25 16:33:53 CET
(In reply to Thomas Backlund from comment #12)
> the other packages would need to have Requires(pre) on the common package so
> it's ensured to be installed before all other packages, otherwise it will
> just depend on pure luck how the transaction ordering goes

Unless there's a dependency loop, if it's required, it should be installed first.  Requires(pre) is for things that are needed specifically by %pre scriplets.
Comment 14 David Walser 2014-02-25 16:54:23 CET
And indeed zarafa-common is installed first, but even it's complaining about user zarafa not existing, and it's the one creating it.

I think this is what's happening.  %pre common has:
%_pre_groupadd %{name}
%_pre_useradd %{name} %{_localstatedir}/lib/%{name} /sbin/nologin

As you can see in Claire's output, it complains that *group* zarafa already exists.  I think at that point, it's failing the %pre scriplet and not even running the useradd command.  Furthermore, useradd -U (which pre_useradd uses) creates a group by the same name as the user it's creating, so the pre_groupadd call *should not be needed.*  I think the solution is to remove it.
Comment 15 Thomas Spuhler 2014-02-25 19:57:16 CET
I am glad to remove it if this is what is needed. Strangely, it has been there since importing the package from Mandriva and maybe long before.
Is anybody actually using it or should we drop it in mga5?
Comment 16 Thomas Spuhler 2014-02-25 21:15:40 CET
(In reply to David Walser from comment #14)
> And indeed zarafa-common is installed first, but even it's complaining about
> user zarafa not existing, and it's the one creating it.
> 
> I think this is what's happening.  %pre common has:
> %_pre_groupadd %{name}
> %_pre_useradd %{name} %{_localstatedir}/lib/%{name} /sbin/nologin
> 
> As you can see in Claire's output, it complains that *group* zarafa already
> exists.  I think at that point, it's failing the %pre scriplet and not even
> running the useradd command.  Furthermore, useradd -U (which pre_useradd
> uses) creates a group by the same name as the user it's creating, so the
> pre_groupadd call *should not be needed.*  I think the solution is to remove
> it.

I made this change in Cauldron and will test it as soon as it appears on the mirrors. Fedora has a different approach that may work better. I will test that locally, but it will take about 3 hours to build on my vbox.
Comment 17 David Walser 2014-02-25 21:30:00 CET
Thomas, this commit is wrong:
http://svnweb.mageia.org/packages/cauldron/zarafa/current/SPECS/zarafa.spec?r1=597152&r2=597158

You lost the "%pre common" so now the code is being run in the build system in %install.

Also, you should just leave the Mageia %_pre_useradd macro rather than doing it Fedora's way.
Comment 18 David Walser 2014-02-25 21:30:51 CET
(In reply to Thomas Spuhler from comment #15)
> I am glad to remove it if this is what is needed. Strangely, it has been
> there since importing the package from Mandriva and maybe long before.
> Is anybody actually using it or should we drop it in mga5?

Send a message to the dev mailing list.  If nobody is interested in it and you don't want to maintain it anymore, we can drop it.
Comment 19 David Walser 2014-02-26 00:49:50 CET
Thomas has fixed this for Mageia 3 and Mageia 4.  I assume he'll fix Cauldron shortly.

Updated SRPMS:
zarafa-7.1.8-1.1.mga3.src.rpm
zarafa-7.1.8-1.1.mga4.src.rpm
Comment 20 Thomas Spuhler 2014-02-26 01:04:11 CET
(In reply to David Walser from comment #14)
> And indeed zarafa-common is installed first, but even it's complaining about
> user zarafa not existing, and it's the one creating it.
> 
> I think this is what's happening.  %pre common has:
> %_pre_groupadd %{name}
> %_pre_useradd %{name} %{_localstatedir}/lib/%{name} /sbin/nologin
> 
> As you can see in Claire's output, it complains that *group* zarafa already
> exists.  I think at that point, it's failing the %pre scriplet and not even
> running the useradd command.  Furthermore, useradd -U (which pre_useradd
> uses) creates a group by the same name as the user it's creating, so the
> pre_groupadd call *should not be needed.*  I think the solution is to remove
> it.

I removed %_pre_groupadd %{name} and the pacakge is now in upgrade testing with subrel 1
Comment 21 Thomas Spuhler 2014-02-26 01:05:22 CET
(In reply to David Walser from comment #17)
> Thomas, this commit is wrong:
> http://svnweb.mageia.org/packages/cauldron/zarafa/current/SPECS/zarafa.
> spec?r1=597152&r2=597158
> 
> You lost the "%pre common" so now the code is being run in the build system
> in %install.
> 
> Also, you should just leave the Mageia %_pre_useradd macro rather than doing
> it Fedora's way.

Agree but %_pre_groupadd macro should be fixed.
Comment 22 David Walser 2014-02-26 01:08:07 CET
(In reply to Thomas Spuhler from comment #21)
> Agree but %_pre_groupadd macro should be fixed.

Fixed how?  I believe it does what it's intended to do, it just isn't meant to be used for the type of case it was being used in this package.  Maybe it shouldn't barf if the group already exists though.
Comment 23 Thomas Backlund 2014-02-26 09:49:24 CET
(In reply to David Walser from comment #13)
> (In reply to Thomas Backlund from comment #12)
> > the other packages would need to have Requires(pre) on the common package so
> > it's ensured to be installed before all other packages, otherwise it will
> > just depend on pure luck how the transaction ordering goes
> 
> Unless there's a dependency loop, if it's required, it should be installed
> first. 

Nope. "Requires" only guarantees same transaction, not ordering


> Requires(pre) is for things that are needed specifically by %pre
> scriplets.

Normally yes, 
but we also use it to notify urpmi of wanted transaction order.
Comment 24 David Walser 2014-02-26 12:49:45 CET
(In reply to Thomas Backlund from comment #23)
> (In reply to David Walser from comment #13)
> > (In reply to Thomas Backlund from comment #12)
> > > the other packages would need to have Requires(pre) on the common package so
> > > it's ensured to be installed before all other packages, otherwise it will
> > > just depend on pure luck how the transaction ordering goes
> > 
> > Unless there's a dependency loop, if it's required, it should be installed
> > first. 
> 
> Nope. "Requires" only guarantees same transaction, not ordering

So I guess jbj, the author of RPM doesn't know what he's talking about then.

> > Requires(pre) is for things that are needed specifically by %pre
> > scriplets.
> 
> Normally yes, 
> but we also use it to notify urpmi of wanted transaction order.

Which is wrong.
Comment 25 Dave Hodgins 2014-02-27 23:15:00 CET
Advisory added to svn. Testing shortly.
Comment 26 claire robinson 2014-02-28 11:06:13 CET
Not tested mga4 yet but mga3 has the same user/group issues as mga4 did..

installing zarafa-spooler-7.1.8-1.1.mga3.i586.rpm zarafa-monitor-7.1.8-1.1.mga3.i586.rpm zarafa-7.1.8-1.1.mga3.i586.rpm zarafa-ical-7.1.8-1.1.mga3.i586.rpm libzarafa-devel-7.1.8-1.1.mga3.i586.rpm zarafa-common-7.1.8-1.1.mga3.i586.rpm zarafa-utils-7.1.8-1.1.mga3.i586.rpm zarafa-webaccess-7.1.8-1.1.mga3.noarch.rpm php-mapi-7.1.8-1.1.mga3.i586.rpm zarafa-gateway-7.1.8-1.1.mga3.i586.rpm zarafa-server-7.1.8-1.1.mga3.i586.rpm zarafa-client-7.1.8-1.1.mga3.i586.rpm zarafa-dagent-7.1.8-1.1.mga3.i586.rpm from /var/cache/urpmi/rpms

Preparing...                     ##########
useradd: group zarafa exists - if you want to add this user to that group, use -g.
     1/13: zarafa-common         #######warning: user zarafa does not exist - using root
##warning: user zarafa does not exist - using root
#
     2/13: zarafa-client         ##########
     3/13: zarafa-spooler        warning: user zarafa does not exist - using root
##########
     4/13: zarafa-monitor        #warning: user zarafa does not exist - using root
#########
     5/13: zarafa-ical           warning: user zarafa does not exist - using root
##########
     6/13: zarafa-utils          ##########
     7/13: zarafa-gateway        warning: user zarafa does not exist - using root
#########
     8/13: zarafa-dagent         warning: user zarafa does not exist - using root
##########
     9/13: zarafa-server         warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
##########
    10/13: php-mapi              ##########
    11/13: zarafa-webaccess      ##########
    12/13: zarafa                ##########
    13/13: libzarafa-devel       ##########
Comment 27 claire robinson 2014-02-28 11:13:14 CET
Still similar issues installing the update mga4 too

installing zarafa-utils-7.1.8-1.1.mga4.x86_64.rpm lib64zarafa-devel-7.1.8-1.1.mga4.x86_64.rpm zarafa-7.1.8-1.1.mga4.x86_64.rpm zarafa-server-7.1.8-1.1.mga4.x86_64.rpm zarafa-spooler-7.1.8-1.1.mga4.x86_64.rpm zarafa-ical-7.1.8-1.1.mga4.x86_64.rpm zarafa-monitor-7.1.8-1.1.mga4.x86_64.rpm zarafa-client-7.1.8-1.1.mga4.x86_64.rpm php-mapi-7.1.8-1.1.mga4.x86_64.rpm zarafa-dagent-7.1.8-1.1.mga4.x86_64.rpm zarafa-common-7.1.8-1.1.mga4.x86_64.rpm zarafa-webaccess-7.1.8-1.1.mga4.noarch.rpm zarafa-gateway-7.1.8-1.1.mga4.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########
useradd: group zarafa exists - if you want to add this user to that group, use -g.
     1/13: zarafa-common         #########################################################################################warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
#
     2/13: zarafa-client         ##########################################################################################
     3/13: zarafa-utils          ##########################################################################################
     4/13: zarafa-spooler        warning: user zarafa does not exist - using root
##########################################################################################
     5/13: zarafa-ical           warning: user zarafa does not exist - using root
##########################################################################################
     6/13: zarafa-monitor        warning: user zarafa does not exist - using root
##########################################################################################
     7/13: zarafa-dagent         warning: user zarafa does not exist - using root
##########################################################################################
     8/13: zarafa-gateway        warning: user zarafa does not exist - using root
##########################################################################################
     9/13: zarafa-server         warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
warning: user zarafa does not exist - using root
##########
    10/13: php-mapi              ##########
    11/13: zarafa-webaccess      ##########
    12/13: zarafa                ##########
    13/13: lib64zarafa-devel     ##########
Comment 28 David Walser 2014-02-28 12:20:31 CET
Claire, can you try uninstalling the zarafa packages and removing the zarafa user and group accounts from your system, and starting over fresh?
Comment 29 claire robinson 2014-02-28 12:21:51 CET
The mga3 32 was fresh, but I first installed the release package then updated to the testing version.
Comment 30 David Walser 2014-02-28 12:24:41 CET
(In reply to claire robinson from comment #29)
> The mga3 32 was fresh, but I first installed the release package then
> updated to the testing version.

Yes, please don't install the /release version.
Comment 31 claire robinson 2014-02-28 12:44:43 CET
# urpme -a zarafa
unknown package: zarafa

# grep zarafa /etc/{passwd,group}
/etc/group:zarafa:x:409:

# groupdel zarafa
# grep zarafa /etc/{passwd,group}
# ecupdt
Enabling Core Updates Testing
# cupdt
Updating Core Updates Testing

medium "Core Updates Testing" is up-to-date

# urpmi -ya zarafa
In order to satisfy the 'devel(libuuid)' dependency, one of the following packages is needed:
 1- libuuid-devel-2.22.2-5.mga3.i586: Universally unique ID library (to install)
 2- libossp_uuid-devel-1.6.2-7.mga3.i586: Header files for the ossp-uuid library (to install)
What is your choice? (1-2) 1
To satisfy dependencies, the following packages are going to be installed:

...etc
 
Installs without error.
Comment 32 David Walser 2014-02-28 12:49:39 CET
Thanks.  We can't go back in time and fix the release version, but at least we know the updated one is fixed and installs correctly.
Comment 33 claire robinson 2014-02-28 12:50:41 CET
It just needs to check for the existence of the zarafa group before creating zarafa user.
Comment 34 David Walser 2014-02-28 13:15:03 CET
(In reply to claire robinson from comment #33)
> It just needs to check for the existence of the zarafa group before creating
> zarafa user.

That's not a zarafa issue, apparently that's how our standard macros work.
Comment 35 Dave Hodgins 2014-02-28 20:46:44 CET
Testing complete on Mageia 3 i586. Confirmed that a clean install now does
create the user properly.

After editing /etc/zarafa/server.cfg to add the mysql root password, the
server starts ok, and I can add a user.

# zarafa-admin -c dave -P -f 'David W. Hodgins' -e 'dave@i3v.hodgins.homeip.net'
Type password:
Re-Type password:
User created.
Comment 36 Thomas Backlund 2014-03-02 00:00:35 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0112.html

Note You need to log in before you can comment on or make changes to this bug.