12820 – egroupware new security issue CVE-2014-2027

Bug 12820 - egroupware new security issue CVE-2014-2027

Summary: egroupware new security issue CVE-2014-2027

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/589243/
Whiteboard:	MGA3TOO has_procedure mga4-64-ok mga4...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-02-19 17:07 CET by David Walser
Modified:	2014-03-04 18:40 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	egroupware-1.8.004.20120410-3.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-02-19 17:07:19 CET

A CVE was assigned for a security issue fixed upstream in 1.8.006.20140217:
http://openwall.com/lists/oss-security/2014/02/19/4

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-02-19 17:07:28 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-24 17:23:48 CET

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and
possible remote code execution due to user input being passed to PHP's
unserialize() method (CVE-2014-2027).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://www.egroupware.org/changelog
http://openwall.com/lists/oss-security/2014/02/19/4
========================

Updated packages in core/updates_testing:
========================
egroupware-1.8.006.20140217-1.mga3
egroupware-bookmarks-1.8.006.20140217-1.mga3
egroupware-calendar-1.8.006.20140217-1.mga3
egroupware-developer_tools-1.8.006.20140217-1.mga3
egroupware-egw-pear-1.8.006.20140217-1.mga3
egroupware-emailadmin-1.8.006.20140217-1.mga3
egroupware-felamimail-1.8.006.20140217-1.mga3
egroupware-filemanager-1.8.006.20140217-1.mga3
egroupware-gallery-1.8.006.20140217-1.mga3
egroupware-importexport-1.8.006.20140217-1.mga3
egroupware-infolog-1.8.006.20140217-1.mga3
egroupware-manual-1.8.006.20140217-1.mga3
egroupware-news_admin-1.8.006.20140217-1.mga3
egroupware-notifications-1.8.006.20140217-1.mga3
egroupware-phpbrain-1.8.006.20140217-1.mga3
egroupware-phpsysinfo-1.8.006.20140217-1.mga3
egroupware-polls-1.8.006.20140217-1.mga3
egroupware-projectmanager-1.8.006.20140217-1.mga3
egroupware-registration-1.8.006.20140217-1.mga3
egroupware-sambaadmin-1.8.006.20140217-1.mga3
egroupware-sitemgr-1.8.006.20140217-1.mga3
egroupware-syncml-1.8.006.20140217-1.mga3
egroupware-timesheet-1.8.006.20140217-1.mga3
egroupware-tracker-1.8.006.20140217-1.mga3
egroupware-wiki-1.8.006.20140217-1.mga3
egroupware-1.8.006.20140217-1.mga4
egroupware-bookmarks-1.8.006.20140217-1.mga4
egroupware-calendar-1.8.006.20140217-1.mga4
egroupware-developer_tools-1.8.006.20140217-1.mga4
egroupware-egw-pear-1.8.006.20140217-1.mga4
egroupware-emailadmin-1.8.006.20140217-1.mga4
egroupware-felamimail-1.8.006.20140217-1.mga4
egroupware-filemanager-1.8.006.20140217-1.mga4
egroupware-gallery-1.8.006.20140217-1.mga4
egroupware-importexport-1.8.006.20140217-1.mga4
egroupware-infolog-1.8.006.20140217-1.mga4
egroupware-manual-1.8.006.20140217-1.mga4
egroupware-news_admin-1.8.006.20140217-1.mga4
egroupware-notifications-1.8.006.20140217-1.mga4
egroupware-phpbrain-1.8.006.20140217-1.mga4
egroupware-phpsysinfo-1.8.006.20140217-1.mga4
egroupware-polls-1.8.006.20140217-1.mga4
egroupware-projectmanager-1.8.006.20140217-1.mga4
egroupware-registration-1.8.006.20140217-1.mga4
egroupware-sambaadmin-1.8.006.20140217-1.mga4
egroupware-sitemgr-1.8.006.20140217-1.mga4
egroupware-syncml-1.8.006.20140217-1.mga4
egroupware-timesheet-1.8.006.20140217-1.mga4
egroupware-tracker-1.8.006.20140217-1.mga4
egroupware-wiki-1.8.006.20140217-1.mga4

from SRPMS:
egroupware-1.8.006.20140217-1.mga3.src.rpm
egroupware-1.8.006.20140217-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Anne Nicolas 2014-02-25 16:32:01 CET

Installed all packages on Mageia 4 64. run web post-install using http://localhost/egroupware.

Install finalized without any problem.

CC: (none) => ennael1
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 3 Anne Nicolas 2014-02-25 16:37:49 CET

Tested on Mageia 4 32. All is ok.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok

Comment 4 claire robinson 2014-02-28 11:59:26 CET

Testing mga3 32

Installed packages and browsed to http://localhost/egroupware to complete the installation. It is a confusing installation and tl;dr broken.

If doing the 'Installation tests' you get the message..

Checking php.ini: date.timezone set and not "System/Localtime": ini_get('date.timezone')=''
No VALID timezone set! ("System/Localtime" is NOT sufficient, you have to use a timezone identifer like "Europe/Berlin", see full list of valid identifers)

You need to set date.timezone in /etc/php.ini and restart httpd service. It is commented out by default so set for example..

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Europe/London

Then..

# service httpd restart


There are various warnings then and one error at the bottom..

 Checking for JPGraph in /var/www/jpgraph: False
You dont have JPGraph version 1.13 or higher installed! It is needed from ProjectManager for Ganttcharts.
Please download a recent version from jpgraph.net/download/ and install it as /var/www/jpgraph.

It is able to continue the installation without it though and write a config file.

It's not able to create a database though after logging in as 'Setup/Config Admin Login'. It asks for DB root login to be able to create the egroupware DB but fails with..

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->query / egw_db->create_database

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->query / egw_db->create_database

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->create_database and can't be loaded, exiting !!!

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO has_procedure feedback mga4-64-ok mga4-32-ok

Comment 5 David Walser 2014-02-28 12:23:10 CET

Does it work if you install php-mysql?  I don't know if it maybe supports other database types and just uses mysql by default, so it may not be appropriate to have it actually require it, you might just have to know you're using that database type and install it.

Comment 6 claire robinson 2014-02-28 12:36:37 CET

Right, yeah. It was pulling in php-pdo_mysql but with php-mysql installed it shows one less warning on the installation check.

Note: on the DB configuration page, don't click "Add new database" just click "Write" to write the config file, then continue and log in as "Setup/Config Admin Login".

It then goes through several steps making you click buttons but does install the database and then tries the applications too but fails again..


CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )

The used table type doesn't support FULLTEXT indexes
An error happened

calendar_timezones::import_sqlite('calendar/setup/timezones.sqlite') required SQLite support (PHP extension pdo_sqlite) missing!


Tried installing php-sqlite3 which made no difference but php-pdo_sqlite did allow it to install them.

It then fails with..

CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )

Comment 7 claire robinson 2014-02-28 12:47:39 CET

I missed part of the error message..

CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )

The used table type doesn't support FULLTEXT indexes

Comment 8 Dave Hodgins 2014-03-03 08:27:26 CET

Testing complete on Mageia 3 i586.

Installed Mariadb, and phpmyadmin. Set password for mysql root, and timezone
in /etc/php.ini (America/Toronto, in my case).

Installed egroupware, restarted httpd, was then able to use http://localhost/egroupware to create the database, and an admin user, install the language,
and selected install all apps. Logged out, logged in as the admin user,
and am presented with the calender app, to start with. Added an event.

Testing x86_64 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure feedback mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK

Comment 9 Dave Hodgins 2014-03-03 09:48:14 CET

Testing complete on Mageia 3 x86_64.

Advisory added to svn. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-03-03 21:44:52 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0116.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-04 18:40:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/589243/

Note You need to log in before you can comment on or make changes to this bug.