Bug 12820 - egroupware new security issue CVE-2014-2027
: egroupware new security issue CVE-2014-2027
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/589243/
: MGA3TOO has_procedure mga4-64-ok mga4...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-19 17:07 CET by David Walser
Modified: 2014-03-04 18:40 CET (History)
4 users (show)

See Also:
Source RPM: egroupware-1.8.004.20120410-3.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-02-19 17:07:19 CET
A CVE was assigned for a security issue fixed upstream in 1.8.006.20140217:
http://openwall.com/lists/oss-security/2014/02/19/4

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-02-24 17:23:48 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and
possible remote code execution due to user input being passed to PHP's
unserialize() method (CVE-2014-2027).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://www.egroupware.org/changelog
http://openwall.com/lists/oss-security/2014/02/19/4
========================

Updated packages in core/updates_testing:
========================
egroupware-1.8.006.20140217-1.mga3
egroupware-bookmarks-1.8.006.20140217-1.mga3
egroupware-calendar-1.8.006.20140217-1.mga3
egroupware-developer_tools-1.8.006.20140217-1.mga3
egroupware-egw-pear-1.8.006.20140217-1.mga3
egroupware-emailadmin-1.8.006.20140217-1.mga3
egroupware-felamimail-1.8.006.20140217-1.mga3
egroupware-filemanager-1.8.006.20140217-1.mga3
egroupware-gallery-1.8.006.20140217-1.mga3
egroupware-importexport-1.8.006.20140217-1.mga3
egroupware-infolog-1.8.006.20140217-1.mga3
egroupware-manual-1.8.006.20140217-1.mga3
egroupware-news_admin-1.8.006.20140217-1.mga3
egroupware-notifications-1.8.006.20140217-1.mga3
egroupware-phpbrain-1.8.006.20140217-1.mga3
egroupware-phpsysinfo-1.8.006.20140217-1.mga3
egroupware-polls-1.8.006.20140217-1.mga3
egroupware-projectmanager-1.8.006.20140217-1.mga3
egroupware-registration-1.8.006.20140217-1.mga3
egroupware-sambaadmin-1.8.006.20140217-1.mga3
egroupware-sitemgr-1.8.006.20140217-1.mga3
egroupware-syncml-1.8.006.20140217-1.mga3
egroupware-timesheet-1.8.006.20140217-1.mga3
egroupware-tracker-1.8.006.20140217-1.mga3
egroupware-wiki-1.8.006.20140217-1.mga3
egroupware-1.8.006.20140217-1.mga4
egroupware-bookmarks-1.8.006.20140217-1.mga4
egroupware-calendar-1.8.006.20140217-1.mga4
egroupware-developer_tools-1.8.006.20140217-1.mga4
egroupware-egw-pear-1.8.006.20140217-1.mga4
egroupware-emailadmin-1.8.006.20140217-1.mga4
egroupware-felamimail-1.8.006.20140217-1.mga4
egroupware-filemanager-1.8.006.20140217-1.mga4
egroupware-gallery-1.8.006.20140217-1.mga4
egroupware-importexport-1.8.006.20140217-1.mga4
egroupware-infolog-1.8.006.20140217-1.mga4
egroupware-manual-1.8.006.20140217-1.mga4
egroupware-news_admin-1.8.006.20140217-1.mga4
egroupware-notifications-1.8.006.20140217-1.mga4
egroupware-phpbrain-1.8.006.20140217-1.mga4
egroupware-phpsysinfo-1.8.006.20140217-1.mga4
egroupware-polls-1.8.006.20140217-1.mga4
egroupware-projectmanager-1.8.006.20140217-1.mga4
egroupware-registration-1.8.006.20140217-1.mga4
egroupware-sambaadmin-1.8.006.20140217-1.mga4
egroupware-sitemgr-1.8.006.20140217-1.mga4
egroupware-syncml-1.8.006.20140217-1.mga4
egroupware-timesheet-1.8.006.20140217-1.mga4
egroupware-tracker-1.8.006.20140217-1.mga4
egroupware-wiki-1.8.006.20140217-1.mga4

from SRPMS:
egroupware-1.8.006.20140217-1.mga3.src.rpm
egroupware-1.8.006.20140217-1.mga4.src.rpm
Comment 2 Anne Nicolas 2014-02-25 16:32:01 CET
Installed all packages on Mageia 4 64. run web post-install using http://localhost/egroupware.

Install finalized without any problem.
Comment 3 Anne Nicolas 2014-02-25 16:37:49 CET
Tested on Mageia 4 32. All is ok.
Comment 4 claire robinson 2014-02-28 11:59:26 CET
Testing mga3 32

Installed packages and browsed to http://localhost/egroupware to complete the installation. It is a confusing installation and tl;dr broken.

If doing the 'Installation tests' you get the message..

Checking php.ini: date.timezone set and not "System/Localtime": ini_get('date.timezone')=''
No VALID timezone set! ("System/Localtime" is NOT sufficient, you have to use a timezone identifer like "Europe/Berlin", see full list of valid identifers)

You need to set date.timezone in /etc/php.ini and restart httpd service. It is commented out by default so set for example..

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Europe/London

Then..

# service httpd restart


There are various warnings then and one error at the bottom..

 Checking for JPGraph in /var/www/jpgraph: False
You dont have JPGraph version 1.13 or higher installed! It is needed from ProjectManager for Ganttcharts.
Please download a recent version from jpgraph.net/download/ and install it as /var/www/jpgraph.

It is able to continue the installation without it though and write a config file.

It's not able to create a database though after logging in as 'Setup/Config Admin Login'. It asks for DB root login to be able to create the egroupware DB but fails with..

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->query / egw_db->create_database

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->query / egw_db->create_database

Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))

Function: egw_db->create_database and can't be loaded, exiting !!!
Comment 5 David Walser 2014-02-28 12:23:10 CET
Does it work if you install php-mysql?  I don't know if it maybe supports other database types and just uses mysql by default, so it may not be appropriate to have it actually require it, you might just have to know you're using that database type and install it.
Comment 6 claire robinson 2014-02-28 12:36:37 CET
Right, yeah. It was pulling in php-pdo_mysql but with php-mysql installed it shows one less warning on the installation check.

Note: on the DB configuration page, don't click "Add new database" just click "Write" to write the config file, then continue and log in as "Setup/Config Admin Login".

It then goes through several steps making you click buttons but does install the database and then tries the applications too but fails again..


CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )

The used table type doesn't support FULLTEXT indexes
An error happened

calendar_timezones::import_sqlite('calendar/setup/timezones.sqlite') required SQLite support (PHP extension pdo_sqlite) missing!


Tried installing php-sqlite3 which made no difference but php-pdo_sqlite did allow it to install them.

It then fails with..

CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )
Comment 7 claire robinson 2014-02-28 12:47:39 CET
I missed part of the error message..

CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )

The used table type doesn't support FULLTEXT indexes
Comment 8 Dave Hodgins 2014-03-03 08:27:26 CET
Testing complete on Mageia 3 i586.

Installed Mariadb, and phpmyadmin. Set password for mysql root, and timezone
in /etc/php.ini (America/Toronto, in my case).

Installed egroupware, restarted httpd, was then able to use http://localhost/egroupware to create the database, and an admin user, install the language,
and selected install all apps. Logged out, logged in as the admin user,
and am presented with the calender app, to start with. Added an event.

Testing x86_64 shortly.
Comment 9 Dave Hodgins 2014-03-03 09:48:14 CET
Testing complete on Mageia 3 x86_64.

Advisory added to svn. Validating the update.
Comment 10 Thomas Backlund 2014-03-03 21:44:52 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0116.html

Note You need to log in before you can comment on or make changes to this bug.