Your message dated Sun, 16 Aug 2009 01:57:53 +0000
with message-id <[email protected]>
and subject line Bug#540464: fixed in zope2.9 2.9.6-4etch2
has caused the Debian Bug report #540464,
regarding CVE-2009-0668, CVE-2009-0669
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
540464: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: zope2.10
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.
1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of the
Zope server. (CVE-2009-0668)[0]
2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB). (CVE-2009-0669)[1]
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
http://security-tracker.debian.net/tracker/CVE-2009-0669
http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp9N8EACgkQNxpp46476arVPQCeOfUT1sVlZUSXMETleD8pD+6A
AA8AniYpFrHT9ERJ5UpgFXkcHkxgDIqF
=UJsU
-----END PGP SIGNATURE-----
=== StorageServer.py
==================================================================
--- StorageServer.py (revision 167632)
+++ StorageServer.py (local)
@@ -111,7 +111,7 @@
for func in self.extensions:
self._extensions[func.func_name] = None
- def finish_auth(self, authenticated):
+ def _finish_auth(self, authenticated):
if not self.auth_realm:
return 1
self.authenticated = authenticated
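Review bot: renaming finish_auth to _finish_auth only closes the remote call if the zrpc dispatcher refuses to invoke underscore-prefixed methods, and that rule is not part of this hunk; confirm the server-side dispatch actually filters names starting with `_` before relying on the rename, otherwise it is cosmetic. Note also that with no auth_realm configured the method returns 1 without setting self.authenticated; that is unchanged here, but a short comment explaining why an unauthenticated realm-less connection is treated as authenticated would help the next reader.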
@@ -421,6 +421,7 @@
def new_oids(self, n=100):
"""Return a sequence of n new oids, where n defaults to 100"""
+ n = min(n, 100)
if self.read_only:
raise ReadOnlyError()
if n <= 0:
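Review bot: the new `n = min(n, 100)` clamp is not reflected in the docstring, which still only says "n defaults to 100"; update it to state that a request for more than 100 oids is reduced to 100. Since n arrives off the wire, consider also rejecting a non-integer n explicitly (min() will happily accept a float or other comparable type) rather than letting it reach the `if n <= 0` check and the oid allocation below.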
=== auth/auth_digest.py
==================================================================
--- auth/auth_digest.py (revision 167632)
+++ auth/auth_digest.py (local)
@@ -121,7 +121,7 @@
check = hexdigest("%s:%s" % (h_up, challenge))
if check == response:
self.connection.setSessionKey(session_key(h_up, self._key_nonce))
- return self.finish_auth(check == response)
+ return self._finish_auth(check == response)
extensions = [auth_get_challenge, auth_response]
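Review bot: `if check == response:` compares hex digests with ordinary string equality, which leaks timing on the first mismatching character; the patch leaves that as is, and a constant-time comparison on the authentication path would be the safer choice. The renamed call itself is fine (the setSessionKey call sits inside the if branch, and _finish_auth is still called with the comparison result on failure), but every other caller of finish_auth in the tree must be updated in the same change or it will fail with AttributeError.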
=== tests/auth_plaintext.py
==================================================================
--- tests/auth_plaintext.py (revision 167632)
+++ tests/auth_plaintext.py (local)
@@ -41,7 +41,7 @@
self.connection.setSessionKey(session_key(username,
self.database.realm,
password))
- return self.finish_auth(dbpw == password_dig)
+ return self._finish_auth(dbpw == password_dig)
class PlaintextClient(Client):
extensions = ["auth"]
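Review bot: this updates the test helper's call site, but the rename is a visible API change: any other auth module that calls self.finish_auth will break with AttributeError after this patch, so the changelog should call the rename out. Since `extensions = ["auth"]` shows that the extensions list is what becomes remotely callable, also confirm that finish_auth never appears in any server-side extensions list, otherwise the underscore rename is not what removes it from the wire.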
=== zrpc/connection.py
==================================================================
--- zrpc/connection.py (revision 167632)
+++ zrpc/connection.py (local)
@@ -24,7 +24,7 @@
import ThreadedAsync
from ZEO.zrpc import smac
from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
from ZEO.zrpc.trigger import trigger
from ZEO.zrpc.log import short_repr, log
from ZODB.loglevels import BLATHER, TRACE
@@ -883,6 +883,7 @@
def __init__(self, sock, addr, obj, mgr):
self.mgr = mgr
self.__super_init(sock, addr, obj, 'S')
+ self.marshal = ServerMarshaller()
self.obj.notifyConnected(self)
def handshake(self):
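Review bot: only the connection tagged 'S' (the server side) gets ServerMarshaller; the client side keeps the unrestricted Marshaller, so a ZEO client that connects to a hostile or compromised storage server still unpickles whatever globals the server sends. That matches the advisory's server-side scope but should be stated in the changelog, and the same allowlisting could be applied on the client. Also, self.marshal is assigned after __super_init, overriding whatever marshaller the base class installed; a one-line comment saying the override is deliberate would prevent someone "fixing" the ordering later.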
=== zrpc/marshal.py
==================================================================
--- zrpc/marshal.py (revision 167632)
+++ zrpc/marshal.py (local)
@@ -52,6 +52,20 @@
level=logging.ERROR)
raise
+class ServerMarshaller(Marshaller):
+
+ def decode(self, msg):
+ """Decodes msg and returns its parts"""
+ unpickler = cPickle.Unpickler(StringIO(msg))
+ unpickler.find_global = server_find_global
+
+ try:
+ return unpickler.load() # msgid, flags, name, args
+ except:
+ log("can't decode message: %s" % short_repr(msg),
+ level=logging.ERROR)
+ raise
+
_globals = globals()
_silly = ('__doc__',)
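Review bot: ServerMarshaller.decode duplicates the body of Marshaller.decode except for the `unpickler.find_global = server_find_global` line; make the lookup hook an attribute of Marshaller that the base decode consults and override only that attribute in the subclass, so a later fix to decode cannot drift between the two copies. The bare `except:` that logs and re-raises also swallows-and-rethrows KeyboardInterrupt and SystemExit; `except Exception:` is the intended scope.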
@@ -78,3 +92,21 @@
return r
raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+ """Helper for message unpickler"""
+ try:
+ m = __import__(module, _globals, _globals, _silly)
+ except ImportError, msg:
+ raise ZRPCError("import error %s: %s" % (module, msg))
+
+ try:
+ r = getattr(m, name)
+ except AttributeError:
+ raise ZRPCError("module %s has no global %s" % (module, name))
+
+ safe = getattr(r, '__no_side_effects__', 0)
+ if safe:
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
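Review bot: `m = __import__(module, _globals, _globals, _silly)` runs before the `__no_side_effects__` check, so a client can still make the server import any importable module by name and execute that module's top-level code, even though the requested global is then rejected. Check the module name against an explicit allowlist before calling __import__, or resolve globals only from a fixed table of already-imported objects. The function is otherwise a copy of the existing helper above it (same import, same getattr, same "Unsafe global" error) differing only in the safety test; share the body and pass the predicate in.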
--- End Message ---
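The server-side hardening that the patch above introduces (ServerMarshaller plus server_find_global, the fix for CVE-2009-0668) is the generic "restricted unpickler" technique. The following is an added example, not code from the bug report or from ZEO: it shows the same idea in Python 3, where the hook is pickle.Unpickler.find_class rather than Python 2's find_global, and adds a parse-only scan that lists the globals a message references without executing it. The (msgid, flags, name, args) layout follows the comment in ServerMarshaller.decode; the allowlist contents, the method names and all three payloads are constructed for the demo.

```python
"""Allowlisting unpickler for a pickle-based RPC server (Python 3).

Added example, not ZEO code.  The (msgid, flags, name, args) message layout
follows the comment in the patch's ServerMarshaller.decode; the allowlist,
method names and payloads below are constructed for this demo.
"""
import io
import pickle
import pickletools


class UnsafeGlobal(Exception):
    """A pickle referenced a global that is not on the server's allowlist."""


# Fixed (module, name) -> object table.  The patch __import__s whatever module the
# client names and only afterwards inspects __no_side_effects__; a table of objects
# that are already imported never runs import-time code chosen by the client.
# Assumption for the demo: this server only needs builtins.set inside call arguments.
SAFE_GLOBALS = {
    ("builtins", "set"): set,
}


class ServerUnpickler(pickle.Unpickler):
    """Resolve GLOBAL / STACK_GLOBAL references only through SAFE_GLOBALS."""

    def find_class(self, module, name):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise UnsafeGlobal("Unsafe global: %s.%s" % (module, name)) from None


def decode_message(msg):
    """Server-side decode: returns (msgid, flags, name, args) or raises UnsafeGlobal."""
    return ServerUnpickler(io.BytesIO(msg)).load()


def referenced_globals(msg):
    """Every global a pickle would resolve, found by parsing alone (pickletools.genops
    never executes the stream).  Useful for logging a rejected message or as a
    pre-check in front of the unpickler.  Names reused from the memo (BINGET) before a
    STACK_GLOBAL are not followed; find_class above still runs for those."""
    found = []
    strings = []  # string pushes consumed by STACK_GLOBAL (protocol 4+)
    for opcode, arg, _pos in pickletools.genops(msg):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def handle(msg):
    """Decode one message the way a hardened server would; returns a tuple the
    dispatcher (or a test) can inspect instead of printing."""
    try:
        _msgid, _flags, name, args = decode_message(msg)
    except UnsafeGlobal as exc:
        return ("rejected", str(exc), referenced_globals(msg))
    return ("accepted", name, args)


# Constructed payloads.  Protocol 3 is used so that builtins.set is emitted as a
# GLOBAL + REDUCE pair (protocol 4 has a dedicated set opcode and would not
# exercise find_class at all).
BENIGN_CALL = pickle.dumps((1, 0, "new_oids", (100,)), protocol=3)
ALLOWED_GLOBAL = pickle.dumps((2, 0, "tpc_vote", ({1, 2},)), protocol=3)
# Hand-written opcode stream: GLOBAL os.system, MARK, STRING 'id', TUPLE, REDUCE, STOP.
# A plain pickle.loads() on this would run the command; only the allowlisting
# loader is ever applied to it here.
HOSTILE = b"cos\nsystem\n(S'id'\ntR."

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_CALL), ("allowed", ALLOWED_GLOBAL),
                           ("hostile", HOSTILE)):
        print(label, handle(payload))
```

The design choice worth noting is the fixed lookup table: the patch's server_find_global imports the module the client names before testing `__no_side_effects__`, so an attacker can still trigger import-time code; resolving only from objects the server imported itself removes that path. The parse-only scan is a complement, not a replacement, for the find_class check, since pickletools can be fooled by memo tricks that the real unpickler still has to resolve.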
--- Begin Message ---
Source: zope2.9
Source-Version: 2.9.6-4etch2
We believe that the bug you reported is fixed in the latest version of
zope2.9, which is due to be installed in the Debian FTP archive:
zope2.9-sandbox_2.9.6-4etch2_all.deb
to pool/main/z/zope2.9/zope2.9-sandbox_2.9.6-4etch2_all.deb
zope2.9_2.9.6-4etch2.diff.gz
to pool/main/z/zope2.9/zope2.9_2.9.6-4etch2.diff.gz
zope2.9_2.9.6-4etch2.dsc
to pool/main/z/zope2.9/zope2.9_2.9.6-4etch2.dsc
zope2.9_2.9.6-4etch2_amd64.deb
to pool/main/z/zope2.9/zope2.9_2.9.6-4etch2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[email protected]> (supplier of updated zope2.9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 13 Aug 2009 16:39:59 +0000
Source: zope2.9
Binary: zope2.9-sandbox zope2.9
Architecture: source amd64 all
Version: 2.9.6-4etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian/Ubuntu Zope Team <[email protected]>
Changed-By: Nico Golde <[email protected]>
Description:
zope2.9 - Open Source Web Application Server
zope2.9-sandbox - sandbox instance for the zope2.9 web application server
Closes: 540464
Changes:
zope2.9 (2.9.6-4etch2) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix two vulnerabilities in the ZODB ZEO network protocol (closes: #540464)
- CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage
servers
- CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
Files:
d9acba8fb8981d626357ef9d22dc19e5 878 web optional zope2.9_2.9.6-4etch2.dsc
e26b1a97ba98194cb6624085aff6abd0 6977379 web optional zope2.9_2.9.6.orig.tar.gz
3702a3e4a4519b57a12c7cccc164cf47 17874 web optional zope2.9_2.9.6-4etch2.diff.gz
cc82b279f1ad82a1d076a6fa3c780d2e 6992354 web optional zope2.9_2.9.6-4etch2_amd64.deb
48f2c56b9372820369fa91bef4f5559a 11916 web optional zope2.9-sandbox_2.9.6-4etch2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqERIoACgkQHYflSXNkfP9HOwCfTX5VtloIXQ8xtkkuyMadBndE
g6wAn3AgAmsJi4iwJu52/Jii6h9iYH/R
=hxaw
-----END PGP SIGNATURE-----
--- End Message ---