Your message dated Sun, 25 Oct 2009 19:57:42 +0000
with message-id <[email protected]>
and subject line Bug#540464: fixed in zope2.10 2.10.6-1+lenny1
has caused the Debian Bug report #540464,
regarding CVE-2009-0668, CVE-2009-0669
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
540464: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: zope2.10
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.

1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of the
Zope server.  (CVE-2009-0668)[0]

2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB).  (CVE-2009-0669)[1]

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
    http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
    http://security-tracker.debian.net/tracker/CVE-2009-0669

    http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp9N8EACgkQNxpp46476arVPQCeOfUT1sVlZUSXMETleD8pD+6A
AA8AniYpFrHT9ERJ5UpgFXkcHkxgDIqF
=UJsU
-----END PGP SIGNATURE-----
=== StorageServer.py
==================================================================
--- StorageServer.py	(revision 167632)
+++ StorageServer.py	(local)
@@ -111,7 +111,7 @@
         for func in self.extensions:
             self._extensions[func.func_name] = None
 
-    def finish_auth(self, authenticated):
+    def _finish_auth(self, authenticated):
         if not self.auth_realm:
             return 1
         self.authenticated = authenticated
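Review bot: the rename `finish_auth` -> `_finish_auth` only removes the remote entry point if the server-side request dispatcher refuses method names beginning with `_`; that check is not part of this patch, so please confirm the zrpc request handler rejects underscore-prefixed names before relying on it, and add a one-line comment above `def _finish_auth` saying the underscore is what keeps it off the RPC surface, otherwise a later cleanup will see a cosmetic rename and undo it.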
@@ -421,6 +421,7 @@
 
     def new_oids(self, n=100):
         """Return a sequence of n new oids, where n defaults to 100"""
+        n = min(n, 100)
         if self.read_only:
             raise ReadOnlyError()
         if n <= 0:
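Review bot: `n = min(n, 100)` silently caps a client-chosen count, but the docstring two lines above still promises "a sequence of n new oids"; update it, lift the 100 into a named constant shared with the default argument, and add a comment that n is untrusted input (the reason for the cap) so the line is not removed as redundant. The cap runs before the `n <= 0` check, which is fine, but the type of n is never checked, so a non-integer value from the wire still reaches the comparison; check it at the same spot.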
=== auth/auth_digest.py
==================================================================
--- auth/auth_digest.py	(revision 167632)
+++ auth/auth_digest.py	(local)
@@ -121,7 +121,7 @@
         check = hexdigest("%s:%s" % (h_up, challenge))
         if check == response:
             self.connection.setSessionKey(session_key(h_up, self._key_nonce))
-        return self.finish_auth(check == response)
+        return self._finish_auth(check == response)
 
     extensions = [auth_get_challenge, auth_response]
 
=== tests/auth_plaintext.py
==================================================================
--- tests/auth_plaintext.py	(revision 167632)
+++ tests/auth_plaintext.py	(local)
@@ -41,7 +41,7 @@
             self.connection.setSessionKey(session_key(username,
                                                       self.database.realm,
                                                       password))
-        return self.finish_auth(dbpw == password_dig)
+        return self._finish_auth(dbpw == password_dig)
 
 class PlaintextClient(Client):
     extensions = ["auth"]
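Review bot: this test module doubles as a protocol implementation (`PlaintextClient` below), so the rename is needed here, but the patch adds no test for the bug itself; a regression test that sends a `finish_auth` and a `_finish_auth` call over the wire from an unauthenticated client and asserts both are rejected would pin the fix in place.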
=== zrpc/connection.py
==================================================================
--- zrpc/connection.py	(revision 167632)
+++ zrpc/connection.py	(local)
@@ -24,7 +24,7 @@
 import ThreadedAsync
 from ZEO.zrpc import smac
 from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
 from ZEO.zrpc.trigger import trigger
 from ZEO.zrpc.log import short_repr, log
 from ZODB.loglevels import BLATHER, TRACE
@@ -883,6 +883,7 @@
     def __init__(self, sock, addr, obj, mgr):
         self.mgr = mgr
         self.__super_init(sock, addr, obj, 'S')
+        self.marshal = ServerMarshaller()
         self.obj.notifyConnected(self)
 
     def handshake(self):
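Review bot: `self.marshal = ServerMarshaller()` is assigned after `self.__super_init(...)`, which presumably installs the permissive `Marshaller` and registers the socket; if anything can be read and decoded inside the base initializer, the first message still goes through the unrestricted decoder. Pass the marshaller class into the base initializer (or have the base call an overridable factory) so a server connection never holds a client-grade marshaller at all.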
=== zrpc/marshal.py
==================================================================
--- zrpc/marshal.py	(revision 167632)
+++ zrpc/marshal.py	(local)
@@ -52,6 +52,20 @@
                 level=logging.ERROR)
             raise
 
+class ServerMarshaller(Marshaller):
+
+    def decode(self, msg):
+        """Decodes msg and returns its parts"""
+        unpickler = cPickle.Unpickler(StringIO(msg))
+        unpickler.find_global = server_find_global
+
+        try:
+            return unpickler.load() # msgid, flags, name, args
+        except:
+            log("can't decode message: %s" % short_repr(msg),
+                level=logging.ERROR)
+            raise
+
 _globals = globals()
 _silly = ('__doc__',)
 
@@ -78,3 +92,21 @@
         return r
 
     raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+    """Helper for message unpickler"""
+    try:
+        m = __import__(module, _globals, _globals, _silly)
+    except ImportError, msg:
+        raise ZRPCError("import error %s: %s" % (module, msg))
+
+    try:
+        r = getattr(m, name)
+    except AttributeError:
+        raise ZRPCError("module %s has no global %s" % (module, name))
+
+    safe = getattr(r, '__no_side_effects__', 0)
+    if safe:
+        return r
+
+    raise ZRPCError("Unsafe global: %s.%s" % (module, name))
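Review bot: the `__import__(module, ...)` call runs before any safety decision, so a client can still make the server import any importable module by name and execute its top-level code before `__no_side_effects__` is consulted; check the module name against a short allowlist, or look the (module, name) pair up in a registry of pre-approved objects, before importing anything. The function is otherwise a copy of `find_global` immediately above it, differing only in what it accepts; factor the shared import/getattr into one helper that takes the acceptance predicate.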

--- End Message ---
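The two server-side controls the patch above introduces, written out as an added example in Python 3 (this is not ZEO/ZODB code and not part of the report or the Debian package): a restricted unpickler for client-to-server messages, which is the class of fix for the arbitrary code execution in CVE-2009-0668, and a dispatcher that refuses underscore-prefixed method names, which is what makes the `_finish_auth` rename close the authentication bypass in CVE-2009-0669. StorageServer, dispatch, ReadOnlyError, the (msgid, flags, name, args) message layout and both constructed messages are hypothetical stand-ins; the `__no_side_effects__` marker is the patch's own. It goes one step past the patch in that allowed globals are looked up in a registry filled by a decorator, so the unpickler never imports a module on the client's say-so.

```python
# Added example, not ZEO/ZODB code: the two server-side controls of the patch
# above, in Python 3.  All names and the message layout are hypothetical.
import io
import os
import pickle

class UnsafeGlobal(Exception): "the pickle names a global the server refuses"
class UnsafeMethod(Exception): "the request names a method that is not public"

SAFE_GLOBALS = {}   # (module, name) -> object; the only globals a message may use

def no_side_effects(obj):
    """Register a class/function as safe to rebuild from untrusted pickle data."""
    obj.__no_side_effects__ = True          # same marker the ZEO patch uses
    SAFE_GLOBALS[(obj.__module__, obj.__name__)] = obj
    return obj

@no_side_effects
class ReadOnlyError(Exception):
    """An exception the server may legitimately carry inside a message."""

class ServerUnpickler(pickle.Unpickler):
    """Unpickler for client -> server bytes: registry lookups, never an import."""
    def find_class(self, module, name):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise UnsafeGlobal("unsafe global: %s.%s" % (module, name)) from None

def decode_message(raw):
    """Decode one request into (msgid, flags, name, args), or raise."""
    msg = ServerUnpickler(io.BytesIO(raw)).load()
    if not (isinstance(msg, tuple) and len(msg) == 4 and isinstance(msg[3], tuple)):
        raise ValueError("malformed message")
    return msg

class StorageServer:
    """Stand-in for the object whose public methods are callable over RPC."""
    MAX_NEW_OIDS = 100

    def __init__(self):
        self.authenticated = False
        self._last_oid = 0

    def _finish_auth(self, authenticated):
        # Leading underscore keeps this off the RPC surface (see dispatch()).
        self.authenticated = bool(authenticated)
        return self.authenticated

    def new_oids(self, n=100):
        n = min(n, self.MAX_NEW_OIDS)        # client-chosen; cap before use
        if n <= 0:
            raise ValueError("n must be positive")
        oids = list(range(self._last_oid + 1, self._last_oid + n + 1))
        self._last_oid += n
        return oids

def dispatch(server, raw):
    """Decode a request and call only a public, existing method of server."""
    msgid, _flags, name, args = decode_message(raw)
    if not isinstance(name, str) or name.startswith("_"):
        raise UnsafeMethod(name)
    method = getattr(server, name, None)
    if not callable(method):
        raise UnsafeMethod(name)
    return msgid, method(*args)

# Constructed attacker message, protocol-0 opcodes written by hand:
#   ( I1 I0 Vnew_oids ( c os getpid ( t R t t .
# = (1, 0, "new_oids", (os.getpid(),)); getpid runs while decoding, standing in for os.system.
ATTACKER_MESSAGE = b"(I1\nI0\nVnew_oids\n(cos\ngetpid\n(tRtt."

def legit_reply():
    """Constructed message carrying a registered exception class (protocol 0)."""
    mod = ReadOnlyError.__module__.encode()
    return b"(I4\nI0\nVreply\n(c" + mod + b"\nReadOnlyError\n(Vro\ntRtt."

def refused(fn, exc):
    try:
        fn()
        return False
    except exc:
        return True

def demo():
    """Exercise both controls on sample messages; returns the outcomes."""
    out, srv = {}, StorageServer()
    out["small_request"] = dispatch(srv, pickle.dumps((1, 0, "new_oids", (5,))))[1]
    out["capped_request"] = len(dispatch(srv, pickle.dumps((2, 0, "new_oids", (10**6,))))[1])
    bypass = pickle.dumps((3, 0, "_finish_auth", (True,)))
    out["bypass_refused"] = refused(lambda: dispatch(srv, bypass), UnsafeMethod)
    out["authenticated"] = srv.authenticated
    # The vulnerable path (plain pickle.loads) executes the callable while parsing.
    out["unrestricted_ran_callable"] = pickle.loads(ATTACKER_MESSAGE)[3] == (os.getpid(),)
    out["attacker_refused"] = refused(lambda: dispatch(srv, ATTACKER_MESSAGE), UnsafeGlobal)
    # A registered class is still reconstructable, so legitimate replies work.
    reply = decode_message(legit_reply())
    out["registered_global_ok"] = isinstance(reply[3][0], ReadOnlyError)
    return out

if __name__ == "__main__":
    print(demo())
```

Run directly it prints the outcome dict. The attacker message is an ordinary protocol 0 pickle, and `pickle.loads` on it really calls `os.getpid()` during decoding, which is the whole problem; the restricted unpickler stops at the GLOBAL opcode because ("os", "getpid") was never registered, while the registered ReadOnlyError still round-trips.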
--- Begin Message ---
Source: zope2.10
Source-Version: 2.10.6-1+lenny1

We believe that the bug you reported is fixed in the latest version of
zope2.10, which is due to be installed in the Debian FTP archive:

zope2.10-sandbox_2.10.6-1+lenny1_all.deb
  to pool/main/z/zope2.10/zope2.10-sandbox_2.10.6-1+lenny1_all.deb
zope2.10_2.10.6-1+lenny1.diff.gz
  to pool/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.diff.gz
zope2.10_2.10.6-1+lenny1.dsc
  to pool/main/z/zope2.10/zope2.10_2.10.6-1+lenny1.dsc
zope2.10_2.10.6-1+lenny1_amd64.deb
  to pool/main/z/zope2.10/zope2.10_2.10.6-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <[email protected]> (supplier of updated zope2.10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 Aug 2009 00:50:31 +0200
Source: zope2.10
Binary: zope2.10 zope2.10-sandbox
Architecture: source amd64 all
Version: 2.10.6-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Meurer <[email protected]>
Changed-By: Jonas Meurer <[email protected]>
Description: 
 zope2.10   - Open Source Web Application Server
 zope2.10-sandbox - sandbox instance for the zope2.10 web application server
Closes: 540464
Changes: 
 zope2.10 (2.10.6-1+lenny1) stable-security; urgency=high
 .
   * Fix two vulnerabilities in the ZODB ZEO network protocol (closes: #540464)
     - CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
     - CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
Checksums-Sha1: 
 894be24b145be444ebb545d56a4a52c5144273d0 1356 zope2.10_2.10.6-1+lenny1.dsc
 94c79a6be01356559f210aaed910d69cc05f64bc 7263938 zope2.10_2.10.6.orig.tar.gz
 14a6dc6bc1d23599ae56c2b42731610cffa34a21 14698 zope2.10_2.10.6-1+lenny1.diff.gz
 48f44f947c464c72f15efcf8fb091335a5514496 7060682 zope2.10_2.10.6-1+lenny1_amd64.deb
 8416864ab9b08c040f06597adbb61e1811ee035f 179592 zope2.10-sandbox_2.10.6-1+lenny1_all.deb
Checksums-Sha256: 
 b099a87ab8d406488012bb468df6c6088730bdb70da6d6ec5c42f15777130618 1356 zope2.10_2.10.6-1+lenny1.dsc
 92f26db1b8c3422226630d923a0e01538543da62a7709d57b59f222777e36733 7263938 zope2.10_2.10.6.orig.tar.gz
 4fcaaec2119de29338ddc491d702b449e9409aa3f20165cd02628bb49a0757f2 14698 zope2.10_2.10.6-1+lenny1.diff.gz
 dc4d6cc09add26f4bed65e15521854b3580776b6b970489116ff278bfb65a463 7060682 zope2.10_2.10.6-1+lenny1_amd64.deb
 75c286f61ea874e201106fa8ececc36c1ba119e5fdf6444d03f6650906d9da39 179592 zope2.10-sandbox_2.10.6-1+lenny1_all.deb
Files: 
 79b85989ea078482571388ac9847f0dd 1356 web optional zope2.10_2.10.6-1+lenny1.dsc
 6e983f0e5a0f6f1eedf347038e09b571 7263938 web optional zope2.10_2.10.6.orig.tar.gz
 ad40802de32fbe651eb5a0efac571cd5 14698 web optional zope2.10_2.10.6-1+lenny1.diff.gz
 d4244d62ff01cbc4c4f74e97bc5cff06 7060682 web optional zope2.10_2.10.6-1+lenny1_amd64.deb
 5011d75ba94a95bbc9162fe7489f032c 179592 web optional zope2.10-sandbox_2.10.6-1+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp/VDwACgkQd6lUs+JfIQJJ6wCdEnhyKbngrnLv8vX1mdiiASym
W/MAoJRBUAabVnMljOuWZwHGmhXdRO7A
=XtHa
-----END PGP SIGNATURE-----



--- End Message ---
