[Zope-CMF] cmf-tests - OK: 8
This is the summary for test reports received on the cmf-tests list between 2012-11-08 00:00:00 UTC and 2012-11-09 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds. An up-to-date view of the builders is also available in our buildbot documentation:

    http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received

    CMF-2.2   Zope-2.12  Python-2.6.8 : Linux
    CMF-2.2   Zope-2.13  Python-2.6.8 : Linux
    CMF-2.3   Zope-2.13  Python-2.6.8 : Linux
    CMF-2.3   Zope-trunk Python-2.6.8 : Linux
    CMF-trunk Zope-2.13  Python-2.6.8 : Linux
    CMF-trunk Zope-2.13  Python-2.7.3 : Linux
    CMF-trunk Zope-trunk Python-2.6.8 : Linux
    CMF-trunk Zope-trunk Python-2.7.3 : Linux

Non-OK results

    --

___
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106
On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012, 20:29, David Glick (Plone) wrote:
>> We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize.
>>
>> In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?
>
> Hi David,
>
> thanks for the quick response. I would definitely say just post to the list to see if we're still alive.
>
> Can you say which versions of CMF are affected?

Probably any that use getToolByName. The problem is that getToolByName can be used to get attributes that wouldn't normally be accessible from RestrictedPython. The hotfix adds some checks to make sure that the object that was found provides IPersistent or IItem (or is explicitly named in the tool registry), so that it is at least much harder to break out of the sandbox. Unfortunately this breaks non-persistent non-item dummy objects used in tests unless they are made to provide one of the interfaces that is checked.

David
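As an added illustration of the check David describes above (this is not the hotfix's, CMF's, or any list member's code): a stand-alone Python model of a name lookup that walks an acquisition-style parent chain and hands back whatever it finds, beside a wrapper that applies the same kind of allow-list the hotfix does. Zope acquisition, zope.interface and the CMF tool registry are replaced by stand-ins that are assumptions of this example only: a `__parent__` chain, an `is_persistent` marker attribute in place of `IPersistent.providedBy`, and a plain dict in place of `utils._tool_interface_registry`. It shows what the unchecked lookup leaks, what the wrapper refuses, that a caller-supplied default passes through unchecked, and the test-dummy caveat from the thread.

```python
# Added illustration of the getToolByName check discussed above; it is not the
# hotfix's, CMF's or any list member's code.  Stand-ins (all assumptions) keep
# it runnable offline:
#   Node.__parent__ chain   ~ Zope acquisition (what getToolByName walks)
#   Tool.is_persistent      ~ IPersistent.providedBy(result)
#   TOOL_REGISTRY (a dict)  ~ utils._tool_interface_registry

_marker = object()  # sentinel playing the role of Products.CMFCore.utils._marker


class Node(object):
    """Content object; __parent__ stands in for the acquisition chain."""

    def __init__(self, parent=None):
        self.__parent__ = parent

    def wipe(self):
        """An ordinary method of the object, not a tool."""
        return "wiped"


class Tool(Node):
    """A genuine portal tool, the only thing a tool lookup should return."""
    is_persistent = True


class DummyTool(object):
    """A test double like the ones the thread mentions: not persistent."""


# Names accepted regardless of what is found, like the CMF tool registry keys.
TOOL_REGISTRY = {"portal_catalog": "ICatalogTool"}


def acquire(obj, name):
    """Return the first attribute `name` found on obj or any of its parents."""
    while obj is not None:
        if hasattr(obj, name):
            return getattr(obj, name)
        obj = obj.__parent__
    raise AttributeError(name)


def get_tool_by_name(obj, name, default=_marker):
    """Pre-hotfix behaviour: whatever acquisition finds comes back as a 'tool'."""
    try:
        return acquire(obj, name)
    except AttributeError:
        if default is _marker:
            raise
        return default


def wrapped_get_tool_by_name(obj, name, default=_marker):
    """Hotfix behaviour: persistent objects, registered names or the default."""
    result = get_tool_by_name(obj, name, default)
    if (getattr(result, "is_persistent", False)
            or name in TOOL_REGISTRY
            or result is default):
        return result
    raise TypeError("Object found is not a portal tool (%s)" % (name,))


def build_site():
    """Constructed sample site: site -> folder -> page, tools hang off the site."""
    site = Node()
    site.portal_catalog = Tool(site)    # persistent and registered
    site.portal_workflow = Tool(site)   # persistent, not registered
    site.portal_dummy = DummyTool()     # test double, neither
    site.portal_marked = DummyTool()    # test double fixed by providing the marker
    site.portal_marked.is_persistent = True
    page = Node(Node(site))
    return site, page


def rejected(lookup, obj, name):
    """True if `lookup` refuses to hand out obj's `name`."""
    try:
        lookup(obj, name)
    except TypeError:
        return True
    return False


def demo():
    """Outcomes of the two lookups on the sample site; every value is True."""
    site, page = build_site()
    return {
        "catalog_ok": wrapped_get_tool_by_name(page, "portal_catalog") is site.portal_catalog,
        "workflow_ok": wrapped_get_tool_by_name(page, "portal_workflow") is site.portal_workflow,
        # Unpatched, the lookup hands a script a bound method as if it were a tool.
        "unpatched_leaks_method": get_tool_by_name(page, "wipe")() == "wiped",
        "patched_blocks_method": rejected(wrapped_get_tool_by_name, page, "wipe"),
        # The caveat from the thread: an unmarked dummy now fails ...
        "dummy_rejected": rejected(wrapped_get_tool_by_name, page, "portal_dummy"),
        # ... until it provides the checked marker; a caller's default passes unchecked.
        "marked_dummy_ok": wrapped_get_tool_by_name(page, "portal_marked") is site.portal_marked,
        "default_passes": wrapped_get_tool_by_name(page, "missing", None) is None,
    }


if __name__ == "__main__":
    for check, outcome in sorted(demo().items()):
        print("%-24s %s" % (check, outcome))
```

The `default_passes` case is worth noticing when porting such a check: the wrapper trusts whatever the caller supplied as `default`, so the allow-list protects only lookups that actually resolve through acquisition.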
Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106
On 09.11.2012, 20:29, David Glick (Plone) wrote:
> We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize.
>
> In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?

Hi David,

thanks for the quick response. I would definitely say just post to the list to see if we're still alive.

Can you say which versions of CMF are affected?

Charlie

--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D-40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106
On 11/9/12 11:23 AM, Charlie Clark wrote:
> On 09.11.2012, 17:02, Jens Vagelpohl wrote:
>> Hi all,
>>
>> I don't recall any information being provided to the CMF developers about CMF fixes in the most recent Plone Hotfix:
>>
>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> For example, there's a monkey patch to make sure getToolByName only returns valid tool objects and nothing else, see the attached file. I'm not sure if there's an oversight of not forwarding this information to us or if it was determined this fix is not relevant for the CMF. Would any list member who also works on Plone have an insight?
>>
>> Thanks!
>>
>> jens
>
> I got this back from David Glick after asking secur...@plone.org:
>
> """
> Thanks. We haven't had a chance to start applying the patches in the hotfix back to where they really belong, but we'll do so soon. Note that for the time being it should be possible to apply the Plone hotfix to pure CMF sites as well to patch this issue.
> """
>
> Still no wiser as to why we weren't informed.

We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?

David
Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106
On 09.11.2012, 17:02, Jens Vagelpohl wrote:
> Hi all,
>
> I don't recall any information being provided to the CMF developers about CMF fixes in the most recent Plone Hotfix:
>
> http://plone.org/products/plone-hotfix/releases/20121106
>
> For example, there's a monkey patch to make sure getToolByName only returns valid tool objects and nothing else, see the attached file. I'm not sure if there's an oversight of not forwarding this information to us or if it was determined this fix is not relevant for the CMF. Would any list member who also works on Plone have an insight?
>
> Thanks!
>
> jens

I got this back from David Glick after asking secur...@plone.org:

"""
Thanks. We haven't had a chance to start applying the patches in the hotfix back to where they really belong, but we'll do so soon. Note that for the time being it should be possible to apply the Plone hotfix to pure CMF sites as well to patch this issue.
"""

Still no wiser as to why we weren't informed.

Charlie

--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D-40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
[Zope-CMF] CMF security patches in Products.PloneHotfix20121106
Hi all,

I don't recall any information being provided to the CMF developers about CMF fixes in the most recent Plone Hotfix:

http://plone.org/products/plone-hotfix/releases/20121106

For example, there's a monkey patch to make sure getToolByName only returns valid tool objects and nothing else, see the attached file. I'm not sure if there's an oversight of not forwarding this information to us or if it was determined this fix is not relevant for the CMF. Would any list member who also works on Plone have an insight?

Thanks!

jens

Attached file (the getToolByName monkey patch from the hotfix):

    from Products.CMFCore import utils

    # Plone's FactoryTool hands out FauxArchetypeTool wrappers that do not
    # provide the interfaces checked below; allow them explicitly when Plone
    # is installed.
    try:
        from Products.CMFPlone.FactoryTool import FauxArchetypeTool
        HAS_FAT = True
    except ImportError:
        FauxArchetypeTool = None
        HAS_FAT = False

    from persistent.interfaces import IPersistent

    # If OFS.interfaces.IItem is unavailable, fall back to IPersistent.
    try:
        from OFS.interfaces import IItem
    except ImportError:
        IItem = IPersistent

    # Tool ids registered with CMF itself are trusted by name.
    try:
        tool_registry = utils._tool_interface_registry
    except AttributeError:
        tool_registry = {}

    gtbn = utils.getToolByName


    def wrapped_getToolByName(obj, name, default=utils._marker):
        result = gtbn(obj, name, default)
        # Only hand back persistent objects, Zope items, registered tool ids,
        # the Plone factory tool, or whatever the caller supplied as default.
        if IPersistent.providedBy(result) or \
           IItem.providedBy(result) or \
           name in tool_registry or \
           (HAS_FAT and isinstance(result, FauxArchetypeTool)) or \
           result is utils._marker or \
           result is default:
            return result
        raise TypeError("Object found is not a portal tool (%s)" % (name,))


    utils.getToolByName = wrapped_getToolByName

    # Products.CMFPlone.utils re-exports getToolByName; patch that name too
    # when Plone is present so callers importing from there get the same check.
    try:
        import Products.CMFPlone.utils
        Products.CMFPlone.utils.getToolByName = wrapped_getToolByName
    except ImportError:
        pass