from:"Arnaud Fontaine"

Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-26 Thread Arnaud Fontaine

Hello,

Tres Seaver tsea...@palladion.com writes:

 version 2.12.21: * LP #1079238 fixes CVE 2012-5489.

 According  to the  upstream changelog,  LP  #1047318 seems  to fix  a
 security bug, but I could not find it in zope2 launchpad nor anywhere
 else.

 That bug was  still in Private Security state: I  have updated it to
 Public Security, so you whould be able to view it:

  https://bugs.launchpad.net/zope2/+bug/1047318

Thank you very much.

 Not fixed in latest release of Zope AFAIK:

 * CVE-2012-5487 (allow_module.py)
 http://plone.org/products/plone/security/advisories/20121106/03

 I  don't  believe that  this  can  be a  bug  in  Zope itself:  adding
 '__roles__' to a module-scope function  is pointless unless the module
 itselfisimportableby   untrusted(TTW)code. The
 'AccessControl.SecurityInfo' module should  *certainly* not be exposed
 to untrusted  code.  If  some other  out-of-Zope-core module  which is
 supposed to be importable by TTW  code imports that function at module
 scope, then fix *that* module instead.

Indeed, thanks for your explanation.

 * CVE-2012-5505 (zope.traversing: atat.py)
 http://plone.org/products/plone/security/advisories/20121106/21

 That fix is  also disputed: hiding the default view  from the '@@'
 name does not actually improve security  at all.  There is a Launchpad
 bug where  it is being  debated (#1079225), but  that bug is  still in
 Private Security mode.  The correct fix is to change the code of the
 multi-adapter to barf if published via a URL.

Any idea when this patch will be released? Thanks.

Cheers,
Arnaud Fontaine


pgpvo23YpEpK9.pgp
Description: PGP signature
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-24 Thread Arnaud Fontaine

Hello,

Luciano Bello luci...@debian.org writes:

 Hi, please see : http://seclists.org/oss-sec/2012/q4/249

 Can you confirm if any of the Debian packages are affected?

As far as I could find (not clear in the upstream changelog):

version 2.12.26:
  * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
  * LP #930812 fixes CVE 2012-5486.

version 2.12.21:
  * LP #1079238 fixes CVE 2012-5489.

According to the upstream changelog, LP #1047318 seems to fix a security
bug, but I could not find it in zope2 launchpad nor anywhere else.

The  following CVEs  are  not affecting  Zope2 package  (Plone/Zope3/..)
(within  brackets is  the  Product/module/...  affected  along with  the
corresponding filename in Plone Hotfix):

* CVE-2012-5485 (Plone: registerConfiglet.py)
  http://plone.org/products/plone/security/advisories/20121106/01

* CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
  (Plone-specific: python_scripts.py)
  http://plone.org/products/plone/security/advisories/20121106/04
  http://plone.org/products/plone/security/advisories/20121106/10
  http://plone.org/products/plone/security/advisories/20121106/11
  http://plone.org/products/plone/security/advisories/20121106/15
  http://plone.org/products/plone/security/advisories/20121106/22

* CVE-2012-5490 (kss: kssdevel.py)
  http://plone.org/products/plone/security/advisories/20121106/06

* CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
  http://plone.org/products/plone/security/advisories/20121106/12
  http://plone.org/products/plone/security/advisories/20121106/20

* CVE-2012-5492 (Plone: uid_catalog.py)
  http://plone.org/products/plone/security/advisories/20121106/08

* CVE-2012-5493 (CMFCore: gtbn.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5496 (Plone: kupu_spellcheck.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5497 (Plone: membership_tool.py)
  http://plone.org/products/plone/security/advisories/20121106/13

* CVE-2012-5498 (Plone: queryCatalog.py)
  http://plone.org/products/plone/security/advisories/20121106/14

* CVE-2012-5500 (Plone: renameObjectsByPaths.py)
  http://plone.org/products/plone/security/advisories/20121106/15

* CVE-2012-5501 (Plone: at_download.py)
  http://plone.org/products/plone/security/advisories/20121106/17

* CVE-2012-5502 (PortalTransforms: safe_html.py)
  http://plone.org/products/plone/security/advisories/20121106/18

* CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
  http://plone.org/products/plone/security/advisories/20121106/19

Not fixed in latest release of Zope AFAIK:

* CVE-2012-5487 (allow_module.py)
  http://plone.org/products/plone/security/advisories/20121106/03

* CVE-2012-5505 (zope.traversing: atat.py)
  http://plone.org/products/plone/security/advisories/20121106/21

I have attached  to this email the  patches for these two  CVEs and will
upload them soon. I'm CC'ing zope-dev for review.

Regards,
Arnaud Fontaine

Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
===
--- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-22 18:57:27.0 +0900
+++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-24 13:23:20.669183242 +0900
@@ -311,6 +311,8 @@
 ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
 dot = module_name.find('.', dot + 1)
 
+allow_module.__roles__ = ()
+
 def allow_class(Class):
 Allow a class and all of its methods to be used from a
 restricted Script.  The argument Class must be a class.
Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py
===
--- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-22 19:00:29.0 +0900
+++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-24 13:16:40.229707666 +0900
@@ -31,7 +31,7 @@
 from zope.traversing.interfaces import IEtcNamespace
 from zope.traversing.interfaces import IPathAdapter
 from zope.traversing.interfaces import ITraversable
-
+from zope.traversing.interfaces import TraversalError
 
 class UnexpectedParameters(LocationError):
 Unexpected namespace parameters were provided.
@@ -325,6 +325,9 @@
 self.request = request
 
 def traverse(self, name, ignored):
+if not name:
+raise TraversalError(self.context, name)
+
 view = zope.component.queryMultiAdapter((self.context, self.request),
 name=name)
 if view is None:


pgpkDBkR0g0D5.pgp
Description: PGP signature
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce

Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2 matches

Site Navigation

Mail list logo

Footer information