Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2013-01-27 Thread Tres Seaver

On 01/27/2013 08:49 AM, Julien Cristau wrote:
 On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
 
 Tres Seaver tsea...@palladion.com writes:
 
 * CVE-2012-5505 (zope.traversing: atat.py) 
 http://plone.org/products/plone/security/advisories/20121106/21
 
 That fix is also disputed: hiding the default view from the '@@' name
 does not actually improve security at all. There is a Launchpad bug
 where it is being debated (#1079225), but that bug is still in Private
 Security mode. The correct fix is to change the code of the
 multi-adapter to barf if published via a URL.
 
 Any idea when this patch will be released? Thanks.
 
 Is there any news on that issue?

I still believe the report is in error:  we cannot hide default (unnamed)
views simply because an application might register one in error.
Any view which wants not to be called via URLs needs to handle that
directly:  registering a multiadapter for (IThing, None) *is* registering
a view.



Tres.
-- 
===
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   Excellence by Design     http://palladion.com
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2013-01-27 Thread Tres Seaver

On 01/27/2013 11:55 AM, David Glick (Plone) wrote:
 On 1/27/13 6:00 PM, Tres Seaver wrote:
 
 On 01/27/2013 08:49 AM, Julien Cristau wrote:
 On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
 
 Tres Seaver tsea...@palladion.com writes:
 
 * CVE-2012-5505 (zope.traversing: atat.py) 
 http://plone.org/products/plone/security/advisories/20121106/21

 
 That fix is also disputed: hiding the default view from the '@@' name
 does not actually improve security at all. There is a Launchpad bug
 where it is being debated (#1079225), but that bug is still in Private
 Security mode. The correct fix is to change the code of the
 multi-adapter to barf if published via a URL.
 Any idea when this patch will be released? Thanks.
 
 Is there any news on that issue?
 I still believe the report is in error:  we cannot hide default
 (unnamed) views simply because an application might register one in
 error. Any view which wants not to be called via URLs needs to
 handle that directly:  registering a multiadapter for (IThing, None)
 *is* registering a view.
 
 
 Plone includes the configuration of zope.annotation which registers a
 multiadapter of (IAnnotations, Interface) that, as far as I can tell,
 is not intended as a view and can expose information that was meant to
 be private. Our patch therefore monkey-patched the view traverser in
 zope.traversing to prevent it from being published. zope.annotation is
 not configured in Zope 2 out of the box.

If you believe that the '(IAnnotation, None)' registration is not
supposed to be a view, then the correct place to address this is in
'zope.annotation', not the publisher.  E.g., the attached patch.

Note that the two-argument registration was added by Jacob Holm in r72995
(2007-03-05).  CC'ing him to ask if he can recall the justification, or
knows what would break if we removed it.  At a guess, the motivator is
zope.app.preference, which wants the extra argument passed to its
__new__:  this is *not* a reason to register a multi-adapter.




Tres.
-- 
===
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   Excellence by Design     http://palladion.com
=== modified file 'src/zope/annotation/configure.zcml'
--- src/zope/annotation/configure.zcml	2011-02-15 15:46:28 +
+++ src/zope/annotation/configure.zcml	2013-01-27 18:00:07 +
@@ -8,10 +8,4 @@
   factory=.attribute.AttributeAnnotations
   /
 
-  adapter
-  for=.interfaces.IAttributeAnnotatable *
-  provides=.interfaces.IAnnotations
-  factory=.attribute.AttributeAnnotations
-  /
-
 /configure
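Review bot: dropping the `for=.interfaces.IAttributeAnnotatable *` registration is the right layer for this fix, but the hunk is silent about compatibility: any caller that looked IAnnotations up as a multi-adapter on (annotatable, request), such as the zope.app.preference case raised in the covering message, will no longer find one. Add a CHANGES entry stating that the two-argument registration is gone and that callers should adapt the context alone (the single-argument registration in the context lines above is kept), and consider a deprecation release before removing it outright.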

=== modified file 'src/zope/annotation/tests/test_configure.py'
--- src/zope/annotation/tests/test_configure.py	2011-02-15 15:46:28 +
+++ src/zope/annotation/tests/test_configure.py	2013-01-27 18:01:03 +
@@ -36,7 +36,7 @@
 zope.configuration.xmlconfig.XMLConfig(
 'configure.zcml', zope.annotation)()
 self.assertEqual(u_count + 2, len(list(gsm.registeredUtilities(
-self.assertEqual(a_count + 2, len(list(gsm.registeredAdapters(
+self.assertEqual(a_count + 1, len(list(gsm.registeredAdapters(
 self.assertEqual(
 s_count, len(list(gsm.registeredSubscriptionAdapters(
 self.assertEqual(h_count, len(list(gsm.registeredHandlers(
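Review bot: changing `a_count + 2` to `a_count + 1` only asserts that one fewer adapter is registered, not which one; a regression that re-added the two-argument registration while losing the single-argument one would still pass. Alongside the count, add an explicit assertion that `queryMultiAdapter((annotatable, object()), IAnnotations)` returns None while `IAnnotations(annotatable)` still resolves.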

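The disagreement above (hide the empty `@@` name in the traverser, or remove the two-argument registration) as an added example; this is a toy stand-in written for this page, not zope.component or zope.traversing code, and `Interface`, `IAttributeAnnotatable`, `IRequest`, `Doc`, `Registry` and `exposure` are hypothetical simplifications of the real objects:

```python
# Added example (not zope's code): a toy stand-in for zope.component's
# multi-adapter lookup and for zope.traversing.namespace.view.traverse;
# interfaces are plain classes and "provides" is modelled with isinstance().
class Interface: pass                  # stand-in for zope.interface.Interface
class IAttributeAnnotatable(Interface): pass
class IRequest(Interface): pass

class AttributeAnnotations:
    """Stand-in for zope.annotation.attribute.AttributeAnnotations."""
    def __init__(self, obj, request=None):  # 2nd arg is what (IThing, *) passes
        self.data = getattr(obj, "_private_annotations", {})

class Registry:
    """Minimal (required interfaces, name) -> factory table."""
    def __init__(self):
        self._adapters = []
    def register(self, required, factory, name=""):
        self._adapters.append((tuple(required), name, factory))
    def query_multi_adapter(self, objects, name=""):
        for required, aname, factory in self._adapters:
            if (aname == name and len(required) == len(objects)
                    and all(isinstance(o, r) for o, r in zip(objects, required))):
                return factory(*objects)
        return None

def view_traverse(registry, context, request, name, hotfix=False):
    """Mirrors view.traverse: '@@' alone asks for the unnamed ('') view."""
    if hotfix and not name:              # the namespace.py hotfix from the thread
        raise LookupError("TraversalError: empty view name")
    view = registry.query_multi_adapter((context, request), name=name)
    if view is None:
        raise LookupError("no view %r" % name)
    return view

class Doc(IAttributeAnnotatable):
    _private_annotations = {"owner": "alice"}   # constructed sample data

def exposure(hotfix=False, drop_two_arg_registration=False):
    """Return (data reachable via '@@', adapter still registered?) under the
    chosen fix; data is None when traversal is refused."""
    reg = Registry()
    reg.register((IAttributeAnnotatable,), AttributeAnnotations)  # 1-arg: legitimate
    if not drop_two_arg_registration:    # the configure.zcml for="... *" line
        reg.register((IAttributeAnnotatable, Interface), AttributeAnnotations)
    ctx, req = Doc(), IRequest()
    try:
        data = view_traverse(reg, ctx, req, "", hotfix=hotfix).data
    except LookupError:
        data = None
    return data, reg.query_multi_adapter((ctx, req)) is not None
```

With the hotfix alone, `@@` is refused but the (context, request) adapter is still registered and still answers a direct lookup; only dropping the two-argument registration removes it from both paths.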


Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-26 Thread Arnaud Fontaine
Hello,

Tres Seaver tsea...@palladion.com writes:

 version 2.12.21: * LP #1079238 fixes CVE 2012-5489.

 According to the upstream changelog, LP #1047318 seems to fix a
 security bug, but I could not find it in zope2 launchpad nor anywhere
 else.

 That bug was still in Private Security state: I have updated it to
 Public Security, so you would be able to view it:

  https://bugs.launchpad.net/zope2/+bug/1047318

Thank you very much.

 Not fixed in latest release of Zope AFAIK:

 * CVE-2012-5487 (allow_module.py)
 http://plone.org/products/plone/security/advisories/20121106/03

 I don't believe that this can be a bug in Zope itself: adding
 '__roles__' to a module-scope function is pointless unless the module
 itself is importable by untrusted (TTW) code. The
 'AccessControl.SecurityInfo' module should *certainly* not be exposed
 to untrusted code. If some other out-of-Zope-core module which is
 supposed to be importable by TTW code imports that function at module
 scope, then fix *that* module instead.

Indeed, thanks for your explanation.

 * CVE-2012-5505 (zope.traversing: atat.py)
 http://plone.org/products/plone/security/advisories/20121106/21

 That fix is also disputed: hiding the default view from the '@@'
 name does not actually improve security at all. There is a Launchpad
 bug where it is being debated (#1079225), but that bug is still in
 Private Security mode. The correct fix is to change the code of the
 multi-adapter to barf if published via a URL.

Any idea when this patch will be released? Thanks.

Cheers,
Arnaud Fontaine




Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-25 Thread Tres Seaver

On 11/24/2012 09:07 PM, Arnaud Fontaine wrote:

 Luciano Bello luci...@debian.org writes:
 
 Hi, please see : http://seclists.org/oss-sec/2012/q4/249
 
 Can you confirm if any of the Debian packages are affected?
 
 As far as I could find (not clear in the upstream changelog):

The CVEs were not identified during the release cycles in which those
fixes were released.  Plone's hotfix includes monkey-patches for them to
permit fixing older Zope versions.

 version 2.12.26: * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508. *
 LP #930812 fixes CVE 2012-5486.
 
 version 2.12.21: * LP #1079238 fixes CVE 2012-5489.
 
 According to the upstream changelog, LP #1047318 seems to fix a
 security bug, but I could not find it in zope2 launchpad nor anywhere
 else.

That bug was still in Private Security state:  I have updated it to
Public Security, so you would be able to view it:

 https://bugs.launchpad.net/zope2/+bug/1047318

snip

 Not fixed in latest release of Zope AFAIK:
 
 * CVE-2012-5487 (allow_module.py) 
 http://plone.org/products/plone/security/advisories/20121106/03

I don't believe that this can be a bug in Zope itself:  adding
'__roles__' to a module-scope function is pointless unless the module
itself is importable by untrusted (TTW) code.  The
'AccessControl.SecurityInfo' module should *certainly* not be exposed to
untrusted code.   If some other out-of-Zope-core module which is supposed
to be importable by TTW code imports that function at module scope, then
fix *that* module instead.

 * CVE-2012-5505 (zope.traversing: atat.py) 
 http://plone.org/products/plone/security/advisories/20121106/21

That fix is also disputed:  hiding the default view from the '@@'
name does not actually improve security at all.  There is a Launchpad bug
where it is being debated (#1079225), but that bug is still in Private
Security mode.  The correct fix is to change the code of the
multi-adapter to barf if published via a URL.



Tres.
-- 
===
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   Excellence by Design     http://palladion.com


Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-24 Thread Arnaud Fontaine
Hello,

Luciano Bello luci...@debian.org writes:

 Hi, please see : http://seclists.org/oss-sec/2012/q4/249

 Can you confirm if any of the Debian packages are affected?

As far as I could find (not clear in the upstream changelog):

version 2.12.26:
  * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
  * LP #930812 fixes CVE 2012-5486.

version 2.12.21:
  * LP #1079238 fixes CVE 2012-5489.

According to the upstream changelog, LP #1047318 seems to fix a security
bug, but I could not find it in zope2 launchpad nor anywhere else.

The following CVEs are not affecting the Zope2 package (Plone/Zope3/..)
(within brackets is the Product/module/... affected along with the
corresponding filename in Plone Hotfix):

* CVE-2012-5485 (Plone: registerConfiglet.py)
  http://plone.org/products/plone/security/advisories/20121106/01

* CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
  (Plone-specific: python_scripts.py)
  http://plone.org/products/plone/security/advisories/20121106/04
  http://plone.org/products/plone/security/advisories/20121106/10
  http://plone.org/products/plone/security/advisories/20121106/11
  http://plone.org/products/plone/security/advisories/20121106/15
  http://plone.org/products/plone/security/advisories/20121106/22

* CVE-2012-5490 (kss: kssdevel.py)
  http://plone.org/products/plone/security/advisories/20121106/06

* CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
  http://plone.org/products/plone/security/advisories/20121106/12
  http://plone.org/products/plone/security/advisories/20121106/20

* CVE-2012-5492 (Plone: uid_catalog.py)
  http://plone.org/products/plone/security/advisories/20121106/08

* CVE-2012-5493 (CMFCore: gtbn.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5496 (Plone: kupu_spellcheck.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5497 (Plone: membership_tool.py)
  http://plone.org/products/plone/security/advisories/20121106/13

* CVE-2012-5498 (Plone: queryCatalog.py)
  http://plone.org/products/plone/security/advisories/20121106/14

* CVE-2012-5500 (Plone: renameObjectsByPaths.py)
  http://plone.org/products/plone/security/advisories/20121106/15

* CVE-2012-5501 (Plone: at_download.py)
  http://plone.org/products/plone/security/advisories/20121106/17

* CVE-2012-5502 (PortalTransforms: safe_html.py)
  http://plone.org/products/plone/security/advisories/20121106/18

* CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
  http://plone.org/products/plone/security/advisories/20121106/19

Not fixed in latest release of Zope AFAIK:

* CVE-2012-5487 (allow_module.py)
  http://plone.org/products/plone/security/advisories/20121106/03

* CVE-2012-5505 (zope.traversing: atat.py)
  http://plone.org/products/plone/security/advisories/20121106/21

I have attached to this email the patches for these two CVEs and will
upload them soon. I'm CC'ing zope-dev for review.

Regards,
Arnaud Fontaine

Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
===
--- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-22 18:57:27.0 +0900
+++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-24 13:23:20.669183242 +0900
@@ -311,6 +311,8 @@
 ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
 dot = module_name.find('.', dot + 1)
 
+allow_module.__roles__ = ()
+
 def allow_class(Class):
 Allow a class and all of its methods to be used from a
 restricted Script.  The argument Class must be a class.
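Review bot: `allow_module.__roles__ = ()` only matters if `AccessControl.SecurityInfo` is reachable from restricted code, which the reply in this thread says it must never be; put a one-line comment above the new assignment saying why the function is being protected, and add a restricted-Python test showing an untrusted script cannot call it, so the next reader does not have to rediscover the reasoning. Also note that `allow_class` in the context lines just below is left without the same `__roles__`; if the protection is intended, apply it consistently or state why only `allow_module` needs it.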
Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py
===
--- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-22 19:00:29.0 +0900
+++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-24 13:16:40.229707666 +0900
@@ -31,7 +31,7 @@
 from zope.traversing.interfaces import IEtcNamespace
 from zope.traversing.interfaces import IPathAdapter
 from zope.traversing.interfaces import ITraversable
-
+from zope.traversing.interfaces import TraversalError
 
 class UnexpectedParameters(LocationError):
 Unexpected namespace parameters were provided.
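Review bot: the new `from zope.traversing.interfaces import TraversalError` replaces the blank line that separated the import block from `class UnexpectedParameters`, leaving a single blank line before the class; keep the blank line. Since `LocationError` is already imported here (it is the base class in the context lines), check whether raising it would do before adding another import.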
@@ -325,6 +325,9 @@
 self.request = request
 
 def traverse(self, name, ignored):
+if not name:
+raise TraversalError(self.context, name)
+
 view = zope.component.queryMultiAdapter((self.context, self.request),
 name=name)
 if view is None:
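Review bot: the early `if not name: raise TraversalError(self.context, name)` refuses an empty view name in the `view` namespace only; the unnamed multi-adapter stays registered and the `queryMultiAdapter((self.context, self.request), name=name)` lookup below still returns it to any other caller, which is the objection raised earlier in this thread. If this ships as a hotfix, say so in a comment at the raise site and add a test that `traverse('', ())` raises TraversalError while a named view still resolves, so the guard is not mistaken for the underlying fix.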

