Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix
Hello, Luciano Bello <luciano@debian.org> writes:
Hi, please see : http://seclists.org/oss-sec/2012/q4/249
Can you confirm if any of the Debian packages are affected?
As far as I could find (not clear in the upstream changelog):

version 2.12.26:
* LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
* LP #930812 fixes CVE 2012-5486.

version 2.12.21:
* LP #1079238 fixes CVE 2012-5489.

According to the upstream changelog, LP #1047318 seems to fix a security bug, but I could not find it in zope2 launchpad nor anywhere else.

The following CVEs do not affect the Zope2 package (Plone/Zope3/..) (within brackets is the Product/module/... affected along with the corresponding filename in the Plone Hotfix):

* CVE-2012-5485 (Plone: registerConfiglet.py)
  http://plone.org/products/plone/security/advisories/20121106/01
* CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506 (Plone-specific: python_scripts.py)
  http://plone.org/products/plone/security/advisories/20121106/04
  http://plone.org/products/plone/security/advisories/20121106/10
  http://plone.org/products/plone/security/advisories/20121106/11
  http://plone.org/products/plone/security/advisories/20121106/15
  http://plone.org/products/plone/security/advisories/20121106/22
* CVE-2012-5490 (kss: kssdevel.py)
  http://plone.org/products/plone/security/advisories/20121106/06
* CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
  http://plone.org/products/plone/security/advisories/20121106/12
  http://plone.org/products/plone/security/advisories/20121106/20
* CVE-2012-5492 (Plone: uid_catalog.py)
  http://plone.org/products/plone/security/advisories/20121106/08
* CVE-2012-5493 (CMFCore: gtbn.py)
  http://plone.org/products/plone/security/advisories/20121106/09
* CVE-2012-5496 (Plone: kupu_spellcheck.py)
  http://plone.org/products/plone/security/advisories/20121106/09
* CVE-2012-5497 (Plone: membership_tool.py)
  http://plone.org/products/plone/security/advisories/20121106/13
* CVE-2012-5498 (Plone: queryCatalog.py)
  http://plone.org/products/plone/security/advisories/20121106/14
* CVE-2012-5500 (Plone: renameObjectsByPaths.py)
  http://plone.org/products/plone/security/advisories/20121106/15
* CVE-2012-5501 (Plone: at_download.py)
  http://plone.org/products/plone/security/advisories/20121106/17
* CVE-2012-5502 (PortalTransforms: safe_html.py)
  http://plone.org/products/plone/security/advisories/20121106/18
* CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
  http://plone.org/products/plone/security/advisories/20121106/19

Not fixed in latest release of Zope AFAIK:
* CVE-2012-5487 (allow_module.py)
  http://plone.org/products/plone/security/advisories/20121106/03
* CVE-2012-5505 (zope.traversing: atat.py)
  http://plone.org/products/plone/security/advisories/20121106/21

I have attached to this email the patches for these two CVEs and will upload them soon. I'm CC'ing zope-dev for review.

Regards,
Arnaud Fontaine
On 11/24/2012 09:07 PM, Arnaud Fontaine wrote:
Luciano Bello <luciano@debian.org> writes:
Hi, please see : http://seclists.org/oss-sec/2012/q4/249
Can you confirm if any of the Debian packages are affected?
As far as I could find (not clear in the upstream changelog):
The CVEs were not identified during the release cycles in which those fixes were released. Plone's hotfix includes monkey-patches for them to permit fixing older Zope versions.
version 2.12.26:
* LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
* LP #930812 fixes CVE 2012-5486.
version 2.12.21:
* LP #1079238 fixes CVE 2012-5489.
According to the upstream changelog, LP #1047318 seems to fix a security bug, but I could not find it in zope2 launchpad nor anywhere else.
That bug was still in "Private Security" state: I have updated it to "Public Security", so you would be able to view it: https://bugs.launchpad.net/zope2/+bug/1047318
<snip>
Not fixed in latest release of Zope AFAIK:
* CVE-2012-5487 (allow_module.py) http://plone.org/products/plone/security/advisories/20121106/03
I don't believe that this can be a bug in Zope itself: adding '__roles__' to a module-scope function is pointless unless the module itself is importable by untrusted (TTW) code. The 'AccessControl.SecurityInfo' module should *certainly* not be exposed to untrusted code. If some other out-of-Zope-core module which is supposed to be importable by TTW code imports that function at module scope, then fix *that* module instead.
* CVE-2012-5505 (zope.traversing: atat.py) http://plone.org/products/plone/security/advisories/20121106/21
That "fix" is also disputed: hiding the "default" view from the '@@' name does not actually improve security at all. There is a Launchpad bug where it is being debated (#1079225), but that bug is still in "Private Security" mode. The correct fix is to change the code of the multi-adapter to barf if published via a URL.

Tres.

--
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
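The check that Tres's reasoning about CVE-2012-5487 implies, as an added example that is neither from this thread nor Zope or Plone code: a '__roles__' guard on a module-scope function only matters if the module is reachable from untrusted through-the-web (TTW) code, so the thing to audit is which modules an add-on has declared TTW-importable via AccessControl's allow_module() and whether any of them re-export a name from AccessControl.SecurityInfo at module scope. The add-on module names and sources below are constructed.

```python
import ast
# Module the thread says must never be importable by through-the-web (TTW) code.
SENSITIVE_MODULE = "AccessControl.SecurityInfo"

def allowed_modules(registration_src):
    """Module names passed to allow_module('...'), i.e. declared TTW-importable."""
    names = set()
    for node in ast.walk(ast.parse(registration_src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "allow_module" and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            names.add(node.args[0].value)
    return names

def module_scope_imports_from(src, origin):
    """Names bound at module scope from `origin`. Imports inside a def or class
    body are ignored on purpose: they are not re-exported by the module."""
    found = []
    for node in ast.parse(src).body:  # top-level statements only
        if isinstance(node, ast.ImportFrom) and node.module == origin:
            found.extend(a.asname or a.name for a in node.names)
        elif isinstance(node, ast.Import):
            found.extend(a.asname or a.name for a in node.names if a.name == origin)
    return found

def audit(sources, registration_src):
    """sources: {module name: source text}. Returns {module: [leaked names]} for
    modules that are both TTW-importable and re-export SENSITIVE_MODULE."""
    exposed = allowed_modules(registration_src)
    findings = {}
    for mod, src in sources.items():
        if mod in exposed:
            leaked = module_scope_imports_from(src, SENSITIVE_MODULE)
            if leaked:
                findings[mod] = leaked
    return findings

# Constructed sample inputs: a hypothetical add-on, not real Zope or Plone code.
REGISTRATION = ("from AccessControl import allow_module\n"
                "allow_module('myaddon.helpers')\nallow_module('myaddon.safe')\n")
SOURCES = {
    # TTW-importable and re-exports a SecurityInfo name at module scope: flagged.
    "myaddon.helpers": "from AccessControl.SecurityInfo import ModuleSecurityInfo\n",
    # TTW-importable, but the import is local to a function: nothing re-exported.
    "myaddon.safe": "def setup():\n    from AccessControl.SecurityInfo import ModuleSecurityInfo\n",
    # Re-exports the name but was never allow_module()'d: unreachable from TTW code.
    "myaddon.internal": "from AccessControl.SecurityInfo import ModuleSecurityInfo\n",
}
```

Only myaddon.helpers is reported: the fix belongs in that module (stop re-exporting the name), not in AccessControl.SecurityInfo, which is exactly the point Tres makes.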
Hello, Tres Seaver <tseaver@palladion.com> writes:
version 2.12.21: * LP #1079238 fixes CVE 2012-5489.
According to the upstream changelog, LP #1047318 seems to fix a security bug, but I could not find it in zope2 launchpad nor anywhere else.
That bug was still in "Private Security" state: I have updated it to "Public Security", so you would be able to view it:
Thank you very much.
Not fixed in latest release of Zope AFAIK:
* CVE-2012-5487 (allow_module.py) http://plone.org/products/plone/security/advisories/20121106/03
I don't believe that this can be a bug in Zope itself: adding '__roles__' to a module-scope function is pointless unless the module itself is importable by untrusted (TTW) code. The 'AccessControl.SecurityInfo' module should *certainly* not be exposed to untrusted code. If some other out-of-Zope-core module which is supposed to be importable by TTW code imports that function at module scope, then fix *that* module instead.
Indeed, thanks for your explanation.
* CVE-2012-5505 (zope.traversing: atat.py) http://plone.org/products/plone/security/advisories/20121106/21
That "fix" is also disputed: hiding the "default" view from the '@@' name does not actually improve security at all. There is a Launchpad bug where it is being debated (#1079225), but that bug is still in "Private Security" mode. The correct fix is to change the code of the multi-adapter to barf if published via a URL.
Any idea when this patch will be released? Thanks.

Cheers,
Arnaud Fontaine