[Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Arnaud Fontaine arnau at debian.org
Sun Nov 25 02:07:38 UTC 2012


Hello,

Luciano Bello <luciano at debian.org> writes:

> Hi, please see : http://seclists.org/oss-sec/2012/q4/249
>
> Can you confirm if any of the Debian packages are affected?

As far as I could find (not clear in the upstream changelog):

version 2.12.26:
  * LP #1071067 fixes CVE-2012-5507, CVE-2012-5508.
  * LP #930812 fixes CVE-2012-5486.

version 2.12.21:
  * LP #1079238 fixes CVE-2012-5489.

According to the upstream changelog, LP #1047318 seems to fix a security
bug, but I could not find it in zope2 launchpad nor anywhere else.

The following CVEs do not affect the Zope2 package (Plone/Zope3/..)
(within brackets is the Product/module/... affected along with the
corresponding filename in the Plone Hotfix):

* CVE-2012-5485 (Plone: registerConfiglet.py)
  http://plone.org/products/plone/security/advisories/20121106/01

* CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
  (Plone-specific: python_scripts.py)
  http://plone.org/products/plone/security/advisories/20121106/04
  http://plone.org/products/plone/security/advisories/20121106/10
  http://plone.org/products/plone/security/advisories/20121106/11
  http://plone.org/products/plone/security/advisories/20121106/15
  http://plone.org/products/plone/security/advisories/20121106/22

* CVE-2012-5490 (kss: kssdevel.py)
  http://plone.org/products/plone/security/advisories/20121106/06

* CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
  http://plone.org/products/plone/security/advisories/20121106/12
  http://plone.org/products/plone/security/advisories/20121106/20

* CVE-2012-5492 (Plone: uid_catalog.py)
  http://plone.org/products/plone/security/advisories/20121106/08

* CVE-2012-5493 (CMFCore: gtbn.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5496 (Plone: kupu_spellcheck.py)
  http://plone.org/products/plone/security/advisories/20121106/09

* CVE-2012-5497 (Plone: membership_tool.py)
  http://plone.org/products/plone/security/advisories/20121106/13

* CVE-2012-5498 (Plone: queryCatalog.py)
  http://plone.org/products/plone/security/advisories/20121106/14

* CVE-2012-5500 (Plone: renameObjectsByPaths.py)
  http://plone.org/products/plone/security/advisories/20121106/15

* CVE-2012-5501 (Plone: at_download.py)
  http://plone.org/products/plone/security/advisories/20121106/17

* CVE-2012-5502 (PortalTransforms: safe_html.py)
  http://plone.org/products/plone/security/advisories/20121106/18

* CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
  http://plone.org/products/plone/security/advisories/20121106/19

Not fixed in latest release of Zope AFAIK:

* CVE-2012-5487 (allow_module.py)
  http://plone.org/products/plone/security/advisories/20121106/03

* CVE-2012-5505 (zope.traversing: atat.py)
  http://plone.org/products/plone/security/advisories/20121106/21

I have attached to this email the patches for these two CVEs and will
upload them soon. I'm CC'ing zope-dev for review.

Regards,
Arnaud Fontaine

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2012-5487.patch
Type: text/x-diff
Size: 670 bytes
Desc: not available
URL: <http://mail.zope.org/pipermail/zope-dev/attachments/20121125/38bd6d4e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2012-5505.patch
Type: text/x-diff
Size: 1051 bytes
Desc: not available
URL: <http://mail.zope.org/pipermail/zope-dev/attachments/20121125/38bd6d4e/attachment-0001.bin>