[Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Tres Seaver tseaver at palladion.com
Mon Nov 26 00:26:16 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/24/2012 09:07 PM, Arnaud Fontaine wrote:

> Luciano Bello <luciano at debian.org> writes:
> 
>> Hi, please see : http://seclists.org/oss-sec/2012/q4/249
>> 
>> Can you confirm if any of the Debian packages are affected?
> 
> As far as I could find (not clear in the upstream changelog):

The CVEs were not identified during the release cycles in which those
fixes were released.  Plone's hotfix includes monkey-patches for them to
permit fixing older Zope versions.

> version 2.12.26: * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508. *
> LP #930812 fixes CVE 2012-5486.
> 
> version 2.12.21: * LP #1079238 fixes CVE 2012-5489.
> 
> According to the upstream changelog, LP #1047318 seems to fix a
> security bug, but I could not find it in zope2 launchpad nor anywhere
> else.

That bug was still in "Private Security" state:  I have updated it to
"Public Security", so you whould be able to view it:

 https://bugs.launchpad.net/zope2/+bug/1047318

<snip>

> Not fixed in latest release of Zope AFAIK:
> 
> * CVE-2012-5487 (allow_module.py) 
> http://plone.org/products/plone/security/advisories/20121106/03

I don't believe that this can be a bug in Zope itself:  adding
'__roles__' to a module-scope function is pointless unless the module
itself is importable by untrusted (TTW) code.  The
'AccessControl.SecurityInfo' module should *certainly* not be exposed to
untrusted code.   If some other out-of-Zope-core module which is supposed
to be importable by TTW code imports that function at module scope, then
fix *that* module instead.

> * CVE-2012-5505 (zope.traversing: atat.py) 
> http://plone.org/products/plone/security/advisories/20121106/21

That "fix" is also disputed:  hiding the "default" view from the '@@'
name does not actually improve security at all.  There is a Launchpad bug
where it is being debated (#1079225), but that bug is still in "Private
Security" mode.  The correct fix is to change the code of the
multi-adapter to barf if published via a URL.



Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCytygACgkQ+gerLs4ltQ4yfQCfV3ORolGU92gFiKqVSUvfr4Tu
fGEAoNR5bgzFnYDLkuukZ1z0OUugwJ7V
=YSuX
-----END PGP SIGNATURE-----

More information about the Zope-Dev mailing list