Your message dated Wed, 12 Aug 2009 10:17:34 +0000
with message-id <[email protected]>
and subject line Bug#540464: fixed in zope2.10 2.10.9-1
has caused the Debian Bug report #540464,
regarding CVE-2009-0668, CVE-2009-0669
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
540464: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: zope2.10
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.

1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of
Zope server.  (CVE-2009-0668)[0]

2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB).  (CVE-2009-0669)[1]

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
    http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
    http://security-tracker.debian.net/tracker/CVE-2009-0669

    http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp9N8EACgkQNxpp46476arVPQCeOfUT1sVlZUSXMETleD8pD+6A
AA8AniYpFrHT9ERJ5UpgFXkcHkxgDIqF
=UJsU
-----END PGP SIGNATURE-----
=== StorageServer.py
==================================================================
--- StorageServer.py	(revision 167632)
+++ StorageServer.py	(local)
@@ -111,7 +111,7 @@
         for func in self.extensions:
             self._extensions[func.func_name] = None
 
-    def finish_auth(self, authenticated):
+    def _finish_auth(self, authenticated):
         if not self.auth_realm:
             return 1
         self.authenticated = authenticated
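Review bot: the rename `finish_auth` to `_finish_auth` in StorageServer.py only closes the hole if the RPC dispatcher refuses to call names that start with an underscore, and that rule is not visible in this hunk; add a comment above `_finish_auth` stating that the leading underscore is what keeps it off the remotely callable surface, and a test that a client invoking either name over the wire is rejected. Note also that when `self.auth_realm` is unset the method returns 1 without ever setting `self.authenticated`, so callers should not read that attribute in the no-realm case.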
@@ -421,6 +421,7 @@
 
     def new_oids(self, n=100):
         """Return a sequence of n new oids, where n defaults to 100"""
+        n = min(n, 100)
         if self.read_only:
             raise ReadOnlyError()
         if n <= 0:
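Review bot: `n = min(n, 100)` caps the request before the `read_only` and `n <= 0` checks, which is the right order, but the cap and the default are the same literal 100 written twice in this method; hoist it into a named constant and extend the docstring ("Return a sequence of n new oids, where n defaults to 100") to say that larger requests are silently clamped rather than refused, since callers will otherwise assume they received as many oids as they asked for.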
=== auth/auth_digest.py
==================================================================
--- auth/auth_digest.py	(revision 167632)
+++ auth/auth_digest.py	(local)
@@ -121,7 +121,7 @@
         check = hexdigest("%s:%s" % (h_up, challenge))
         if check == response:
             self.connection.setSessionKey(session_key(h_up, self._key_nonce))
-        return self.finish_auth(check == response)
+        return self._finish_auth(check == response)
 
     extensions = [auth_get_challenge, auth_response]
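Review bot: the auth_digest.py call site now uses `_finish_auth`, but `check == response` is still evaluated twice, once to decide whether `setSessionKey` runs and once for the return value; compute the boolean once and pass it to both, and add a test covering a matching and a non-matching `response` so any later rename of the helper cannot miss this file again.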
 
=== tests/auth_plaintext.py
==================================================================
--- tests/auth_plaintext.py	(revision 167632)
+++ tests/auth_plaintext.py	(local)
@@ -41,7 +41,7 @@
             self.connection.setSessionKey(session_key(username,
                                                       self.database.realm,
                                                       password))
-        return self.finish_auth(dbpw == password_dig)
+        return self._finish_auth(dbpw == password_dig)
 
 class PlaintextClient(Client):
     extensions = ["auth"]
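Review bot: same mechanical rename in tests/auth_plaintext.py; since this scheme derives the session key from the cleartext `password` passed to `session_key(username, self.database.realm, password)`, a one-line comment that the module is test support only and not a production authenticator would stop readers treating it as a reference server implementation.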
=== zrpc/connection.py
==================================================================
--- zrpc/connection.py	(revision 167632)
+++ zrpc/connection.py	(local)
@@ -24,7 +24,7 @@
 import ThreadedAsync
 from ZEO.zrpc import smac
 from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
 from ZEO.zrpc.trigger import trigger
 from ZEO.zrpc.log import short_repr, log
 from ZODB.loglevels import BLATHER, TRACE
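Review bot: the new `ServerMarshaller` name imported in zrpc/connection.py is only used by the server connection class later in this file; keep the import and that assignment in the same commit, otherwise a partial backport leaves either an unused import or a `NameError` at connection setup.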
@@ -883,6 +883,7 @@
     def __init__(self, sock, addr, obj, mgr):
         self.mgr = mgr
         self.__super_init(sock, addr, obj, 'S')
+        self.marshal = ServerMarshaller()
         self.obj.notifyConnected(self)
 
     def handshake(self):
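Review bot: `self.marshal = ServerMarshaller()` is assigned only after `self.__super_init(sock, addr, obj, 'S')` returns; if the base initializer installs the default `Marshaller` and registers `sock` for reading, there is a window in which an incoming message could be decoded with the permissive marshaller. Either pass the marshaller class into the base initializer so the server-side one is installed from the start, or confirm (and comment) that no read can be dispatched before this line.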
=== zrpc/marshal.py
==================================================================
--- zrpc/marshal.py	(revision 167632)
+++ zrpc/marshal.py	(local)
@@ -52,6 +52,20 @@
                 level=logging.ERROR)
             raise
 
+class ServerMarshaller(Marshaller):
+
+    def decode(self, msg):
+        """Decodes msg and returns its parts"""
+        unpickler = cPickle.Unpickler(StringIO(msg))
+        unpickler.find_global = server_find_global
+
+        try:
+            return unpickler.load() # msgid, flags, name, args
+        except:
+            log("can't decode message: %s" % short_repr(msg),
+                level=logging.ERROR)
+            raise
+
 _globals = globals()
 _silly = ('__doc__',)
 
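Review bot: `ServerMarshaller.decode` duplicates the base `Marshaller.decode` apart from the single line `unpickler.find_global = server_find_global`; a `find_global` class attribute read by one shared `decode` (overridden in `ServerMarshaller`) would keep the two copies from drifting the next time the decode path changes. The bare `except:` also logs and re-raises everything, including `KeyboardInterrupt`; `except Exception:` is sufficient here.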
@@ -78,3 +92,21 @@
         return r
 
     raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+    """Helper for message unpickler"""
+    try:
+        m = __import__(module, _globals, _globals, _silly)
+    except ImportError, msg:
+        raise ZRPCError("import error %s: %s" % (module, msg))
+
+    try:
+        r = getattr(m, name)
+    except AttributeError:
+        raise ZRPCError("module %s has no global %s" % (module, name))
+
+    safe = getattr(r, '__no_side_effects__', 0)
+    if safe:
+        return r
+
+    raise ZRPCError("Unsafe global: %s.%s" % (module, name))
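Review bot: `server_find_global` runs `__import__(module, _globals, _globals, _silly)` before the `__no_side_effects__` check, so a module name taken from a client message is imported, and its module-level code executed, before the requested global is rejected; validate `module` against an allowlist of the modules the server expects before importing. The import and `getattr` section is the same shape as the `find_global` above it (which ends with the identical "Unsafe global" raise), so factor that part into a shared helper, and replace the docstring "Helper for message unpickler" with one that states the server accepts only objects explicitly marked `__no_side_effects__`.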

--- End Message ---
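As an added example, not part of the bug report above and not Zope or ZEO code: the server-side part of the patch hardens message decoding by giving the unpickler a `find_global` that refuses any global not marked safe. The Python 3 code below shows the same idea with an allowlist-based `Unpickler.find_class` (the Python 3 hook that plays the role of `find_global`), decodes a ZEO-style `(msgid, flags, name, args)` message, and refuses a message that references a class outside the allowlist. The allowlist contents, the message layout and the sample messages are constructed for this example.

```python
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the server-side unpickler may resolve.
# Constructed for this example; ZEO marks safe objects with __no_side_effects__
# instead, but the effect is the same: anything not listed is refused.
SAFE_GLOBALS = frozenset({
    ("builtins", "frozenset"),
    ("builtins", "set"),
    ("builtins", "bytearray"),
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose global lookup is restricted to SAFE_GLOBALS.

    find_class is the Python 3 hook that plays the role of the find_global
    attribute the patch sets on the cPickle unpickler.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Refuse before anything is imported or looked up.
        raise pickle.UnpicklingError("Unsafe global: %s.%s" % (module, name))


def decode_message(msg):
    """Decode one ZEO-style message and return (msgid, flags, name, args).

    Raises pickle.UnpicklingError when the pickle references a global outside
    the allowlist or when the decoded object is not a 4-tuple.
    """
    parts = RestrictedUnpickler(io.BytesIO(msg)).load()
    if not (isinstance(parts, tuple) and len(parts) == 4):
        raise pickle.UnpicklingError("malformed message: %r" % (parts,))
    return parts


def try_decode(msg):
    """Wrap decode_message so a caller can log the outcome without raising."""
    try:
        return ("ok", decode_message(msg))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample messages. Protocol 3 is used so that builtins are pickled
# under the module name "builtins" (protocol 2 would rewrite it to __builtin__).
PLAIN_MSG = pickle.dumps((1, 0, "new_oids", (100,)), protocol=3)
ALLOWED_GLOBAL_MSG = pickle.dumps((2, 0, "loadEx", (frozenset([1, 2]),)), protocol=3)
# datetime.date is an ordinary class, but it is not on the allowlist, so the
# whole message is refused rather than the global being resolved.
UNLISTED_GLOBAL_MSG = pickle.dumps((3, 0, "store", (datetime.date(2009, 8, 12),)),
                                   protocol=3)

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_MSG),
                       ("allowed global", ALLOWED_GLOBAL_MSG),
                       ("unlisted global", UNLISTED_GLOBAL_MSG)):
        print(label, "->", try_decode(msg))
```

The allowlist is deliberately a set of exact `(module, name)` pairs rather than a module prefix: the refusal happens inside `find_class` before any import, which is the ordering a server-side resolver should have, since importing a module named by the peer already runs that module's top-level code.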
--- Begin Message ---
Source: zope2.10
Source-Version: 2.10.9-1

We believe that the bug you reported is fixed in the latest version of
zope2.10, which is due to be installed in the Debian FTP archive:

zope2.10-sandbox_2.10.9-1_all.deb
  to pool/main/z/zope2.10/zope2.10-sandbox_2.10.9-1_all.deb
zope2.10_2.10.9-1.diff.gz
  to pool/main/z/zope2.10/zope2.10_2.10.9-1.diff.gz
zope2.10_2.10.9-1.dsc
  to pool/main/z/zope2.10/zope2.10_2.10.9-1.dsc
zope2.10_2.10.9-1_amd64.deb
  to pool/main/z/zope2.10/zope2.10_2.10.9-1_amd64.deb
zope2.10_2.10.9.orig.tar.gz
  to pool/main/z/zope2.10/zope2.10_2.10.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <[email protected]> (supplier of updated zope2.10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Aug 2009 15:58:49 +0200
Source: zope2.10
Binary: zope2.10 zope2.10-sandbox
Architecture: source amd64 all
Version: 2.10.9-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Meurer <[email protected]>
Changed-By: Jonas Meurer <[email protected]>
Description: 
 zope2.10   - Open Source Web Application Server
 zope2.10-sandbox - sandbox instance for the zope2.10 web application server
Closes: 540159 540464
Changes: 
 zope2.10 (2.10.9-1) unstable; urgency=high
 .
   * New upstream release, fixes two vulnerabilities in the ZEO network
     protocol: CVE-2009-0668 and CVE-2009-0669. (closes: #540464)
   * Add support to start a particular instance to initscript.
   * Bump pre-depends on zope-common to 0.5.49 and build-depends on debhelper
     to 0.3.14 to use invoke-rc.d in maintainer scripts. (closes: #540159)
   * Set urgency=high as this upload fixes two serious bugs.
Checksums-Sha1: 
 8b16815dc1a28b2ea3f71cc8e03b7dfc45fae803 1425 zope2.10_2.10.9-1.dsc
 96271ad13372e2f7db1413805a23b76772a7af86 7175300 zope2.10_2.10.9.orig.tar.gz
 bf85d21d8713f26e8400f0f4c590de2aad0a681d 14618 zope2.10_2.10.9-1.diff.gz
 5e5c572052fd8050fe1a98fa0fe8933c2b68785e 7068002 zope2.10_2.10.9-1_amd64.deb
 6d9c069261bb13b6085266eb395647dd6e14cd44 182008 zope2.10-sandbox_2.10.9-1_all.deb
Checksums-Sha256: 
 eeed2727ec648d103ad48f96eb6b8faf0dff5bdeb0f4ffd9199fb757e6e7efb3 1425 zope2.10_2.10.9-1.dsc
 7c513425f5181c8c142eee5bce15813e5f6830fba499255d51b603626dffa990 7175300 zope2.10_2.10.9.orig.tar.gz
 37aafb37203777edc5d045a5cc15b02527cce3e424f122c33b70af58b69096a4 14618 zope2.10_2.10.9-1.diff.gz
 94ea7e7b87ce0eb2d02021e9baf62d646d870d52295139a70780a31ee6071ae3 7068002 zope2.10_2.10.9-1_amd64.deb
 9519bfb52ac080b92df403c2c56a9b68bec5adee11f2bf93dcc2bcbb0747dbbc 182008 zope2.10-sandbox_2.10.9-1_all.deb
Files: 
 672c170159850e799aed63d004561956 1425 zope optional zope2.10_2.10.9-1.dsc
 e9d87f7f048eeeaf39bb1cdebb5ba634 7175300 zope optional zope2.10_2.10.9.orig.tar.gz
 b4eb5d6ebae7087b800bbd9026af7675 14618 zope optional zope2.10_2.10.9-1.diff.gz
 3d59f8c1166605b84f014c5bef4e68fe 7068002 zope optional zope2.10_2.10.9-1_amd64.deb
 23eedee598275fd75934851a0f6d888c 182008 zope optional zope2.10-sandbox_2.10.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqCkK0ACgkQd6lUs+JfIQJUywCfWmtlATFmWgWUDeH14D5i4Udr
qcIAnjcBV1RCaFGd+p+DXCm0nuwkiamc
=q10d
-----END PGP SIGNATURE-----



--- End Message ---