Hello, Luciano Bello <luci...@debian.org> writes:
> Hi, please see : http://seclists.org/oss-sec/2012/q4/249
>
> Can you confirm if any of the Debian packages are affected?

As far as I could find (not clear in the upstream changelog):

version 2.12.26:
  * LP #1071067 fixes CVE-2012-5507, CVE-2012-5508.
  * LP #930812 fixes CVE-2012-5486.

version 2.12.21:
  * LP #1079238 fixes CVE-2012-5489.

According to the upstream changelog, LP #1047318 seems to fix a security
bug, but I could not find it in zope2 launchpad nor anywhere else.

The following CVEs do not affect the Zope2 package (Plone/Zope3/..)
(within brackets is the Product/module/... affected, along with the
corresponding filename in the Plone Hotfix):

  * CVE-2012-5485 (Plone: registerConfiglet.py)
    http://plone.org/products/plone/security/advisories/20121106/01
  * CVE-2012-5488/CVE-2012-5494/CVE-2012-5495/CVE-2012-5499/CVE-2012-5506
    (Plone-specific: python_scripts.py)
    http://plone.org/products/plone/security/advisories/20121106/04
    http://plone.org/products/plone/security/advisories/20121106/10
    http://plone.org/products/plone/security/advisories/20121106/11
    http://plone.org/products/plone/security/advisories/20121106/15
    http://plone.org/products/plone/security/advisories/20121106/22
  * CVE-2012-5490 (kss: kssdevel.py)
    http://plone.org/products/plone/security/advisories/20121106/06
  * CVE-2012-5491/CVE-2012-5504 (z3c.form (Zope3): widget_traversal.py)
    http://plone.org/products/plone/security/advisories/20121106/12
    http://plone.org/products/plone/security/advisories/20121106/20
  * CVE-2012-5492 (Plone: uid_catalog.py)
    http://plone.org/products/plone/security/advisories/20121106/08
  * CVE-2012-5493 (CMFCore: gtbn.py)
    http://plone.org/products/plone/security/advisories/20121106/09
  * CVE-2012-5496 (Plone: kupu_spellcheck.py)
    http://plone.org/products/plone/security/advisories/20121106/09
  * CVE-2012-5497 (Plone: membership_tool.py)
    http://plone.org/products/plone/security/advisories/20121106/13
  * CVE-2012-5498 (Plone: queryCatalog.py)
    http://plone.org/products/plone/security/advisories/20121106/14
  * CVE-2012-5500 (Plone: renameObjectsByPaths.py)
    http://plone.org/products/plone/security/advisories/20121106/15
  * CVE-2012-5501 (Plone: at_download.py)
    http://plone.org/products/plone/security/advisories/20121106/17
  * CVE-2012-5502 (PortalTransforms: safe_html.py)
    http://plone.org/products/plone/security/advisories/20121106/18
  * CVE-2012-5503 (Plone-specific: ObjectManager: ftp.py)
    http://plone.org/products/plone/security/advisories/20121106/19

Not fixed in latest release of Zope AFAIK:

  * CVE-2012-5487 (allow_module.py)
    http://plone.org/products/plone/security/advisories/20121106/03
  * CVE-2012-5505 (zope.traversing: atat.py)
    http://plone.org/products/plone/security/advisories/20121106/21

I have attached to this email the patches for these two CVEs and will
upload them soon. I'm CC'ing zope-dev for review.

Regards,
Arnaud Fontaine
Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py =================================================================== --- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-22 18:57:27.000000000 +0900 +++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py 2012-11-24 13:23:20.669183242 +0900 @@ -311,6 +311,8 @@ ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1) dot = module_name.find('.', dot + 1) +allow_module.__roles__ = () + def allow_class(Class): """Allow a class and all of its methods to be used from a restricted Script. The argument Class must be a class."""
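Review bot: the hunk makes only `allow_module` private (`allow_module.__roles__ = ()`), but the trailing context shows `allow_class`, whose own docstring says it lets a class "be used from a restricted Script"; if `allow_class` (or any similar helper in this module) is reachable from restricted code by the same route, it needs the same `__roles__ = ()` treatment, so check this against the hotfix's allow_module.py referenced in the mail before uploading. Also put a one-line comment above the assignment saying why it is there (CVE-2012-5487: an empty `__roles__` tuple denies every role, so restricted code can no longer call the function); a bare attribute assignment sitting after the function body and before `def allow_class` is easy to mistake for stray code and drop in a later cleanup.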
Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py =================================================================== --- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-22 19:00:29.000000000 +0900 +++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py 2012-11-24 13:16:40.229707666 +0900 @@ -31,7 +31,7 @@ from zope.traversing.interfaces import IEtcNamespace from zope.traversing.interfaces import IPathAdapter from zope.traversing.interfaces import ITraversable - +from zope.traversing.interfaces import TraversalError class UnexpectedParameters(LocationError): "Unexpected namespace parameters were provided." @@ -325,6 +325,9 @@ self.request = request def traverse(self, name, ignored): + if not name: + raise TraversalError(self.context, name) + view = zope.component.queryMultiAdapter((self.context, self.request), name=name) if view is None:
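Review bot: the first hunk replaces the blank line after the import block with `from zope.traversing.interfaces import TraversalError`, so `class UnexpectedParameters(LocationError):` now follows the imports with no separating blank line; add the import as an extra line and keep the blank one. Note also that `LocationError` is already imported and used in this module (the visible `UnexpectedParameters` base class), so if raising `LocationError` is acceptable for the empty-name case the import hunk can be dropped entirely; if `TraversalError` is deliberately chosen, say why in the patch header.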
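Review bot: the guard `if not name: raise TraversalError(self.context, name)` in `view.traverse` stops an empty view name (a bare `@@`) from reaching `zope.component.queryMultiAdapter((self.context, self.request), name=name)`, where `name=''` would look up the unnamed (context, request) adapter instead of a view, but nothing in the patch exercises it; add a test that traversing `@@` with an empty name raises. The check is local to `view.traverse`; any other namespace handler in this module that forwards `name` to an adapter lookup should be reviewed for the same empty-name case, since this hunk covers only the one method.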