Your message dated Wed, 12 Aug 2009 10:17:40 +0000
with message-id <e1mbato-0005co...@ries.debian.org>
and subject line Bug#540463: fixed in zope2.11 2.11.4-1
has caused the Debian Bug report #540463,
regarding CVE-2009-0668, CVE-2009-0669
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
540463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zope2.11
Severity: serious
Tags: security patch

Hi,

Two vulnerabilities have been reported in Zope, which can be exploited by
malicious people to bypass certain security restrictions and compromise a
vulnerable system.

1) A missing access control check was found in the way Zope Enterprise Objects
(ZEO) used to manage remote connections to the Zope server. A remote attacker
could use this flaw to execute arbitrary Python code in the context of
Zope server.  (CVE-2009-0668)[0]

2) A weakness was found in the Zope Enterprise Objects (ZEO) authentication
protocol. A remote attacker could use this flaw to bypass the authentication
to the Zope Object Database (ZODB).  (CVE-2009-0669)[1]

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0668
    http://security-tracker.debian.net/tracker/CVE-2009-0668
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0669
    http://security-tracker.debian.net/tracker/CVE-2009-0669

    http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

Cheers,
Giuseppe.

=== StorageServer.py
==================================================================
--- StorageServer.py	(revision 167632)
+++ StorageServer.py	(local)
@@ -111,7 +111,7 @@
         for func in self.extensions:
             self._extensions[func.func_name] = None
 
-    def finish_auth(self, authenticated):
+    def _finish_auth(self, authenticated):
         if not self.auth_realm:
             return 1
         self.authenticated = authenticated
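Review bot: the rename to `_finish_auth` only stops remote callers if the RPC dispatcher refuses underscore-prefixed method names, and nothing in this hunk shows that check; add a regression test that issues `finish_auth` as a remote call and asserts it is rejected, so the protection does not silently rest on a naming convention. The early `return 1` when `auth_realm` is unset is unchanged and still reports success without any check, which is correct only if an unset realm means authentication is deliberately disabled by configuration.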
@@ -421,6 +421,7 @@
 
     def new_oids(self, n=100):
         """Return a sequence of n new oids, where n defaults to 100"""
+        n = min(n, 100)
         if self.read_only:
             raise ReadOnlyError()
         if n <= 0:
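Review bot: the docstring two lines above `n = min(n, 100)` no longer matches the behaviour, since a request for more than 100 oids now silently returns 100; either change it to say "at most 100" or reject oversized requests with an error so callers notice. Placing the clamp before the `read_only` and `n <= 0` checks is fine, because `min` leaves a non-positive `n` untouched for the later check.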
=== auth/auth_digest.py
==================================================================
--- auth/auth_digest.py	(revision 167632)
+++ auth/auth_digest.py	(local)
@@ -121,7 +121,7 @@
         check = hexdigest("%s:%s" % (h_up, challenge))
         if check == response:
             self.connection.setSessionKey(session_key(h_up, self._key_nonce))
-        return self.finish_auth(check == response)
+        return self._finish_auth(check == response)
 
     extensions = [auth_get_challenge, auth_response]
 
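Review bot: the `extensions` list in the trailing context is the explicit set of remotely callable auth methods, so a short comment here stating that `_finish_auth` is kept off that list and behind a leading underscore on purpose would stop a future cleanup from reopening the issue. Separately, the unchanged `check == response` line above compares hex digests with plain string equality; a constant-time comparison is the safer choice for an authentication decision.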
=== tests/auth_plaintext.py
==================================================================
--- tests/auth_plaintext.py	(revision 167632)
+++ tests/auth_plaintext.py	(local)
@@ -41,7 +41,7 @@
             self.connection.setSessionKey(session_key(username,
                                                       self.database.realm,
                                                       password))
-        return self.finish_auth(dbpw == password_dig)
+        return self._finish_auth(dbpw == password_dig)
 
 class PlaintextClient(Client):
     extensions = ["auth"]
=== zrpc/connection.py
==================================================================
--- zrpc/connection.py	(revision 167632)
+++ zrpc/connection.py	(local)
@@ -24,7 +24,7 @@
 import ThreadedAsync
 from ZEO.zrpc import smac
 from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
 from ZEO.zrpc.trigger import trigger
 from ZEO.zrpc.log import short_repr, log
 from ZODB.loglevels import BLATHER, TRACE
@@ -883,6 +883,7 @@
     def __init__(self, sock, addr, obj, mgr):
         self.mgr = mgr
         self.__super_init(sock, addr, obj, 'S')
+        self.marshal = ServerMarshaller()
         self.obj.notifyConnected(self)
 
     def handshake(self):
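Review bot: assigning `self.marshal = ServerMarshaller()` after `__super_init` overwrites the marshaller the base constructor installed, so correctness depends on this line running before any message is decoded; a cleaner shape is a class attribute (or constructor parameter) that `__super_init` consults, so a subclass cannot forget the override. Only the server-side connection is switched here; if client connections are also expected to restrict what they unpickle, they need the same treatment.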
=== zrpc/marshal.py
==================================================================
--- zrpc/marshal.py	(revision 167632)
+++ zrpc/marshal.py	(local)
@@ -52,6 +52,20 @@
                 level=logging.ERROR)
             raise
 
+class ServerMarshaller(Marshaller):
+
+    def decode(self, msg):
+        """Decodes msg and returns its parts"""
+        unpickler = cPickle.Unpickler(StringIO(msg))
+        unpickler.find_global = server_find_global
+
+        try:
+            return unpickler.load() # msgid, flags, name, args
+        except:
+            log("can't decode message: %s" % short_repr(msg),
+                level=logging.ERROR)
+            raise
+
 _globals = globals()
 _silly = ('__doc__',)
 
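Review bot: `ServerMarshaller.decode` duplicates the parent `decode` apart from the `find_global` hook, which invites the two copies to drift; make the hook a class attribute that the base `decode` assigns to the unpickler and let `ServerMarshaller` override only that attribute. The bare `except:` is acceptable here only because it re-raises after logging, so keep that re-raise if the block is ever touched again.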
@@ -78,3 +92,21 @@
         return r
 
     raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+    """Helper for message unpickler"""
+    try:
+        m = __import__(module, _globals, _globals, _silly)
+    except ImportError, msg:
+        raise ZRPCError("import error %s: %s" % (module, msg))
+
+    try:
+        r = getattr(m, name)
+    except AttributeError:
+        raise ZRPCError("module %s has no global %s" % (module, name))
+
+    safe = getattr(r, '__no_side_effects__', 0)
+    if safe:
+        return r
+
+    raise ZRPCError("Unsafe global: %s.%s" % (module, name))
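Review bot: `server_find_global` still calls `__import__` on the caller-supplied module name before any check, so an unexpected module can be imported (with its import-time side effects) even though the lookup is then refused; check the module name against an allow-list of expected modules before importing. The function also repeats `find_global` line for line up to the `__no_side_effects__` test, so factor the shared import-and-lookup into one helper that both entry points call with their own acceptance predicate.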

--- End Message ---
--- Begin Message ---
Source: zope2.11
Source-Version: 2.11.4-1

We believe that the bug you reported is fixed in the latest version of
zope2.11, which is due to be installed in the Debian FTP archive:

zope2.11-sandbox_2.11.4-1_all.deb
  to pool/main/z/zope2.11/zope2.11-sandbox_2.11.4-1_all.deb
zope2.11_2.11.4-1.diff.gz
  to pool/main/z/zope2.11/zope2.11_2.11.4-1.diff.gz
zope2.11_2.11.4-1.dsc
  to pool/main/z/zope2.11/zope2.11_2.11.4-1.dsc
zope2.11_2.11.4-1_amd64.deb
  to pool/main/z/zope2.11/zope2.11_2.11.4-1_amd64.deb
zope2.11_2.11.4.orig.tar.gz
  to pool/main/z/zope2.11/zope2.11_2.11.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 540...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <m...@debian.org> (supplier of updated zope2.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 09 Aug 2009 16:00:28 +0200
Source: zope2.11
Binary: zope2.11 zope2.11-sandbox
Architecture: source amd64 all
Version: 2.11.4-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Meurer <m...@debian.org>
Changed-By: Jonas Meurer <m...@debian.org>
Description: 
 zope2.11   - Open Source Web Application Server
 zope2.11-sandbox - sandbox instance for the zope2.11 web application server
Closes: 540158 540463
Changes: 
 zope2.11 (2.11.4-1) unstable; urgency=high
 .
   * New upstream release, fixes two vulnerabilities in the ZEO network
     protocol: CVE-2009-0668 and CVE-2009-0669. (closes: #540463)
   * Add support to start a particular instance to initscript.
   * Bump pre-depends on zope-common to 0.5.49 and build-depends on debhelper
     to 0.3.14 to use invoke-rc.d in maintainer scripts. (closes: #540158)
   * Set urgency=high as this upload fixes two serious bugs.

--- End Message ---