Hello, two vulnerabilities have been found in the Zope ZEO network protocol. CVEs already exist and are in the Debian security tracker: http://security-tracker.debian.net/tracker/CVE-2009-0668 http://security-tracker.debian.net/tracker/CVE-2009-0669 Upstream released fixed versions of all affected Zope packages: http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html I have now prepared fixed zope2.10 packages for stable-security as well. The packages were built in a clean and up-to-date debian/lenny pbuilder environment, with the -sa option given to dpkg-buildpackage, and all other rules from developers-reference section 5.8.5.4 applied. I made the packages publicly available because patches and fixed versions were already published in a lot of other places. You can find the packages at http://people.debian.org/~mejo/zope/stable-security/ Please review the packages and tell me whether it's ok to upload them to stable-security. The debdiff is attached as well. Greetings, Jonas PS: packages with new (fixed) upstream versions are ready for upload to unstable as well; I am just waiting for comments on pkg-zope-developers due to a rather intrusive fix for another serious bug: http://lists.alioth.debian.org/pipermail/pkg-zope-developers/2009-August/004830.html
diff -u zope2.10-2.10.6/debian/changelog zope2.10-2.10.6/debian/changelog
--- zope2.10-2.10.6/debian/changelog
+++ zope2.10-2.10.6/debian/changelog
@@ -1,3 +1,11 @@
+zope2.10 (2.10.6-1+lenny1) stable-security; urgency=high
+
+ * Fix two vulnerabilities in the ZODB ZEO network protocol (closes: #540464)
+ - CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
+ - CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 10 Aug 2009 00:50:31 +0200
+
 zope2.10 (2.10.6-1) unstable; urgency=low
 
 * New upstream release.
diff -u zope2.10-2.10.6/debian/patches/00list zope2.10-2.10.6/debian/patches/00list
--- zope2.10-2.10.6/debian/patches/00list
+++ zope2.10-2.10.6/debian/patches/00list
@@ -2,0 +3 @@
+zeo-vulerabilities
only in patch2:
unchanged:
--- zope2.10-2.10.6.orig/debian/patches/zeo-vulerabilities.dpatch
+++ zope2.10-2.10.6/debian/patches/zeo-vulerabilities.dpatch
@@ -0,0 +1,112 @@
+#! /bin/sh -e
+##
+## DP: Fix two vulnerabilites in ZEO network protocol:
+## CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
+## CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+--- zope2.10-2.10.6/z/lib/python/ZEO/StorageServer.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+ 
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -356,6 +356,7 @@
+ 
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+--- zope2.10-2.10.6/z/lib/python/ZEO/auth/auth_digest.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+ 
+ extensions = [auth_get_challenge, auth_response]
+ 
+--- zope2.10-2.10.6/z/lib/python/ZEO/tests/auth_plaintext.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+ 
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+--- zope2.10-2.10.6/z/lib/python/ZEO/zrpc/connection.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/zrpc/connection.py
+@@ -25,7 +25,7 @@
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -834,6 +834,7 @@
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+ 
+ def handshake(self):
+--- zope2.10-2.10.6/z/lib/python/ZEO/zrpc/marshal.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@
+ level=logging.ERROR)
+ raise
+ 
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+ 
+@@ -77,3 +91,19 @@
+ return r
+ 
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ if module != 'ZopeUndo.Prefix':
++ raise ImportError
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ return r
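Review bot: In `server_find_global` (the marshal.py hunk at the end of the dpatch) only the module is pinned to `ZopeUndo.Prefix`; `name` is then handed straight to `getattr(m, name)`, so any attribute that module exposes — not just the `Prefix` class — can be resolved, and via pickle's REDUCE opcode called, from a client-supplied message. Presumably `Prefix` is the only global ZEO clients legitimately send (for undo), so the whitelist should cover both halves, e.g. `if module != 'ZopeUndo.Prefix' or name != 'Prefix': raise ImportError`, with a comment such as `# CVE-2009-0668: the server-side unpickler may resolve exactly one global` recording why it is this narrow. Separately, the `finish_auth` to `_finish_auth` rename in StorageServer.py only closes CVE-2009-0669 if the ZRPC dispatcher refuses underscore-prefixed method names; that dispatcher is outside this patch, so a one-line comment at the definition, `# Underscore keeps this off the ZRPC surface (CVE-2009-0669) -- confirm the dispatcher enforces this`, would pin the invariant the fix relies on.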