Hello,
two vulnerabilities have been found in the zope ZEO network protocol.
CVEs already exist and are in the debian security tracker:
http://security-tracker.debian.net/tracker/CVE-2009-0668
http://security-tracker.debian.net/tracker/CVE-2009-0669
upstream released fixed versions of all affected zope packages:
http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
i now prepared fixed zope2.10 packages for stable-security as well.
the packages were built in a clean and up-to-date debian/lenny pbuilder
environment, with the -sa option given to dpkg-buildpackage, and all other
rules from developers-reference section 5.8.5.4 applied.
i made the packages available publicly because patches and fixed
versions were already published in a lot of other places. you can find
the packages at http://people.debian.org/~mejo/zope/stable-security/
please review the packages and tell me whether it's ok to upload them to
stable-security. debdiff is attached as well.
greetings,
jonas
ps: packages with new (fixed) upstream versions are ready for upload to
unstable as well; i am just waiting for comments on pkg-zope-developers
due to a rather intrusive fix for another serious bug:
http://lists.alioth.debian.org/pipermail/pkg-zope-developers/2009-August/004830.html
diff -u zope2.10-2.10.6/debian/changelog zope2.10-2.10.6/debian/changelog
--- zope2.10-2.10.6/debian/changelog
+++ zope2.10-2.10.6/debian/changelog
@@ -1,3 +1,11 @@
+zope2.10 (2.10.6-1+lenny1) stable-security; urgency=high
+
+ * Fix two vulnerabilities in the ZODB ZEO network protocol (closes: #540464)
+ - CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
+ - CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
+
+ -- Jonas Meurer <mejo@debian.org> Mon, 10 Aug 2009 00:50:31 +0200
+
zope2.10 (2.10.6-1) unstable; urgency=low
* New upstream release.
diff -u zope2.10-2.10.6/debian/patches/00list zope2.10-2.10.6/debian/patches/00list
--- zope2.10-2.10.6/debian/patches/00list
+++ zope2.10-2.10.6/debian/patches/00list
@@ -2,0 +3 @@
+zeo-vulerabilities
only in patch2:
unchanged:
--- zope2.10-2.10.6.orig/debian/patches/zeo-vulerabilities.dpatch
+++ zope2.10-2.10.6/debian/patches/zeo-vulerabilities.dpatch
@@ -0,0 +1,112 @@
+#! /bin/sh -e
+##
+## DP: Fix two vulnerabilites in ZEO network protocol:
+## CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
+## CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+--- zope2.10-2.10.6/z/lib/python/ZEO/StorageServer.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -356,6 +356,7 @@
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+--- zope2.10-2.10.6/z/lib/python/ZEO/auth/auth_digest.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+--- zope2.10-2.10.6/z/lib/python/ZEO/tests/auth_plaintext.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+--- zope2.10-2.10.6/z/lib/python/ZEO/zrpc/connection.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/zrpc/connection.py
+@@ -25,7 +25,7 @@
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -834,6 +834,7 @@
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+--- zope2.10-2.10.6/z/lib/python/ZEO/zrpc/marshal.py
++++ zope2.10-2.10.6/z/lib/python/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,19 @@
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ if module != 'ZopeUndo.Prefix':
++ raise ImportError
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ return r
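Review bot: server_find_global (the final hunk of marshal.py) pins the module to 'ZopeUndo.Prefix' but accepts any `name`, so every attribute that module exposes at import time — including whatever it imports itself — is reachable through the getattr that follows, whereas the existing find_global directly above it still ends in an "Unsafe global" rejection path that the server variant has no counterpart for. Unless the server needs more than the one class, restrict the name as well: `if module != 'ZopeUndo.Prefix' or name != 'Prefix': raise ImportError`, and replace the "Helper for message unpickler" docstring with one line stating that this is the only global a client may name in a server-bound message, so the next maintainer does not widen it casually. ServerMarshaller.decode copies the bare `except:` of the Marshaller.decode it overrides; because it re-raises, that is only a style match with the surrounding code, but `except Exception:` would keep KeyboardInterrupt and SystemExit out of the error-logging path in the server loop. The nested hunks have lost their leading indentation in this mail rendering, so the exact placement of the new `n = min(n, 100)` line relative to the read-only check in new_oids should be verified against the actual dpatch file.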