[Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

Arnaud Fontaine arnau at debian.org
Mon Nov 26 09:53:58 UTC 2012


Hello,

Tres Seaver <tseaver at palladion.com> writes:

>> version 2.12.21: * LP #1079238 fixes CVE 2012-5489.
>>
>> According to the upstream changelog, LP #1047318 seems to fix a
>> security bug, but I could not find it in zope2 launchpad nor anywhere
>> else.
>
> That bug was still in "Private Security" state: I have updated it to
> "Public Security", so you would be able to view it:
>
>  https://bugs.launchpad.net/zope2/+bug/1047318

Thank you very much.

>> Not fixed in latest release of Zope AFAIK:
>>
>> * CVE-2012-5487 (allow_module.py)
>> http://plone.org/products/plone/security/advisories/20121106/03
>
> I don't believe that this can be a bug in Zope itself: adding
> '__roles__' to a module-scope function is pointless unless the module
> itself is importable by untrusted (TTW) code. The
> 'AccessControl.SecurityInfo' module should *certainly* not be exposed
> to untrusted code. If some other out-of-Zope-core module which is
> supposed to be importable by TTW code imports that function at module
> scope, then fix *that* module instead.

Indeed, thanks for your explanation.

>> * CVE-2012-5505 (zope.traversing: atat.py)
>> http://plone.org/products/plone/security/advisories/20121106/21
>
> That "fix" is also disputed: hiding the "default" view from the '@@'
> name does not actually improve security at all. There is a Launchpad
> bug where it is being debated (#1079225), but that bug is still in
> "Private Security" mode. The correct fix is to change the code of the
> multi-adapter to barf if published via a URL.

Any idea when this patch will be released? Thanks.

Cheers,
Arnaud Fontaine