Bug#: 129705
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>
Description:   Opened: 2006-04-12 08:44 0000
The Plone content management system lacks security declarations for three internal classes. This allows manipulation of user portraits by unprivileged users.

The changeMemberPortrait and deletePersonalPortrait lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will.

Our versions 2.0.4 and 2.0.5 and 2.0.5-r1 are not patched.

See also DSA 1032-1 (2006-04-12)
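The description above attributes the problem to missing security declarations: without a declaration the publisher let anonymous callers run the portrait methods. The block below is an added example, not Plone's or Zope's code. It is a small pure-Python model of the declarative protection pattern (in the style of Zope's `ClassSecurityInfo.declareProtected`): a publisher looks up the permission declared on a method, checks it against the caller's roles, and refuses any method that carries no declaration at all. The permission strings, the role-to-permission map, the `MembershipTool` stand-in and the rule that only a Manager may touch another member's portrait are assumptions made for illustration.

```python
"""Added example (not Plone's own code): a minimal model of declarative
method protection in the style of Zope's ClassSecurityInfo.

Permission names, the role map and the MembershipTool stand-in below are
illustrative assumptions, not copied from Plone."""

ANONYMOUS, MEMBER, MANAGER = "Anonymous", "Member", "Manager"

# Constructed role -> permission map (assumption: Members may set their own
# properties, Managers may additionally manage the portal).
ROLE_PERMISSIONS = {
    ANONYMOUS: {"View"},
    MEMBER: {"View", "Set own properties"},
    MANAGER: {"View", "Set own properties", "Manage portal"},
}


class Unauthorized(Exception):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def has_permission(self, permission):
        return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in self.roles)


def protected(permission):
    """Attach a required permission to a method (models declareProtected)."""
    def deco(fn):
        fn.__permission__ = permission
        return fn
    return deco


def publish(tool, method_name, user, *args, **kwargs):
    """Model of the publisher's check before a URL-callable method runs.

    A method without a declaration is refused: a missing declaration is the
    defect the bug describes, and deny-by-default makes it fail closed rather
    than exposing the method to anonymous callers."""
    method = getattr(tool, method_name)
    permission = getattr(method, "__permission__", None)
    if permission is None:
        raise Unauthorized(f"{method_name}: no security declaration")
    if not user.has_permission(permission):
        raise Unauthorized(f"{method_name}: requires '{permission}'")
    return method(user, *args, **kwargs)


class MembershipTool:
    """Constructed stand-in for the tool that stores member portraits."""

    def __init__(self):
        self.portraits = {}

    @protected("Set own properties")
    def changeMemberPortrait(self, user, portrait, member_id=None):
        target = self._target(user, member_id)
        self.portraits[target] = portrait
        return target

    @protected("Set own properties")
    def deletePersonalPortrait(self, user, member_id=None):
        return self.portraits.pop(self._target(user, member_id), None)

    def resetAllPortraits(self, user):
        # Deliberately left without a declaration: publish() refuses it.
        self.portraits.clear()

    def _target(self, user, member_id):
        # Assumption: only a Manager may act on another member's portrait.
        if member_id is None or member_id == user.name:
            return user.name
        if not user.has_permission("Manage portal"):
            raise Unauthorized("may only change your own portrait")
        return member_id


def demo():
    """Run the access scenarios and return a label -> outcome map."""
    tool = MembershipTool()
    anon, alice, admin = User("anon", [ANONYMOUS]), User("alice", [MEMBER]), User("admin", [MANAGER])
    results = {}

    def attempt(label, *call):
        try:
            results[label] = publish(tool, *call)
        except Unauthorized as exc:
            results[label] = f"denied: {exc}"

    attempt("anon_change", "changeMemberPortrait", anon, b"PNG", "alice")
    attempt("alice_change_own", "changeMemberPortrait", alice, b"PNG")
    attempt("alice_change_other", "changeMemberPortrait", alice, b"PNG", "bob")
    attempt("admin_change_other", "changeMemberPortrait", admin, b"PNG", "bob")
    attempt("anon_delete", "deletePersonalPortrait", anon, "alice")
    attempt("alice_delete_own", "deletePersonalPortrait", alice)
    attempt("undeclared", "resetAllPortraits", admin)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome!r}")
```

The undeclared `resetAllPortraits` is refused even for a Manager, which is the point of the fail-closed default: the vulnerable behaviour described in the report is the opposite policy, where an undeclared method is treated as callable by anyone.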

------- Comment #1 From Thierry Carrez (RETIRED) 2006-04-15 05:34:47 0000 -------
Zope herd please bump with patch from URL

------- Comment #2 From Radoslaw Stachowiak 2006-04-16 04:31:00 0000 -------
plone-2.0.5-r2 is in portage and patched. Not marked stable though.
Please test and proceed with stable and glsa.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-04-16 05:13:17 0000 -------
x86 and ppc please test and mark plone-2.0.5-r2 stable, thx

------- Comment #4 From Tobias Scherbaum 2006-04-16 14:51:26 0000 -------
Patch doesn't apply.

 * Applying plone-2.0.5-portrait_security.patch ...

 * Failed Patch: plone-2.0.5-portrait_security.patch !
 *  ( /home/tobias/cvs/gentoo-x86/net-zope/plone/files/plone-2.0.5-portrait_security.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/plone-2.0.5-r2/temp/plone-2.0.5-portrait_security.patch-6632.out

------- Comment #5 From Stefan Cornelius (RETIRED) 2006-04-16 14:54:46 0000 -------
net-zope please fix the ebuild, thanks

------- Comment #6 From Radoslaw Stachowiak 2006-04-16 18:03:38 0000 -------
Strange, just did emerge sync and tested it on data received from
rsync.gentoo.org and it works:
>>> Unpacking PloneBase-2.0.5.tar.gz to /var/tmp/portage/plone-2.0.5-r2/work
 * Applying plone-2.0.5-portrait_security.patch ...                    [ ok ]
>>> Source unpacked.

Can anyone help me here?

------- Comment #7 From Radoslaw Stachowiak 2006-04-17 06:24:01 0000 -------
OK, fixed. Looks like my patch accepts a wide range of patch files, while the
standard one does not. I regenerated and committed the fixed patch file.

Please proceed. Sorry for the troubles caused.

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-04-17 06:29:05 0000 -------
No problem, thank you radek. Arches, you know what to do :)

------- Comment #9 From Tobias Scherbaum 2006-04-17 07:21:07 0000 -------
ppc stable

------- Comment #10 From Mark Loeser 2006-04-17 08:46:08 0000 -------
x86 done

------- Comment #11 From Stefan Cornelius (RETIRED) 2006-04-17 08:53:24 0000 -------
Ready for glsa vote, I tend to a NO here.

------- Comment #12 From Raphael Marichez 2006-04-17 08:56:18 0000 -------
thanks arches,

not a critical element, only affects plone itself.

I tend to vote no, but unsure.

------- Comment #13 From Thierry Carrez (RETIRED) 2006-04-17 09:42:38 0000 -------
Voting NO and closing.
