Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.
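Added illustration (not code from the bug thread or from Zope): the docutils settings that close this hole, `raw_enabled` and `file_insertion_enabled`, rendering a constructed hostile document and capturing the warning stream. It assumes docutils is installed.

```python
"""Render untrusted reStructuredText with docutils' raw directive and file
insertion disabled, so a ``.. raw::`` block cannot pull a local file into
the output. Hardening example added for this page; not Zope's own code."""
import io

from docutils.core import publish_parts

# Constructed sample of hostile input: with "raw" enabled, the :file:
# option would splice the named file verbatim into the rendered HTML.
UNTRUSTED_RST = """\
Heading
=======

Some harmless text.

.. raw:: html
   :file: /etc/passwd
"""

HARDENED_SETTINGS = {
    "raw_enabled": False,             # refuse ``.. raw::`` entirely
    "file_insertion_enabled": False,  # refuse ``:file:``/``:url:`` and ``.. include::``
    "report_level": 2,                # warnings and above are reported
    "halt_level": 5,                  # never raise; we inspect the warnings instead
}


def render_untrusted(source: str) -> tuple[str, str]:
    """Render ``source`` with hardened settings.

    Returns (html_body, warnings): the rendered body and the text docutils
    wrote to its warning stream while parsing.
    """
    warnings = io.StringIO()
    settings = dict(HARDENED_SETTINGS, warning_stream=warnings)
    parts = publish_parts(source, writer_name="html", settings_overrides=settings)
    return parts["html_body"], warnings.getvalue()


if __name__ == "__main__":
    body, warns = render_untrusted(UNTRUSTED_RST)
    print(warns)   # docutils reports: "raw" directive disabled.
    print(body)
```

With these overrides docutils refuses the directive and emits a system message instead of opening the file; the rest of the document still renders normally.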
net-zope please advise and patch as necessary.
Unfortunately I'll be able to provide patch/ebuild no sooner than Jul 31 (vacations). We'll need to patch it.
Radoslaw: back from your vacations?
Released 2.8.8 and 2.9.4, which contain the fix for the bug. I think we should stable 2.8.8 and pmask 2.7.
Thx Radoslaw. Arches please test and mark stable 2.8.8 as per comment #4.
Due to the today discovered http://www.zope.org/Products/Zope/Hotfix-2006-08-21/ we should probably stop before I'll be able to fix this altogether (max till Saturday).
Back to ebuild status.
Fixed 2.7.9 and 2.8.8. There is no need to mask 2.7.8 now as I previously stated (because I fixed it this time), but there is a need to make 2.7.9 stable. In summary, what is needed:
1) mark as stable zope-2.7.9 (new ebuild)
2) mark as stable zope-2.8.8 (changed ebuild, I decided against a version bump because 2.8.8 was not marked as stable in portage yet)
3) issue GLSA; versions NOT affected are: zope-2.7.9 (the only stable version before the situation), zope-2.8.8 (only after re-emerge!!!), zope-2.9.4
Do not hesitate to ask me if something is not clear.
Thx Radoslaw. Arches please test and mark stable.
I hate zope and plone but they are done on x86 :(
sparc stable.
ppc stable
amd64 stable
alpha stable. Also marked 2.8.8 stable on amd64.
This one is ready for GLSA decision. I tend to vote NO.
If I should vote (not sure?) I think we should release a GLSA. This is a pretty serious bug (a remote one) - in fact two advisories were issued, and it happened after a long time of Zope being considered a secure app server.
I vote yes.
I vote no. This is not a critical issue. It cannot corrupt a server nor execute any kind of script.
I tend to vote no. It's not that often that you provide restructured text functions to untrusted users?
Current voting status: 2 NO (½+½+1) 1 YES (+1 from net-zope) So unless I get some YES votes today I'll close this bug with NO GLSA.
Closing with no GLSA, feel free to reopen if blabla (I should bind a shortcut key for this).