
Bug 198357 (CVE-2007-5741)

Summary: net-zope/plone < 2.5.5 statusmessages linkintegrity Command Execution (CVE-2007-5741)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: net-zope+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://plone.org/about/security/advisories/cve-2007-5741
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:38:58 UTC
FrSIRT/ADV-2007-3754:
  A vulnerability has been identified in Plone, which could be
  exploited by remote attackers to compromise a vulnerable system.
  This issue is caused by input validation errors in the
  "statusmessages" and "linkintegrity" modules that interpret unsafe
  network data as python pickles, which could be exploited by remote
  attackers to execute arbitrary commands with the privileges of the
  Zope/Plone process.
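The advisory text above describes the general pattern: cookie data from the network was handed to the pickle loader, and a pickle may name any importable callable to run. The following added example (not Plone's code, nor the hotfix) shows the two defensive layers such a status-message cookie needs: an HMAC over the serialised bytes so tampered cookies are dropped before parsing, and an unpickler that refuses to resolve any global at all, since status messages are plain data. `SECRET_KEY`, the function names and the sample cookies are all assumptions constructed for the example.

```python
import collections
import hashlib
import hmac
import io
import pickle
import secrets

# Hypothetical server-side key: generated per run so the demo is self-contained;
# a real deployment would load it from configuration and never hard-code it.
SECRET_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size

class RestrictedUnpickler(pickle.Unpickler):
    """Status messages are plain tuples and strings, which pickle without any
    GLOBAL opcode, so every request to resolve a global is refused outright.
    This removes the path by which a pickle can name a callable to execute."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def encode_status_cookie(messages):
    """Serialise a list of (text, type) tuples and prepend an HMAC over the bytes."""
    payload = pickle.dumps(messages, protocol=2)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return tag + payload

def decode_status_cookie(cookie):
    """Verify the HMAC before touching the payload, then unpickle only via the
    restricted loader: the two checks are independent layers."""
    if len(cookie) < TAG_LEN:
        raise ValueError("cookie too short")
    tag, payload = cookie[:TAG_LEN], cookie[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature mismatch")
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def try_decode(cookie):
    """Return ('ok', messages) or ('rejected', reason) so a bad cookie is simply dropped."""
    try:
        return "ok", decode_status_cookie(cookie)
    except (ValueError, pickle.UnpicklingError) as exc:
        return "rejected", str(exc)

# Constructed sample cookies for the three cases.
COOKIE_OK = encode_status_cookie([("Changes saved.", "info")])
COOKIE_TAMPERED = COOKIE_OK[:-1] + bytes([COOKIE_OK[-1] ^ 0x01])
# A benign object that pickles with a GLOBAL opcode (collections.OrderedDict),
# signed with our own key so that only the restricted loader stands in its way.
COOKIE_WITH_GLOBAL = encode_status_cookie(collections.OrderedDict())
```

The third sample shows why the signature alone is not enough: anything signed by a key holder, or by code on the server that pickles richer objects, still reaches the loader, and the loader is what must refuse executable content.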
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:40:30 UTC
"Affected versions
    * Plone 2.5 up to and including 2.5.4
    * Plone 3.0 up to and including 3.0.2

These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."

Net-Zope, please advise.
Comment 2 Radoslaw Stachowiak (RETIRED) gentoo-dev 2007-11-07 15:06:18 UTC
We will release the 2.5.5 version bump this weekend. The last security problem didn't result in a GLSA, so maybe this time it should be done to get some visibility.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 15:32:59 UTC
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If version numbers in the upstream announcement are correct, stable ebuilds are not affected here.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 13:49:36 UTC
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

any news here?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-21 01:01:33 UTC
Zope herd, please bump.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 00:41:24 UTC
http://plone.org/products/plone-hotfix/releases/20071106-2
Version 2 of the hotfix corrects several bugs found in the original release.

Zope, what's the status here?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:57:36 UTC
(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
> 
> Zope, what's the status here?

*ping*
Comment 8 Radoslaw Stachowiak (RETIRED) gentoo-dev 2007-12-25 23:07:00 UTC
It took our one-man-herd ;) a little bit longer. Sorry for that.
I committed the corrected ebuild for version 2.5.5 to the tree.

BTW: should I change bug's Whiteboard after such action?
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-25 23:46:13 UTC
No need to, we're monitoring comments and do the next steps.
Thanks for bumping!

This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you want the 2.5 branch to be subject to "full" security support, you need to get this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds if you can.