
Bug 278824

Summary: net-zope/zodb net-zope/zope Execution of arbitrary code, Authentication Bypass (CVE-2009-0668, CVE-2009-0669)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-zope+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 257545
Bug Blocks:
Attachments (flags: none):
  zodb-3.3.1-CVE-2009-0668+0669.patch
  zodb-3.3.1.ebuild
  CVE-2009-0668+0669.patch
  zope-2.9.10.ebuild.patch
  zope-2.10.7.ebuild.patch
  bug278824overlay.tar.gz

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 12:07:08 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

A vulnerability in the Zope Object Database (ZODB) database server (ZEO) allows a client to execute arbitrary Python code in the server process (CVE-2009-0668).

ZEO includes a weak authentication protocol that allows authentication to be bypassed (CVE-2009-0669).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 12:10:19 UTC
Radoslaw, Alfredo, please prepare an ebuild using the attached patch and attach the ebuild to this bug. We can do prestable testing here. Do not commit anything to CVS.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 12:10:53 UTC
Created attachment 198895 [details, diff]
zodb-3.3.1-CVE-2009-0668+0669.patch
Comment 3 Tupone Alfredo gentoo-dev 2009-07-27 10:35:21 UTC
Well, I don't have a reference for the CVE; I guess that is because it is confidential, but I guess it affects other versions of zodb, as the code in ZEO seems not to have changed between those versions (from a very, very short reading).
If so, I guess even zope is affected, as it uses zodb from the zope omnicomprehensive tar.
However, I'm going to do what you required very soon.
Comment 4 Tupone Alfredo gentoo-dev 2009-07-27 12:00:14 UTC
Created attachment 199327 [details]
zodb-3.3.1.ebuild

The required updated ebuild.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-27 13:10:50 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords: "amd64 x86"
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 19:54:14 UTC
Oh, I was not aware net-zope/zope ships a copy of this as well. Are you maintaining all the zope slots as well?
Comment 7 Tupone Alfredo gentoo-dev 2009-07-28 06:18:02 UTC
Well, yeah. If you can point out the affected versions, I can see what I can do for those.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 10:50:49 UTC
2.8 and later are affected. Please attach ebuilds for the 2.9 and 2.10 slots to this bug, and we'll also test them.
Comment 9 Tupone Alfredo gentoo-dev 2009-07-28 14:29:50 UTC
Created attachment 199434 [details, diff]
CVE-2009-0668+0669.patch

Same as the attached patch, different subtree. Used by the zope ebuild.
Comment 10 Tupone Alfredo gentoo-dev 2009-07-28 14:30:15 UTC
Created attachment 199435 [details, diff]
zope-2.9.10.ebuild.patch
Comment 11 Tupone Alfredo gentoo-dev 2009-07-28 14:30:35 UTC
Created attachment 199436 [details, diff]
zope-2.10.7.ebuild.patch
Comment 12 Tupone Alfredo gentoo-dev 2009-07-28 14:31:46 UTC
A question:
is zodb-3.6.0 not affected?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 14:59:07 UTC
It is affected, please patch/update as soon as this bug is public. But we will not perform prestable testing on those versions as they are not stable.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 15:21:29 UTC
Created attachment 199451 [details]
bug278824overlay.tar.gz

This is messy, I'm sorry. I just noticed that zodb-3.6 also has a stable version for x86. Also, the ebuilds are named exactly as the ones in tree without -r1.
I'm attaching the packed updates to the zope and zodb directories -- hopefully that makes it easier to test than yet another two files on the bug.

Arch Security Liaisons, these are for you:
=net-zope/zope-2.10.7-r1
=net-zope/zope-2.9.10-r1
Target keywords : "alpha amd64 ppc sparc x86"

=net-zope/zodb-3.3.1-r1
Target keywords : "amd64 x86"

=net-zope/zodb-3.6.0-r1
Target keywords : "x86"


CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
     ppc : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
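As an added example (not part of this bug, of the attached ebuilds, or of Gentoo's own tooling), a small slot-aware check that compares installed net-zope package versions against the fixed revisions listed in comment 14; the installed-package list is constructed for illustration, and `audit` is a hypothetical helper name.

```python
"""Compare installed net-zope packages with the fixed revisions from bug 278824.

Added example; the installed list below is constructed. On a real system the
same lines would come from `qlist -Iv` or the directory names under /var/db/pkg.
"""
import re

# Fixed ebuilds named in comment 14, one per slot (package -> [version-revision]).
FIXED = {
    "net-zope/zope": ["2.9.10-r1", "2.10.7-r1"],
    "net-zope/zodb": ["3.3.1-r1", "3.6.0-r1"],
}

VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
ATOM_RE = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")  # category/pkg-version[-rN]


def parse_version(ver):
    """Split '2.10.7-r1' into ((2, 10, 7), 1); a missing -rN counts as revision 0."""
    m = VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def is_fixed(package, version):
    """Return 'fixed', 'vulnerable', or 'unknown' when the bug lists no fix for that slot.

    Slots are compared by major.minor, so zope-2.10.6 is judged against 2.10.7-r1,
    not against the 2.9 slot's 2.9.10-r1. The bug says 2.8 and later are affected
    but lists no fixed 2.8 ebuild, so a 2.8 install is reported as 'unknown'.
    """
    installed, rev = parse_version(version)
    for fixed in FIXED.get(package, []):
        fparts, frev = parse_version(fixed)
        if fparts[:2] != installed[:2]:
            continue  # different slot
        return "fixed" if (installed, rev) >= (fparts, frev) else "vulnerable"
    return "unknown"


def audit(installed_lines):
    """Map each 'category/pkg-version' line for a package in FIXED to its status."""
    result = {}
    for line in installed_lines:
        m = ATOM_RE.match(line.strip())
        if m and m.group(1) in FIXED:
            result[line.strip()] = is_fixed(m.group(1), m.group(2))
    return result


if __name__ == "__main__":
    # Constructed sample of installed packages, not output from a real system.
    for atom, status in audit(["net-zope/zope-2.10.7", "net-zope/zodb-3.3.1-r1"]).items():
        print(f"{atom}: {status}")
```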
Comment 15 Tupone Alfredo gentoo-dev 2009-07-30 11:54:11 UTC
I will be out in August. Do what you need to do (like committing the change) when the CVE becomes public.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-08-09 00:25:37 UTC
This is now public. If anyone has the time, please commit as Tupone is currently away.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-08-09 00:26:05 UTC
*** Bug 280822 has been marked as a duplicate of this bug. ***
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-17 10:32:14 UTC
+*zope-2.10.7-r1 (17 Aug 2009)
+*zope-2.9.10-r1 (17 Aug 2009)
+
+  17 Aug 2009; Alex Legler <a3li@gentoo.org> +zope-2.9.10-r1.ebuild,
+  +zope-2.10.7-r1.ebuild, +files/CVE-2009-0668+0669.patch:
+  Non-maintainer commit: Version bump for security bug 278824.
+

+*zodb-3.6.0-r1 (17 Aug 2009)
+*zodb-3.3.1-r1 (17 Aug 2009)
+
+  17 Aug 2009; Alex Legler <a3li@gentoo.org> +zodb-3.3.1-r1.ebuild,
+  +files/zodb-3.3.1-CVE-2009-0668+0669.patch, +zodb-3.6.0-r1.ebuild,
+  +files/zodb-3.6.0-CVE-2009-0668+0669.patch:
+  Non-mainatiner commit: Version bump for security bug 278824.
+
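Review bot: the zodb ChangeLog entry has a typo in its commit message, "Non-mainatiner commit"; it should read "Non-maintainer commit" as in the zope entry above.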

Arches, please stable according to comment 14.
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-17 10:33:46 UTC
Sorry for the spam, forgot to select "remove selected CCs"
Comment 20 Samuli Suominen (RETIRED) gentoo-dev 2009-08-17 13:22:15 UTC
There's bug 257545 that indicates this won't even work with Python 2.5, so I doubt there is any point in wasting time on this without a maintainer (there's none) adding a new version to the tree (like zodb 3.7.x or 3.8.x).
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-08-17 13:36:51 UTC
(In reply to comment #20)
> There's bug 257545 that indicates this won't even work with Python 2.5, so I
> doubt there is any point in wasting time with this without maintainer (there's
> none) adding a new version in tree (Like zodb 3.7.x or 3.8.x)

If treecleaners will mask and remove zodb, we'll limit arch calling to zope only.
Comment 22 nixnut (RETIRED) gentoo-dev 2009-08-23 09:36:18 UTC
ppc stable
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 11:54:26 UTC
x86 stable
Comment 24 Tobias Klausmann (RETIRED) gentoo-dev 2009-08-25 14:49:17 UTC
Both stable on alpha.
Comment 25 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 16:54:16 UTC
sparc stable
Comment 26 Markus Meier gentoo-dev 2009-09-11 19:12:39 UTC
amd64 stable, all arches done.
Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 00:36:47 UTC
GLSA request filed.
Comment 28 Tobias Heinlein (RETIRED) gentoo-dev 2014-02-09 13:05:22 UTC
No GLSA for webapps.