Bug 198357 (CVE-2007-5741) - net-zope/plone < 2.5.5 statusmessages linkintegrity Command Execution (CVE-2007-5741)
Summary: net-zope/plone < 2.5.5 statusmessages linkintegrity Command Execution (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2007-5741
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://plone.org/about/security/advis...
Whiteboard: ~1 [noglsa]
Reported: 2007-11-07 13:38 UTC by Robert Buchholz (RETIRED)
Modified: 2007-12-25 23:46 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:38:58 UTC
FrSIRT/ADV-2007-3754:
  A vulnerability has been identified in Plone, which could be
  exploited by remote attackers to compromise a vulnerable system.
  This issue is caused by input validation errors in the
  "statusmessages" and "linkintegrity" modules that interpret unsafe
  network data as python pickles, which could be exploited by remote
  attackers to execute arbitrary commands with the privileges of the
  Zope/Plone process.
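The bug class the advisory describes, shown as an added illustration that is not Plone's code or the hotfix: a cookie decoder that unpickles client data, beside a hardened form that stores the status messages as JSON under an HMAC-SHA256 tag and verifies the tag before parsing. The key, cookie layout and the `[text, kind]` message shape are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle
# Constructed key for this example; a real deployment reads it from server config.
SECRET_KEY = b"constructed-example-secret"
TAG_LEN = hashlib.sha256().digest_size

def decode_status_messages_unsafe(cookie):
    """The advisory's pattern: unpickling client-supplied data lets the client
    choose which objects, and so which code, the server runs. For contrast only."""
    return pickle.loads(base64.b64decode(cookie))

def encode_status_messages(messages, key=SECRET_KEY):
    """JSON payload prefixed with an HMAC-SHA256 tag; no pickle involved."""
    payload = json.dumps(messages, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()

def decode_status_messages(cookie, key=SECRET_KEY):
    """Verify the tag before parsing; None if malformed, unsigned, foreign-keyed or modified."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        messages = json.loads(payload)
    except ValueError:
        return None
    # JSON cannot carry code, but still pin the data to the shape we expect.
    if not isinstance(messages, list) or not all(
            isinstance(m, list) and len(m) == 2
            and all(isinstance(x, str) for x in m) for m in messages):
        return None
    return messages

def demo():
    """Round-trip a constructed cookie; tampering or a wrong key is rejected."""
    msgs = [["Changes saved.", "info"]]
    cookie = encode_status_messages(msgs)
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[-1] ^= 0x01                      # flip one bit in the JSON payload
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return (decode_status_messages(cookie), decode_status_messages(tampered),
            decode_status_messages(cookie, key=b"another-key"))
```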
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:40:30 UTC
"Affected versions
    * Plone 2.5 up to and including 2.5.4
    * Plone 3.0 up to and including 3.0.2

These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."

Net-Zope, please advise.
Comment 2 Radoslaw Stachowiak (RETIRED) gentoo-dev 2007-11-07 15:06:18 UTC
We will release the 2.5.5 version bump this weekend. The last security problem didn't result in a GLSA, so maybe this time it should be done to get some visibility.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 15:32:59 UTC
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.

Security policy is that ~arch packages are not subject to GLSAs. If version numbers in the upstream announcement are correct, stable ebuilds are not affected here.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 13:49:36 UTC
(In reply to comment #2)
> We will release the 2.5.5 version bump this weekend. The last security problem
> didn't result in a GLSA, so maybe this time it should be done to get some
> visibility.
> 

Any news here?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-21 01:01:33 UTC
Zope herd, please bump.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 00:41:24 UTC
http://plone.org/products/plone-hotfix/releases/20071106-2
Version 2 of the hotfix corrects several bugs found in the original release.

Zope, what's the status here?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:57:36 UTC
(In reply to comment #6)
> http://plone.org/products/plone-hotfix/releases/20071106-2
> Version 2 of the hotfix corrects several bugs found in the original release.
> 
> Zope, what's the status here?
> 

*ping*
Comment 8 Radoslaw Stachowiak (RETIRED) gentoo-dev 2007-12-25 23:07:00 UTC
It took our one-man-herd ;) a little bit longer. Sorry for that.
I committed the corrected ebuild for version 2.5.5 to the tree.

BTW: should I change the bug's Whiteboard after such an action?
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-25 23:46:13 UTC
No need to, we're monitoring comments and will do the next steps.
Thanks for bumping!

This issue only affects ~arch ebuilds, so it will not result in a GLSA. If you want the 2.5 branch to be subject to "full" security support, you need to get this current version stable. Please remove the vulnerable 2.5 and 2.5.3 ebuilds if you can.