Bug 140120 - VUL-0: zope: arbitrary file exposure
Summary: VUL-0: zope: arbitrary file exposure
Status: RESOLVED INVALID
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other (show other bugs)
Version: Alpha 4
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-3323: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-19 11:39 UTC by Thomas Biege
Modified: 2009-10-13 20:44 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2005-12-19 11:39:06 UTC 
Hello Martin,
Ubuntu released an advisory for zope.

===========================================================
Ubuntu Security Notice USN-229-1          December 13, 2005
zope2.8 vulnerability
CVE-2005-3323
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

zope2.8
zope2.8-sandbox

The problem can be corrected by upgrading the affected package to
version 2.8.1-5ubuntu0.1.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Zope did not deactivate the file inclusion feature when exposing
RestructuredText functionalities to untrusted users. A remote user
with the privilege of editing Zope webpages with RestructuredText
could exploit this to expose arbitrary files that can be read with the
privileges of the Zope server, or execute arbitrary Zope code.


  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/z/zope2.8/zope2.8_2.8.1-5ubuntu0.1.diff.gz
      Size/MD5:    12721 12280d0cc8ba16dc3565199620486f59
    http://security.ubuntu.com/ubuntu/pool/main/z/zope2.8/zope2.8_2.8.1-5ubuntu0.1.dsc
      Size/MD5:      826 bef9b6d223a40195bc51d4d30b81f73d
    http://security.ubuntu.com/ubuntu/pool/main/z/zope2.8/zope2.8_2.8.1.orig.tar.gz
      Size/MD5:  5343921 0ec441a35175bb8d8c557b7d3c63f6f6
[...]
Comment 1 Martin Kudlvasr 2005-12-20 14:11:44 UTC 
Hi Thomas,

thanks for letting me know about the ubuntu patches.

as I can see from the diff.gz, the Ubuntu patch just applies www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert and adds some Debian specific patches.
This was already solved in 
[Bug 130477]  New: VUL-0: zope file inclusion -> code exec
Current version in stable is 2.7.8, which is not affected. All previous affected versions were fixed in 130477.

I consider this invalid.

The reason I didn't switch to 2.8.X yet is that there are some new security features that are not yet rewritten to C and therefore slow.

PS: I'm on holiday from 19. - 30. Dec :-) merrychristmasandhappynewyear
Comment 2 Thomas Biege 2005-12-21 07:14:56 UTC 
Ok.

Have a nice holiday season. :)
Comment 3 Thomas Biege 2009-10-13 20:44:49 UTC 
CVE-2005-3323: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)