Mailing List Archive: Zope: CMF

CMF security patches in Products.PloneHotfix20121106



jens at dataflake

Nov 9, 2012, 8:02 AM

Post #1 of 7 (438 views)
CMF security patches in Products.PloneHotfix20121106

Hi all,

I don't recall any information being provided to the CMF developers about CMF fixes in the most recent Plone Hotfix:

http://plone.org/products/plone-hotfix/releases/20121106

For example, there's a monkey patch to make sure getToolByName only returns valid tool objects and nothing else, see the attached file.

I'm not sure if there's an oversight of not forwarding this information to us or if it was determined this fix is not relevant for the CMF. Would any list member who also works on Plone have an insight?

Thanks!

jens
Attachments: gtbn.py (1.09 KB)
  smime.p7s (4.22 KB)


charlie.clark at clark-consulting

Nov 9, 2012, 11:23 AM

Post #2 of 7 (406 views)
Re: CMF security patches in Products.PloneHotfix20121106

On 09.11.2012, 17:02, Jens Vagelpohl <jens [at] dataflake> wrote:

> Hi all,
>
> I don't recall any information being provided to the CMF developers
> about CMF fixes in the most recent Plone Hotfix:
>
> http://plone.org/products/plone-hotfix/releases/20121106
>
> For example, there's a monkey patch to make sure getToolByName only
> returns valid tool objects and nothing else, see the attached file.
>
> I'm not sure if there's an oversight of not forwarding this information
> to us or if it was determined this fix is not relevant for the CMF.
> Would any list member who also works on Plone have an insight?
>
> Thanks!
>
> jens

I got this back from David Glick after asking security [at] plone:

"""
Thanks. We haven't had a chance to start applying the patches in the
hotfix back to where they really belong, but we'll do so soon. Note that
for the time being it should be possible to apply the Plone hotfix to pure
CMF sites as well to patch this issue.
"""

Still no wiser as to why we weren't informed.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
_______________________________________________
Zope-CMF maillist - Zope-CMF [at] zope
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests


david.glick at plone

Nov 9, 2012, 11:29 AM

Post #3 of 7 (401 views)
Re: CMF security patches in Products.PloneHotfix20121106

On 11/9/12 11:23 AM, Charlie Clark wrote:
> On 09.11.2012, 17:02, Jens Vagelpohl <jens [at] dataflake> wrote:
>
>> Hi all,
>>
>> I don't recall any information being provided to the CMF developers
>> about CMF fixes in the most recent Plone Hotfix:
>>
>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> For example, there's a monkey patch to make sure getToolByName only
>> returns valid tool objects and nothing else, see the attached file.
>>
>> I'm not sure if there's an oversight of not forwarding this
>> information to us or if it was determined this fix is not relevant
>> for the CMF. Would any list member who also works on Plone have an
>> insight?
>>
>> Thanks!
>>
>> jens
>
> I got this back from David Glick after asking security [at] plone:
>
> """
> Thanks. We haven't had a chance to start applying the patches in the
> hotfix back to where they really belong, but we'll do so soon. Note
> that for the time being it should be possible to apply the Plone
> hotfix to pure CMF sites as well to patch this issue.
> """
>
> Still no wiser as to why we weren't informed.

We should have informed you earlier. There are a lot of tasks associated
with preparing a hotfix (and this one in particular covered many
vulnerabilities), and it got missed. I apologize.

In the future, what's the best place to report possible CMF security
issues? zope-cmf Launchpad?
David



charlie.clark at clark-consulting

Nov 9, 2012, 11:33 AM

Post #4 of 7 (401 views)
Re: CMF security patches in Products.PloneHotfix20121106

On 09.11.2012, 20:29, David Glick (Plone)
<david.glick [at] plone> wrote:

> We should have informed you earlier. There are a lot of tasks associated
> with preparing a hotfix (and this one in particular covered many
> vulnerabilities), and it got missed. I apologize.
> In the future, what's the best place to report possible CMF security
> issues? zope-cmf Launchpad?

Hi David,

thanks for the quick response. I would definitely say just post to the
list to see if we're still alive. Can you say which versions of CMF are
affected?

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226


david.glick at plone

Nov 9, 2012, 11:45 AM

Post #5 of 7 (403 views)
Re: CMF security patches in Products.PloneHotfix20121106

On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012, 20:29, David Glick (Plone)
> <david.glick [at] plone> wrote:
>
>> We should have informed you earlier. There are a lot of tasks
>> associated with preparing a hotfix (and this one in particular
>> covered many vulnerabilities), and it got missed. I apologize.
>> In the future, what's the best place to report possible CMF security
>> issues? zope-cmf Launchpad?
>
> Hi David,
>
> thanks for the quick response. I would definitely say just post to the
> list to see if we're still alive. Can you say which versions of CMF
> are affected?
>
Probably any that use getToolByName. The problem is that getToolByName
can be used to get attributes that wouldn't normally be accessible from
RestrictedPython. The hotfix adds some checks to make sure that the
object that was found provides IPersistent or IItem (or is explicitly
named in the tool registry), so that it is at least much harder to break
out of the sandbox.

Unfortunately this breaks non-persistent non-item dummy objects used in
tests unless they are made to provide one of the interfaces that is checked.
David
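The guard David Glick describes above, as an added stand-alone model; this is not the hotfix's gtbn.py (which is not reproduced on this page) nor CMF's own code. It assumes plain marker classes in place of zope.interface's IPersistent/IItem `providedBy` checks, a dict in place of acquisition, and a constructed tool registry and portal; it also shows the test-double breakage and its fix (declaring IItem) from the second paragraph.

```python
from typing import Any, Dict

class IPersistent:
    """Stand-in marker for persistence.interfaces.IPersistent (assumption)."""

class IItem:
    """Stand-in marker for OFS.interfaces.IItem (assumption)."""

class CatalogTool(IPersistent, IItem):
    """A real tool: a persistent OFS item."""

class DummyTool:
    """Test double providing neither interface: the case the hotfix breaks."""

class DummyItemTool(IItem):
    """Same test double, made to pass by declaring IItem."""

class AcquiredHelper:
    """Not a tool at all: some other attribute reachable by acquisition."""
    def unrestricted_call(self) -> str:
        return "only meant for unrestricted code"

_marker = object()
TOOL_REGISTRY = {"portal_catalog", "portal_workflow"}  # constructed registry

def tool_name_lookup(site: Dict[str, Any], name: str, default: Any = _marker) -> Any:
    """Pre-hotfix shape: hand back whatever `name` acquires, tool or not."""
    obj = site.get(name, _marker)
    if obj is _marker:
        if default is _marker:
            raise AttributeError(name)
        return default
    return obj

def guarded_tool_lookup(site: Dict[str, Any], name: str, default: Any = _marker) -> Any:
    """Hotfix-shaped guard: only a registered id or an IPersistent/IItem provider counts."""
    obj = site.get(name, _marker)
    if obj is not _marker and (name in TOOL_REGISTRY or isinstance(obj, (IPersistent, IItem))):
        return obj
    if default is _marker:          # anything else is treated as "no such tool"
        raise AttributeError(name)
    return default

def lookup_refused(site: Dict[str, Any], name: str) -> bool:
    """True when the guarded lookup (no default) refuses `name` with AttributeError."""
    try:
        guarded_tool_lookup(site, name)
    except AttributeError:
        return True
    return False

SITE: Dict[str, Any] = {  # constructed portal
    "portal_catalog": CatalogTool(),
    "helper": AcquiredHelper(),
    "portal_dummy": DummyTool(),
    "portal_dummy_item": DummyItemTool(),
}
```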


raggam-nl at adm

Nov 13, 2012, 2:39 AM

Post #6 of 7 (392 views)
Re: CMF security patches in Products.PloneHotfix20121106


Since most users are on the Zope mailing list (2323 users), I think
it's better to post there (and on Zope-dev).

https://mail.zope.org/mailman/listinfo/zope

johannes

On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
> On 11/9/12 11:33 AM, Charlie Clark wrote:
>> On 09.11.2012, 20:29, David Glick (Plone)
>> <david.glick [at] plone> wrote:
>>
>>> We should have informed you earlier. There are a lot of tasks
>>> associated with preparing a hotfix (and this one in particular
>>> covered many vulnerabilities), and it got missed. I apologize.
>>> In the future, what's the best place to report possible CMF
>>> security issues? zope-cmf Launchpad?
>>
>> Hi David,
>>
>> thanks for the quick response. I would definitely say just post
>> to the list to see if we're still alive. Can you say which
>> versions of CMF are affected?
>>
> Probably any that use getToolByName. The problem is that
> getToolByName can be used to get attributes that wouldn't normally
> be accessible from RestrictedPython. The hotfix adds some checks
> to make sure that the object that was found provides IPersistent
> or IItem (or is explicitly named in the tool registry), so that it
> is at least much harder to break out of the sandbox.
>
> Unfortunately this breaks non-persistent non-item dummy objects
> used in tests unless they are made to provide one of the
> interfaces that is checked. David
> _______________________________________________ Zope-CMF maillist -
> Zope-CMF [at] zope https://mail.zope.org/mailman/listinfo/zope-cmf
>
> See https://bugs.launchpad.net/zope-cmf/ for bug reports and
> feature requests


--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office [at] programmatic
web: http://programmatic.pro
http://bluedynamics.com


tseaver at palladion

Nov 15, 2012, 6:27 PM

Post #7 of 7 (384 views)
Re: CMF security patches in Products.PloneHotfix20121106


On 11/13/2012 05:39 AM, johannes raggam wrote:
> since most users are on the Zope mailing list (2323 users), i think
> it's better to post there (and on Zope-dev).
>
> https://mail.zope.org/mailman/listinfo/zope
>
> johannes
>
> On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
>> On 11/9/12 11:33 AM, Charlie Clark wrote:
>>> On 09.11.2012, 20:29, David Glick (Plone)
>>> <david.glick [at] plone> wrote:
>>>
>>>> We should have informed you earlier. There are a lot of tasks
>>>> associated with preparing a hotfix (and this one in particular
>>>> covered many vulnerabilities), and it got missed. I apologize.
>>>> In the future, what's the best place to report possible CMF
>>>> security issues? zope-cmf Launchpad?
>>>
>>> Hi David,
>>>
>>> thanks for the quick response. I would definitely say just post to
>>> the list to see if we're still alive. Can you say which versions
>>> of CMF are affected?
>>>
>> Probably any that use getToolByName. The problem is that
>> getToolByName can be used to get attributes that wouldn't normally
>> be accessible from RestrictedPython. The hotfix adds some checks to
>> make sure that the object that was found provides IPersistent or
>> IItem (or is explicitly named in the tool registry), so that it is
>> at least much harder to break out of the sandbox.
>
>> Unfortunately this breaks non-persistent non-item dummy objects used
>> in tests unless they are made to provide one of the interfaces that
>> is checked. David

This issue is now in Launchpad:

https://bugs.launchpad.net/zope-cmf/+bug/1079221


Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver [at] palladion
Palladion Software "Excellence by Design" http://palladion.com