r2688 - in zope2.12/trunk/debian (3 files)

arnau at users.alioth.debian.org
Sat Nov 24 06:00:42 UTC 2012


    Date: Saturday, November 24, 2012 @ 06:00:40
  Author: arnau
Revision: 2688

Fix Restricted Python sandbox escape (CVE-2012-5487).

Added:
  zope2.12/trunk/debian/patches/CVE-2012-5487.patch
Modified:
  zope2.12/trunk/debian/changelog
  zope2.12/trunk/debian/patches/series

Modified: zope2.12/trunk/debian/changelog
===================================================================
--- zope2.12/trunk/debian/changelog	2012-11-24 05:53:43 UTC (rev 2687)
+++ zope2.12/trunk/debian/changelog	2012-11-24 06:00:40 UTC (rev 2688)
@@ -4,6 +4,8 @@
     + Fix Reflexive HTTP header injection (CVE-2012-5486).
     + Fix Timing attack in password validation (CVE-2012-5507).
     + Fix PRNG which wasn't reseeded (CVE-2012-5508).
+  * debian/patches/CVE-2012-5487.patch:
+    + Fix Restricted Python sandbox escape (CVE-2012-5487).
   * debian/control:
     + Bump zope.common required version as the debconf template
       has been updated to fix #656552.
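Review bot: the new `debian/patches/CVE-2012-5487.patch` entry describes the fix only as "Fix Restricted Python sandbox escape" and gives no hint of what the patch actually changes; the other security bullets above it follow the same terse pattern, but since this one is a one-line access-control change it would help future maintainers to state the mechanism, e.g. "+ Fix Restricted Python sandbox escape by denying restricted code access to allow_module (CVE-2012-5487)." Also consider adding the upstream advisory or Debian bug reference the way the `debian/control` entry below cites #656552.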

Added: zope2.12/trunk/debian/patches/CVE-2012-5487.patch
===================================================================
--- zope2.12/trunk/debian/patches/CVE-2012-5487.patch	                        (rev 0)
+++ zope2.12/trunk/debian/patches/CVE-2012-5487.patch	2012-11-24 06:00:40 UTC (rev 2688)
@@ -0,0 +1,13 @@
+Index: zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py
+===================================================================
+--- zope2.12-2.12.26.orig/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-22 18:57:27.000000000 +0900
++++ zope2.12-2.12.26/source/Zope2/src/AccessControl/SecurityInfo.py	2012-11-24 13:23:20.669183242 +0900
+@@ -311,6 +311,8 @@
+         ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
+         dot = module_name.find('.', dot + 1)
+ 
++allow_module.__roles__ = ()
++
+ def allow_class(Class):
+     """Allow a class and all of its methods to be used from a
+     restricted Script.  The argument Class must be a class."""
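Review bot: the patch file has no DEP-3 header: it begins directly with the `Index:` line and carries no `Description:`, `Origin:`, `Bug:` or `Last-Update:` fields, so nothing in the patch itself records that it addresses CVE-2012-5487 or where it came from; add a short header such as "Description: Deny restricted code access to allow_module (CVE-2012-5487)" above the `Index:` line. On the change itself, setting `allow_module.__roles__ = ()` makes `allow_module` inaccessible to restricted code, which closes the escape of calling it from a Script to widen module access, but the hunk shows that `allow_class`, defined immediately below, is left untouched; please confirm whether `allow_class` (and any sibling helper such as the `ModuleSecurityInfo(...).setDefaultAccess(1)` call visible in the context) is already unreachable from restricted code or needs the same `__roles__ = ()` treatment in this patch.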

Modified: zope2.12/trunk/debian/patches/series
===================================================================
--- zope2.12/trunk/debian/patches/series	2012-11-24 05:53:43 UTC (rev 2687)
+++ zope2.12/trunk/debian/patches/series	2012-11-24 06:00:40 UTC (rev 2688)
@@ -3,3 +3,4 @@
 Zope2-webdav_urljoin.patch
 Zope2-deb_zopeconf.patch
 ZODB3-fix_shebang.patch
+CVE-2012-5487.patch
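Review bot: the new entry is appended at the end of `series`, after `ZODB3-fix_shebang.patch`, which is the right position for a patch that touches a different file than the existing ones, but its name breaks the existing convention: every other entry is prefixed with the component it modifies (`Zope2-…`, `ZODB3-…`), while this one is bare `CVE-2012-5487.patch`. Since the patch modifies `source/Zope2/src/AccessControl/SecurityInfo.py`, naming it `Zope2-CVE-2012-5487.patch` (and updating the changelog and the `Added:` path accordingly) would keep the series self-describing.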
