Diffstat (limited to 'net-zope/zope')
-rw-r--r-- | net-zope/zope/ChangeLog | 11 | ||||
-rw-r--r-- | net-zope/zope/files/CVE-2009-0668+0669.patch | 117 | ||||
-rw-r--r-- | net-zope/zope/zope-2.10.7-r1.ebuild | 80 | ||||
-rw-r--r-- | net-zope/zope/zope-2.9.10-r1.ebuild | 80 |
4 files changed, 286 insertions, 2 deletions
diff --git a/net-zope/zope/ChangeLog b/net-zope/zope/ChangeLog
index 059dad0f29ef..55b832bbedf8 100644
--- a/net-zope/zope/ChangeLog
+++ b/net-zope/zope/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-zope/zope
-# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/ChangeLog,v 1.151 2008/11/24 09:14:04 tupone Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/ChangeLog,v 1.152 2009/08/17 10:14:28 a3li Exp $
+
+*zope-2.10.7-r1 (17 Aug 2009)
+*zope-2.9.10-r1 (17 Aug 2009)
+
+ 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zope-2.9.10-r1.ebuild,
+ +zope-2.10.7-r1.ebuild, +files/CVE-2009-0668+0669.patch:
+ Non-maintainer commit: Version bump for security bug 278824.
 
 24 Nov 2008; Alfredo Tupone <tupone@gentoo.org> -zope-2.9.7.ebuild,
 -zope-2.9.8.ebuild, -zope-2.9.9.ebuild, -zope-2.10.3.ebuild,
diff --git a/net-zope/zope/files/CVE-2009-0668+0669.patch b/net-zope/zope/files/CVE-2009-0668+0669.patch
new file mode 100644
index 000000000000..ba8ca9711cc9
--- /dev/null
+++ b/net-zope/zope/files/CVE-2009-0668+0669.patch
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: lib/python/ZEO/StorageServer.py
+===================================================================
+--- lib/python/ZEO/StorageServer.py
++++ lib/python/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+ 
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+ 
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: lib/python/ZEO/auth/auth_digest.py
+===================================================================
+--- lib/python/ZEO/auth/auth_digest.py
++++ lib/python/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+ 
+ extensions = [auth_get_challenge, auth_response]
+ 
+Index: lib/python/ZEO/tests/auth_plaintext.py
+===================================================================
+--- lib/python/ZEO/tests/auth_plaintext.py
++++ lib/python/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+ 
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: lib/python/ZEO/zrpc/connection.py
+===================================================================
+--- lib/python/ZEO/zrpc/connection.py
++++ lib/python/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+ 
+ def handshake(self):
+Index: lib/python/ZEO/zrpc/marshal.py
+===================================================================
+--- lib/python/ZEO/zrpc/marshal.py
++++ lib/python/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+ 
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+ 
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+ 
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
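Review bot: The rename of `finish_auth` to `_finish_auth` in the StorageServer.py hunk carries no comment saying why, and its protective effect presumably depends on the zrpc dispatcher refusing `_`-prefixed method names — that check is not part of this patch, so confirm it exists before relying on the rename alone. A one-line comment on the new definition, `# leading underscore: must not be reachable as a remote method`, would record the intent for the next reader. In the marshal.py hunk, `ServerMarshaller.decode` reuses the docstring of `Marshaller.decode` although it differs by installing `server_find_global`, which resolves only globals carrying a true `__no_side_effects__` attribute; a docstring such as `"""Decode msg like Marshaller.decode, but resolve only globals marked __no_side_effects__."""` would make that visible. Note that `ServerMarshaller` is installed only on `ManagedServerConnection` in the connection.py hunk, so the client-side `Marshaller` continues to use `find_global`.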
diff --git a/net-zope/zope/zope-2.10.7-r1.ebuild b/net-zope/zope/zope-2.10.7-r1.ebuild
new file mode 100644
index 000000000000..75102edfc336
--- /dev/null
+++ b/net-zope/zope/zope-2.10.7-r1.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/zope-2.10.7-r1.ebuild,v 1.1 2009/08/17 10:14:28 a3li Exp $
+EAPI=2
+
+inherit eutils multilib
+
+DESCRIPTION="Zope is a web application platform used for building high-performance, dynamic web sites"
+HOMEPAGE="http://www.zope.org"
+SRC_URI="http://www.zope.org/Products/Zope/${PV}/Zope-${PV}-final.tgz"
+
+LICENSE="ZPL"
+SLOT="${PV}"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="=dev-lang/python-2.4*"
+
+S="${WORKDIR}/Zope-${PV}-final"
+ZUID=zope
+ZGID=zope
+ZS_DIR=${ROOT%/}/usr/$(get_libdir)
+ZSERVDIR=${ZS_DIR}/${P}
+
+# Narrow the scope of ownership/permissions.
+# Security plan:
+# * ZUID is the superuser for all zope instances.
+# * ZGID is for a single instance's administration.
+# * Other' should not have any access to ${ZSERVDIR},
+# because they can work through the Zope web interface.
+# This should protect our code/data better.
+#
+# UPDATE: ${ZSERVDIR} is a lib directory and should be world readable
+# like e.g /usr/lib/python we do not store any user data there,
+# currently removed all custom permission stuff, for ${ZSERVDIR}
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2009-0668+0669.patch
+}
+
+src_configure() {
+ ./configure --prefix="${D}${ZSERVDIR}" --with-python=/usr/bin/python2.4 || die "Failed to execute ./configure ..."
+}
+
+src_install() {
+ dodoc README.txt
+ dodoc doc/*.txt
+ docinto PLATFORMS ; dodoc doc/PLATFORMS/*
+ docinto ZEO ; dodoc doc/ZEO/*
+
+ make install prefix="${D}${ZSERVDIR}" || die "Failed to install into ${D}${ZSERVDIR}"
+ rm -rf "${D}${ZSERVDIR}"/doc
+ dosym ../../share/doc/${PF} ${ZSERVDIR}/doc
+
+ # copy the init script skeleton to skel directory of our installation
+ insinto "${ZSERVDIR}"/skel
+ doins "${FILESDIR}"/zope.initd
+}
+
+src_test() {
+ einfo "Tests disabled by Gentoo team."
+}
+
+pkg_postinst() {
+ # create the zope user and group for backward compatibility
+ enewgroup ${ZGID} 261
+ usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null || \
+ enewuser ${ZUID} 261 -1 /var/$(get_libdir)/zope ${ZGID}
+
+ einfo "Be warned that you need at least one zope instance to run zope."
+ einfo "Please emerge zope-config for futher instance management."
+}
+
+pkg_prerm() {
+ #Remove old compiled code
+ rm ${ZSERVDIR}/bin/copyzopeskel.pyc
+
+ #need to remove this symlink because portage keeps links to
+ #existing targets
+ rm ${ZSERVDIR}/bin/python
+}
diff --git a/net-zope/zope/zope-2.9.10-r1.ebuild b/net-zope/zope/zope-2.9.10-r1.ebuild
new file mode 100644
index 000000000000..feafff5d00bd
--- /dev/null
+++ b/net-zope/zope/zope-2.9.10-r1.ebuild
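Review bot: In `pkg_postinst`, `usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null` redirects stderr to the original stdout before stdout is sent to /dev/null, so usermod's error text still reaches the terminal and only its stdout is discarded; if both streams are meant to be silent the order has to be `usermod -g ${ZGID} ${ZUID} >/dev/null 2>&1 || \`. The same line appears in zope-2.9.10-r1.ebuild in this commit. Separately, `pkg_prerm` removes `${ZSERVDIR}/bin/copyzopeskel.pyc` and `${ZSERVDIR}/bin/python` with a bare `rm`, which prints an error when either file is already absent; `rm -f` would make the cleanup idempotent, and quoting `"${ZSERVDIR}"` keeps it safe if the path ever contains whitespace.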
@@ -0,0 +1,80 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/zope-2.9.10-r1.ebuild,v 1.1 2009/08/17 10:14:28 a3li Exp $
+EAPI=2
+
+inherit eutils multilib
+
+DESCRIPTION="Zope is a web application platform used for building high-performance, dynamic web sites"
+HOMEPAGE="http://www.zope.org"
+SRC_URI="http://www.zope.org/Products/Zope/${PV}/Zope-${PV}-final.tgz"
+
+LICENSE="ZPL"
+SLOT="${PV}"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="=dev-lang/python-2.4*"
+
+S="${WORKDIR}/Zope-${PV}-final"
+ZUID=zope
+ZGID=zope
+ZS_DIR=${ROOT%/}/usr/$(get_libdir)
+ZSERVDIR=${ZS_DIR}/${P}
+
+# Narrow the scope of ownership/permissions.
+# Security plan:
+# * ZUID is the superuser for all zope instances.
+# * ZGID is for a single instance's administration.
+# * Other' should not have any access to ${ZSERVDIR},
+# because they can work through the Zope web interface.
+# This should protect our code/data better.
+#
+# UPDATE: ${ZSERVDIR} is a lib directory and should be world readable
+# like e.g /usr/lib/python we do not store any user data there,
+# currently removed all custom permission stuff, for ${ZSERVDIR}
+
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2009-0668+0669.patch
+}
+
+src_configure() {
+ ./configure --prefix="${D}${ZSERVDIR}" --with-python=/usr/bin/python2.4 || die "Failed to execute ./configure ..."
+}
+
+src_install() {
+ dodoc README.txt
+ dodoc Zope/doc/*.txt
+ docinto PLATFORMS ; dodoc Zope/doc/PLATFORMS/*
+ docinto ZEO ; dodoc Zope/doc/ZEO/*
+
+ make install prefix="${D}"${ZSERVDIR} || die "Failed to install into ${D}${ZSERVDIR}"
+ rm -rf "${D}"${ZSERVDIR}/doc
+ dosym ../../share/doc/${PF} ${ZSERVDIR}/doc
+
+ # copy the init script skeleton to skel directory of our installation
+ cp "${FILESDIR}"/zope.initd "${D}"/${ZSERVDIR}/skel/zope.initd
+}
+
+src_test() {
+ einfo "Tests disabled by Gentoo team."
+}
+
+pkg_postinst() {
+ # create the zope user and group for backward compatibility
+ enewgroup ${ZGID} 261
+ usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null || \
+ enewuser ${ZUID} 261 -1 /var/$(get_libdir)/zope ${ZGID}
+
+ einfo "Be warned that you need at least one zope instance to run zope."
+ einfo "Please emerge zope-config for futher instance management."
+}
+
+pkg_prerm() {
+ #Remove old compiled code
+ rm ${ZSERVDIR}/bin/copyzopeskel.pyc
+
+ #need to remove this symlink because portage keeps links to
+ #existing targets
+ rm ${ZSERVDIR}/bin/python
+}
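Review bot: In `src_install` of zope-2.9.10-r1.ebuild, `cp "${FILESDIR}"/zope.initd "${D}"/${ZSERVDIR}/skel/zope.initd` has no `|| die`, so under EAPI=2 a failed copy (for instance when the skel directory does not exist in the image) is silently ignored and the package installs without its init-script skeleton. The sibling zope-2.10.7-r1.ebuild in this commit does the same step with `insinto "${ZSERVDIR}"/skel` and `doins "${FILESDIR}"/zope.initd`, which creates the directory and aborts on failure; using those two lines here as well would fix the silent failure and keep the two ebuilds consistent. The `src_install` function starts in the previous hunk line of this file section.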