Diffstat (limited to 'net-zope/zope')
-rw-r--r--net-zope/zope/ChangeLog11
-rw-r--r--net-zope/zope/files/CVE-2009-0668+0669.patch117
-rw-r--r--net-zope/zope/zope-2.10.7-r1.ebuild80
-rw-r--r--net-zope/zope/zope-2.9.10-r1.ebuild80
4 files changed, 286 insertions, 2 deletions
diff --git a/net-zope/zope/ChangeLog b/net-zope/zope/ChangeLog
index 059dad0f29ef..55b832bbedf8 100644
--- a/net-zope/zope/ChangeLog
+++ b/net-zope/zope/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-zope/zope
-# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/ChangeLog,v 1.151 2008/11/24 09:14:04 tupone Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/ChangeLog,v 1.152 2009/08/17 10:14:28 a3li Exp $
+
+*zope-2.10.7-r1 (17 Aug 2009)
+*zope-2.9.10-r1 (17 Aug 2009)
+
+ 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zope-2.9.10-r1.ebuild,
+ +zope-2.10.7-r1.ebuild, +files/CVE-2009-0668+0669.patch:
+ Non-maintainer commit: Version bump for security bug 278824.
24 Nov 2008; Alfredo Tupone <tupone@gentoo.org> -zope-2.9.7.ebuild,
-zope-2.9.8.ebuild, -zope-2.9.9.ebuild, -zope-2.10.3.ebuild,
diff --git a/net-zope/zope/files/CVE-2009-0668+0669.patch b/net-zope/zope/files/CVE-2009-0668+0669.patch
new file mode 100644
index 000000000000..ba8ca9711cc9
--- /dev/null
+++ b/net-zope/zope/files/CVE-2009-0668+0669.patch
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: lib/python/ZEO/StorageServer.py
+===================================================================
+--- lib/python/ZEO/StorageServer.py
++++ lib/python/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: lib/python/ZEO/auth/auth_digest.py
+===================================================================
+--- lib/python/ZEO/auth/auth_digest.py
++++ lib/python/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+Index: lib/python/ZEO/tests/auth_plaintext.py
+===================================================================
+--- lib/python/ZEO/tests/auth_plaintext.py
++++ lib/python/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: lib/python/ZEO/zrpc/connection.py
+===================================================================
+--- lib/python/ZEO/zrpc/connection.py
++++ lib/python/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+Index: lib/python/ZEO/zrpc/marshal.py
+===================================================================
+--- lib/python/ZEO/zrpc/marshal.py
++++ lib/python/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
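Review bot: `server_find_global` calls `__import__` on the client-supplied module name before the `__no_side_effects__` test, so the allowlist gates only which object is handed back to the unpickler, not whose module-level code runs; a client that can reach the ZEO port can still cause the server to import any module resolvable on its path, which is worth either documenting (`# NOTE: __import__ executes module-level code for any importable name; only the returned attribute is gated below`) or tightening to a lookup in `sys.modules` or a fixed list of modules before importing. The `finish_auth` → `_finish_auth` rename closes the remote auth bypass only if the zrpc dispatcher refuses underscore-prefixed method names; that check lives in connection.py outside this patch, so it should be confirmed rather than assumed. `new_oids` now silently clamps to 100 but its docstring still describes 100 only as the default; `"""Return a sequence of n new oids; n defaults to 100 and is capped at 100"""` would match the code. `ServerMarshaller.decode` also copies the parent's bare `except:`, which is tolerable because it re-raises after logging, but `except Exception:` would avoid swallowing-then-logging `KeyboardInterrupt` and friends.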
diff --git a/net-zope/zope/zope-2.10.7-r1.ebuild b/net-zope/zope/zope-2.10.7-r1.ebuild
new file mode 100644
index 000000000000..75102edfc336
--- /dev/null
+++ b/net-zope/zope/zope-2.10.7-r1.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/zope-2.10.7-r1.ebuild,v 1.1 2009/08/17 10:14:28 a3li Exp $
+EAPI=2
+
+inherit eutils multilib
+
+DESCRIPTION="Zope is a web application platform used for building high-performance, dynamic web sites"
+HOMEPAGE="http://www.zope.org"
+SRC_URI="http://www.zope.org/Products/Zope/${PV}/Zope-${PV}-final.tgz"
+
+LICENSE="ZPL"
+SLOT="${PV}"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="=dev-lang/python-2.4*"
+
+S="${WORKDIR}/Zope-${PV}-final"
+ZUID=zope
+ZGID=zope
+ZS_DIR=${ROOT%/}/usr/$(get_libdir)
+ZSERVDIR=${ZS_DIR}/${P}
+
+# Narrow the scope of ownership/permissions.
+# Security plan:
+# * ZUID is the superuser for all zope instances.
+# * ZGID is for a single instance's administration.
+# * Other' should not have any access to ${ZSERVDIR},
+# because they can work through the Zope web interface.
+# This should protect our code/data better.
+#
+# UPDATE: ${ZSERVDIR} is a lib directory and should be world readable
+# like e.g /usr/lib/python we do not store any user data there,
+# currently removed all custom permission stuff, for ${ZSERVDIR}
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2009-0668+0669.patch
+}
+
+src_configure() {
+ ./configure --prefix="${D}${ZSERVDIR}" --with-python=/usr/bin/python2.4 || die "Failed to execute ./configure ..."
+}
+
+src_install() {
+ dodoc README.txt
+ dodoc doc/*.txt
+ docinto PLATFORMS ; dodoc doc/PLATFORMS/*
+ docinto ZEO ; dodoc doc/ZEO/*
+
+ make install prefix="${D}${ZSERVDIR}" || die "Failed to install into ${D}${ZSERVDIR}"
+ rm -rf "${D}${ZSERVDIR}"/doc
+ dosym ../../share/doc/${PF} ${ZSERVDIR}/doc
+
+ # copy the init script skeleton to skel directory of our installation
+ insinto "${ZSERVDIR}"/skel
+ doins "${FILESDIR}"/zope.initd
+}
+
+src_test() {
+ einfo "Tests disabled by Gentoo team."
+}
+
+pkg_postinst() {
+ # create the zope user and group for backward compatibility
+ enewgroup ${ZGID} 261
+ usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null || \
+ enewuser ${ZUID} 261 -1 /var/$(get_libdir)/zope ${ZGID}
+
+ einfo "Be warned that you need at least one zope instance to run zope."
+ einfo "Please emerge zope-config for futher instance management."
+}
+
+pkg_prerm() {
+ #Remove old compiled code
+ rm ${ZSERVDIR}/bin/copyzopeskel.pyc
+
+ #need to remove this symlink because portage keeps links to
+ #existing targets
+ rm ${ZSERVDIR}/bin/python
+}
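Review bot: `ZS_DIR` is derived from `${ROOT%/}` at global scope and then used in `./configure --prefix="${D}${ZSERVDIR}"` and `make install prefix="${D}${ZSERVDIR}"`, so for any ROOT other than `/` the image path is doubled (`${D}${ROOT}/usr/lib/...`) and the merge lands the files outside the intended location; as far as I recall PMS also does not define ROOT for src_* phases in EAPI 2. Dropping ROOT from the global definition (`ZS_DIR=/usr/$(get_libdir)`) and prefixing `${ROOT}` only where it belongs in `pkg_prerm` (`rm "${ROOT}${ZSERVDIR}"/bin/python`) fixes both. In `pkg_postinst`, `usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null` sends stderr to the terminal and only stdout to /dev/null, which looks like the reverse of the intent; if the goal is to silence the call, the order is `>/dev/null 2>&1`. Creating the user and group in `pkg_postinst` also runs too late for any ownership set during `src_install`, though nothing in this ebuild chowns to zope, so that is a convention point only.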
diff --git a/net-zope/zope/zope-2.9.10-r1.ebuild b/net-zope/zope/zope-2.9.10-r1.ebuild
new file mode 100644
index 000000000000..feafff5d00bd
--- /dev/null
+++ b/net-zope/zope/zope-2.9.10-r1.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zope/zope-2.9.10-r1.ebuild,v 1.1 2009/08/17 10:14:28 a3li Exp $
+EAPI=2
+
+inherit eutils multilib
+
+DESCRIPTION="Zope is a web application platform used for building high-performance, dynamic web sites"
+HOMEPAGE="http://www.zope.org"
+SRC_URI="http://www.zope.org/Products/Zope/${PV}/Zope-${PV}-final.tgz"
+
+LICENSE="ZPL"
+SLOT="${PV}"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND="=dev-lang/python-2.4*"
+
+S="${WORKDIR}/Zope-${PV}-final"
+ZUID=zope
+ZGID=zope
+ZS_DIR=${ROOT%/}/usr/$(get_libdir)
+ZSERVDIR=${ZS_DIR}/${P}
+
+# Narrow the scope of ownership/permissions.
+# Security plan:
+# * ZUID is the superuser for all zope instances.
+# * ZGID is for a single instance's administration.
+# * Other' should not have any access to ${ZSERVDIR},
+# because they can work through the Zope web interface.
+# This should protect our code/data better.
+#
+# UPDATE: ${ZSERVDIR} is a lib directory and should be world readable
+# like e.g /usr/lib/python we do not store any user data there,
+# currently removed all custom permission stuff, for ${ZSERVDIR}
+
+src_prepare() {
+ epatch "${FILESDIR}"/CVE-2009-0668+0669.patch
+}
+
+src_configure() {
+ ./configure --prefix="${D}${ZSERVDIR}" --with-python=/usr/bin/python2.4 || die "Failed to execute ./configure ..."
+}
+
+src_install() {
+ dodoc README.txt
+ dodoc Zope/doc/*.txt
+ docinto PLATFORMS ; dodoc Zope/doc/PLATFORMS/*
+ docinto ZEO ; dodoc Zope/doc/ZEO/*
+
+ make install prefix="${D}"${ZSERVDIR} || die "Failed to install into ${D}${ZSERVDIR}"
+ rm -rf "${D}"${ZSERVDIR}/doc
+ dosym ../../share/doc/${PF} ${ZSERVDIR}/doc
+
+ # copy the init script skeleton to skel directory of our installation
+ cp "${FILESDIR}"/zope.initd "${D}"/${ZSERVDIR}/skel/zope.initd
+}
+
+src_test() {
+ einfo "Tests disabled by Gentoo team."
+}
+
+pkg_postinst() {
+ # create the zope user and group for backward compatibility
+ enewgroup ${ZGID} 261
+ usermod -g ${ZGID} ${ZUID} 2>&1 >/dev/null || \
+ enewuser ${ZUID} 261 -1 /var/$(get_libdir)/zope ${ZGID}
+
+ einfo "Be warned that you need at least one zope instance to run zope."
+ einfo "Please emerge zope-config for futher instance management."
+}
+
+pkg_prerm() {
+ #Remove old compiled code
+ rm ${ZSERVDIR}/bin/copyzopeskel.pyc
+
+ #need to remove this symlink because portage keeps links to
+ #existing targets
+ rm ${ZSERVDIR}/bin/python
+}
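Review bot: `cp "${FILESDIR}"/zope.initd "${D}"/${ZSERVDIR}/skel/zope.initd` in `src_install` has no `|| die` and, unlike the sibling 2.10.7-r1 ebuild, does not use `insinto`/`doins`, so if the tarball's `skel` directory is absent the copy fails silently and the package installs without its init-script skeleton; `insinto "${ZSERVDIR}"/skel` followed by `doins "${FILESDIR}"/zope.initd` creates the directory and dies on failure. The same `make install` line mixes quoting (`prefix="${D}"${ZSERVDIR}`) while `src_configure` quotes the whole path; one form should be used throughout. As in the 2.10.7-r1 ebuild, `ZS_DIR` bakes `${ROOT%/}` into a path that is then prefixed with `${D}` at build time, which doubles the path for any ROOT other than `/`, and the `2>&1 >/dev/null` on the `usermod` call hides stdout but not stderr.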