Bug 19329

Summary: zope ports security vulnerability
Product: Ports & Packages
Reporter: thomas <thomas>
Component: Individual Port(s)
Assignee: alex <alex>
Status: Closed FIXED
Severity: Affects Only Me
CC: ports
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description thomas 2000-06-16 06:50:00 UTC
        A security vulnerability of the Zope release in the current
        ports system was found. Here is the advisory from Digital
        Creations (the creators of Zope):

        News Item: Zope security alert and 2.1.7 update

        Created by Brian on 2000/06/15.

        We have recently become aware of an important security issue
        that affects all released Zope versions including the recent
        2.2 beta 1 release.

        The issue involves an inadequately protected method in one of
        the base classes in the DocumentTemplate package that could
        allow the contents of DTMLDocuments or DTMLMethods to be changed
        remotely or through DTML code without forcing proper user authorization.

        A Zope 2.1.7 release has been made that resolves this issue for Zope
        2.1.x users. This release is available from Zope.org:

        http://www.zope.org/Products/Zope/2.1.7/

        .....

        While we know of no instances of this issue being used to exploit a site,
        we *highly* recommend that any Zope site that is accessible by untrusted
        clients take the appropriate mitigation steps immediately.

        Not sure if that would warrant a ports security alert; I sure
        would like to see one.

Fix: A patch is attached to upgrade the port to the recommended
        version.
        I also took the liberty of changing the directory where Data.fs is
        saved on de-install from /tmp to /var/tmp so it will survive a
        reboot. An appropriate message is given now too.

	-Th

diff -ur zope/Makefile zope.new/Makefile
--- zope/Makefile	Mon May 29 03:14:24 2000
+++ zope.new/Makefile	Thu Jun 15 21:26:09 2000
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	zope
-PORTVERSION=	2.1.6
+PORTVERSION=	2.1.7
 CATEGORIES=	www python
 MASTER_SITES=	http://www.zope.org/Products/Zope/${PORTVERSION}/
 DISTNAME=	Zope-${PORTVERSION}-src
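Review bot: the bump to `PORTVERSION=	2.1.7` is the entire fix here, so the safety of this update rests on the new files/md5 entry: MASTER_SITES fetches over plain http and the port performs no signature check, so confirm the checksum was computed from a tarball fetched from http://www.zope.org/Products/Zope/2.1.7/ and cross-checked against the value published with the 2.1.7 announcement before committing.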
@@ -73,12 +73,5 @@
 		${ECHO} "===>   The Zope license is in ${ZOPEBASEDIR}/LICENSE.txt." ; \
 		${ECHO} "===>   For Apache changes see ${APACHE_CONFDIR}/apache.conf.Zope-Changes." ; \
 		${ECHO} "===>   Zope.cgi and pcgi-wrapper live in ${CGI_BIN_DIR}." )
-
-#pre-deinstall:	# Save Database contents. I expect /tmp to have sufficient
-#		# space to hold it for the time being.
-#		@if [ -e ${ZOPEBASEDIR}/var/Data.fs ] ; then \
-#			${ECHO} "Saving existing Database to /tmp/Data.fs.bak." ; \
-#			${MV} ${ZOPEBASEDIR}/var/Data.fs /tmp/Data.fs.bak ; \
-#			fi
 
 .include <bsd.port.mk>
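Review bot: removing the commented-out pre-deinstall target is fine since it was dead code and the PLIST @unexec now does the save, but the post-install message directly above this hunk still says nothing about what happens to Data.fs on deinstall; an extra ${ECHO} line there naming the backup location would carry the hint that the deleted comment used to provide.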
diff -ur zope/files/md5 zope.new/files/md5
--- zope/files/md5	Mon May 29 03:14:25 2000
+++ zope.new/files/md5	Thu Jun 15 21:28:12 2000
@@ -1 +1 @@
-MD5 (Zope-2.1.6-src.tgz) = 6ec4320afd6925c24f9f1b5cd7c4d7c5
+MD5 (Zope-2.1.7-src.tgz) = b07a0d4055d13eb9f1361cd96a47c265
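Review bot: the checksum line changes in step with PORTVERSION, as it must, but an MD5 in files/md5 only catches a corrupted or substituted download if the value itself came from a trusted source; note in the commit log where `b07a0d4055d13eb9f1361cd96a47c265` was obtained (for example the release announcement) so it can be re-verified later, and run `make checksum` against a freshly fetched distfile before committing.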
diff -ur zope/pkg/PLIST zope.new/pkg/PLIST
--- zope/pkg/PLIST	Mon May 29 03:14:30 2000
+++ zope.new/pkg/PLIST	Thu Jun 15 21:49:33 2000
@@ -847,6 +847,18 @@
 %%ZOPEBASEDIR%%/lib/python/ZClasses/propertysheets.gif
 %%ZOPEBASEDIR%%/lib/python/ZClasses/subobjects.dtml
 %%ZOPEBASEDIR%%/lib/python/ZClasses/views.dtml
+%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/FileLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/ZLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/__init__.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/stupidFileLogger.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslog.pyc
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.py
+%%ZOPEBASEDIR%%/lib/python/ZLogger/syslogLogger.pyc
 %%ZOPEBASEDIR%%/lib/python/ZODB/.cvsignore
 %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.py
 %%ZOPEBASEDIR%%/lib/python/ZODB/BaseStorage.pyc
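Review bot: the new lib/python/ZLogger entries follow the .py/.pyc pairing the rest of the plist uses and sit in sorted order between ZClasses and ZODB, but this hunk only adds files and removes none; make sure the list was regenerated from an actual 2.1.7 `make install` rather than from the tarball listing, since a 2.1.6-era entry that 2.1.7 no longer ships would surface only as a warning at deinstall, not as a build failure.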
@@ -1096,6 +1108,7 @@
 @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay/www
 @dirrm %%ZOPEBASEDIR%%/lib/python/TreeDisplay
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZClasses
+@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZODB
 @dirrm %%ZOPEBASEDIR%%/lib/python/ZPublisher
 @dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger
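Review bot: the added `@dirrm %%ZOPEBASEDIR%%/lib/python/ZLogger` is in the right sorted position, but the unchanged `@dirrm %%ZOPEBASEDIR%%/lib/python/Zope/ZLogger` two lines below refers to a second, older ZLogger tree; confirm the 2.1.7 install really contains both directories, otherwise the stale @dirrm will complain on every deinstall.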
@@ -1110,7 +1123,8 @@
 @dirrm %%ZOPEBASEDIR%%/pcgi/Win32
 @dirrm %%ZOPEBASEDIR%%/pcgi
 @dirrm %%ZOPEBASEDIR%%/utilities
-@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /tmp/Data.fs.bak
+@unexec /bin/echo Preserving existing Database to /var/tmp/Data.fs.bak
+@unexec mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/tmp/Data.fs.bak
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.in
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.lock
 @unexec rm -f %D/%%ZOPEBASEDIR%%/var/Data.fs.tmp
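Review bot: `mv -f %D/%%ZOPEBASEDIR%%/var/Data.fs /var/tmp/Data.fs.bak` moves the whole ZODB, which holds the site's content and its user folder, into a world-writable directory under a fixed, predictable name. /var/tmp survives a reboot as intended, but any local user can pre-create /var/tmp/Data.fs.bak before the deinstall runs (as a directory, for instance, so the mv drops the file inside something they own), and the moved file keeps whatever mode Data.fs had. Prefer a root-owned, non-shared location such as a backups directory created with mode 0700, or at least a mktemp-generated name. Two smaller points: the echo on the preceding line is printed even when Data.fs does not exist, and `mv -f` with no existence test (which the old commented Makefile block did have) will print an error in that case; guard both with `[ -f %D/%%ZOPEBASEDIR%%/var/Data.fs ] &&`.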
How-To-Repeat: 
	See above
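A safer form of the Data.fs preservation step described in the fix, written here as an added example and not code from this PR or from the FreeBSD Zope port: it refuses a destination directory that other users can write to (so both /tmp and /var/tmp are rejected), creates the backup under an unpredictable name with mktemp(1), and tightens the mode afterwards, since mv keeps the source file's permissions. The function names safe_backup_dir and preserve_datafs and the backup directory argument are my own; the script assumes a POSIX sh, a mktemp(1) that accepts a template path, and an `ls -ld` that prints the usual ten-character mode field.

```shell
#!/bin/sh
# Added example: move a Zope Data.fs aside on deinstall without handing it to
# a shared, world-writable directory. Not part of the PR or the port.

# safe_backup_dir DIR
# Succeeds only if DIR exists and is not writable by "other". The mode field
# from `ls -ld` reads drwxrwxrwt for /var/tmp; character 9 is the other-write
# bit, so any shared temp directory (sticky or not) is rejected here.
safe_backup_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    case $(ls -ld "$dir" | cut -c1-10) in
        ????????w?) return 1 ;;
    esac
    return 0
}

# preserve_datafs SRC DIR
# Moves SRC into DIR under a unique name (Data.fs.bak.XXXXXX), makes it
# owner-readable only, and prints the new path. Exit status:
#   0 moved, 2 SRC absent (nothing to do), 3 DIR unsafe, 4/5 mktemp/mv failed.
preserve_datafs() {
    src=$1
    dir=$2
    [ -f "$src" ] || { echo "preserve_datafs: nothing to preserve at $src" >&2; return 2; }
    safe_backup_dir "$dir" || { echo "preserve_datafs: refusing missing or world-writable $dir" >&2; return 3; }
    # mktemp creates the file itself, so nobody can pre-create or guess the name.
    dest=$(mktemp "$dir/Data.fs.bak.XXXXXX") || return 4
    # rename(2) replaces our empty placeholder with SRC; the result keeps SRC's
    # mode, hence the chmod after the move rather than before it.
    mv -f "$src" "$dest" || return 5
    chmod 0600 "$dest" || return 5
    echo "$dest"
}

# Usage from a deinstall hook (paths are assumed, not the port's):
#   preserve_datafs /usr/local/www/Zope/var/Data.fs /var/backups
```

The check is deliberately mode-based rather than ownership-based: a deinstall runs as root, which can write anywhere, so the question is not whether we may write to the directory but whether someone else already could have.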
Comment 1 alex freebsd_committer freebsd_triage 2000-06-27 11:28:46 UTC
State Changed
From-To: open->feedback

alex:~/work/zope $ make 
Comment 2 alex freebsd_committer freebsd_triage 2000-06-28 12:11:40 UTC
State Changed
From-To: feedback->closed

Originator says that this update is obsolete since the authors 
decided to update something. Or such. 
However, he said, this PR can be closed.