Bug 366901 (CVE-2007-5741)

Summary: CVE-2007-5741 plone: python code injection via pickle cookie
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jparsons, rmccabe, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-06 14:08:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Plone hotfix none

Description Tomas Hoger 2007-11-05 15:42:10 UTC 
A vulnerability was discovered in the statusmessages and linkintegrity
modules, where unsafe network data was interpreted as python pickles. This
allowed an attacker to run arbitrary python code within the Zope/Plone
process.
Comment 1 Tomas Hoger 2007-11-05 15:43:34 UTC 
Created attachment 248361 [details]
Plone hotfix
Comment 2 Tomas Hoger 2007-11-05 15:49:44 UTC 
Some Plone components are shipped in conga - luci.  Module statusmessages seems
to be included.

James, can you please confirm whether conga packages are affected by this issue?
 Thanks!
Comment 3 Ryan McCabe 2007-11-05 16:25:52 UTC 
Hi, we're (luci) not affected by this. We broke this functionality on purpose.
Even though the code is shipped with luci because of dependencies, the code path
can (AFAICS) never be tripped, as we've stripped down the default page templates
substantially. Confirm by trying something like
https://<luci_server_host>:8084/luci/homebase?portal_status_message=NOTHING_HERE_TO_SEE

We'll upgrade to the latest versions of Zope and Plone for the next version we
ship, though, to be safe.
Comment 4 Jim Parsons 2007-11-05 17:06:57 UTC 
Ryan is spot on with his comment above. Thanks, Ryan.
Comment 5 Mark J. Cox 2007-11-06 14:10:00 UTC 
Now public at
http://plone.org/about/security/advisories/cve-2007-5741/
removing embargo