Bug 522392 (CVE-2009-2701)

Summary: CVE-2009-2701 Zope: Information disclosure (files read, removal) when ZEO server configured with blobs support
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: jonathansteffan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://pypi.python.org/pypi/ZODB3/3.8.3
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-10-05 07:24:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Lieskovsky 2009-09-10 09:34:51 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2701 to
the following vulnerability:

Unspecified vulnerability in the Zope Enterprise Objects (ZEO)
storage-server functionality in Zope Object Database (ZODB) 3.8 before
3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and
blob support are enabled, allows remote authenticated users to read or
delete arbitrary files via unknown vectors.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2701
https://mail.zope.org/pipermail/zope-announce/2009-September/002221.html
http://pypi.python.org/pypi/ZODB3/3.8.3
http://pypi.python.org/pypi/ZODB3/3.9.0c2
http://www.vupen.com/english/advisories/2009/2534

Comment 1 Jan Lieskovsky 2009-09-10 09:43:19 UTC
From:

https://mail.zope.org/pipermail/zope-announce/2009-September/002221.html

Jim Fulton mentions:

"The vulnerability was introduced in ZODB 3.8."

While the latest version of Zope, available in the EPEL-5 project
(zope-2.10.9-1.el5 - http://koji.fedoraproject.org/koji/buildinfo?buildID=12612),
seems to use ZODB-3.0 - from BUILD/Zope-2.10.9-final/doc/ZODB.txt:

"The Zope Object Database, ZODB, version 3.0", 

which would indicate this is not an issue for EPEL-5 Zope, 

e.g.: Zope-2.10.9-final/lib/python/ZODB/__init__.py says:

__version__ = "3.7.1"

which is still older than 3.8, but introduces enough doubtfulness
about the real version of ZODB we are using here.

Jonathan, could you have a look at the report details, and provide
final decision if current EPEL-5's Zope version is affected by this
issue? 

(Better to double-check and be sane, than omit something and be sorry).

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
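
The version check done by hand in comment 1 (reading __version__ from ZODB/__init__.py and comparing it with the ranges in the CVE text) can be scripted. The following is an added example, not code from this bug report or from Zope/ZODB: it parses ZODB-style version strings including release candidates (so 3.9.0c1 sorts before 3.9.0c2, which sorts before 3.9.0), tests them against the half-open ranges transcribed from the CVE description above, extracts __version__ from the text of an __init__.py, and applies a heuristic for the "blob support enabled" precondition by looking for a blob-dir directive in zeo.conf. The blob-dir directive name, the sample __init__.py sources and the sample zeo.conf are assumptions constructed for the example; they are not taken from any real package.

```python
import re
from typing import Tuple

# Version tuple shape: (major, minor, patch, pre_rank, pre_num).
# pre_rank orders alpha < beta < release candidate < final release.
VersionTuple = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|c|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "c": 2, "rc": 2}
_FINAL_RANK = 9


def parse_version(text: str) -> VersionTuple:
    """Parse a ZODB-style version string ('3.7.1', '3.8', '3.9.0c2') into a
    tuple that compares correctly, with pre-releases sorting before the
    final release of the same x.y.z."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        pre_rank, pre_num = _FINAL_RANK, 0
    else:
        pre_rank, pre_num = _PRE_RANK[tag], int(num)
    return (int(major), int(minor), int(patch or 0), pre_rank, pre_num)


# Affected ranges as half-open intervals [lo, hi), transcribed from the CVE
# text on this page: ZODB 3.8 before 3.8.3, and 3.9.x before 3.9.0c2.
AFFECTED_RANGES = [
    (parse_version("3.8a0"), parse_version("3.8.3")),
    (parse_version("3.9a0"), parse_version("3.9.0c2")),
]


def version_in_affected_range(text: str) -> bool:
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


_VERSION_ASSIGN = re.compile(r'^\s*__version__\s*=\s*["\']([^"\']+)["\']', re.MULTILINE)


def version_from_init_source(source: str) -> str:
    """Pull the __version__ string out of the text of ZODB/__init__.py, the
    same check comment 1 performs by hand (the doc/ZODB.txt banner can be
    stale, as the 3.0 vs 3.7.1 discrepancy above shows)."""
    m = _VERSION_ASSIGN.search(source)
    if m is None:
        raise ValueError("no __version__ assignment found")
    return m.group(1)


def zeo_conf_has_blobs(conf: str) -> bool:
    """Heuristic for the 'blob support enabled' precondition: look for a
    'blob-dir' directive outside comments. The directive name is an
    assumption about zeo.conf syntax, not something stated on this page."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("blob-dir"):
            return True
    return False


def assess(init_source: str, zeo_conf: str) -> str:
    """Combine the version and configuration checks into one verdict."""
    version = version_from_init_source(init_source)
    if not version_in_affected_range(version):
        return f"ZODB {version}: outside the affected range"
    if not zeo_conf_has_blobs(zeo_conf):
        return f"ZODB {version}: affected range, but no blob storage configured"
    return f"ZODB {version}: affected range with blob support enabled; upgrade"


# Constructed sample inputs (assumptions for the example, not real packages).
SAMPLE_INIT_EPEL5 = '''
"""ZODB package."""
__version__ = "3.7.1"
'''

SAMPLE_INIT_AFFECTED = '__version__ = "3.8.2"\n'

SAMPLE_ZEO_CONF = """
<zeo>
  address 8100
</zeo>
<blobstorage 1>
  blob-dir /var/zope/blobs
  <filestorage>
    path /var/zope/Data.fs
  </filestorage>
</blobstorage>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INIT_EPEL5, SAMPLE_ZEO_CONF))
    print(assess(SAMPLE_INIT_AFFECTED, SAMPLE_ZEO_CONF))
```

To run it against a real checkout, read ZODB/__init__.py and zeo.conf from disk and pass their contents to assess(). The release-candidate handling matters here because the fixed 3.9 version is itself a candidate (3.9.0c2), so a naive string or float comparison would misclassify 3.9.0c1 and 3.9.0.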

Comment 2 Jonathan Steffan 2009-10-04 20:15:23 UTC
After reviewing the information I could find, it does look like the ZODB version we are shipping is not vulnerable.

Comment 3 Tomas Hoger 2009-10-05 07:24:20 UTC
Closing based on comment #2.

Thank you for checking!