Personal tools
You are here: Home About Security Advisories CVE-2007-5741: Unsafe data interpreted as pickles
Navigation
Log in


Forgot your password?
New user?
 
Document Actions

CVE-2007-5741: Unsafe data interpreted as pickles

by Wichert Akkerman last modified November 17, 2007 - 09:33

This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.

This issue has been assigned CVE-2007-5741.

Affected versions

  • Plone 2.5 up to and including 2.5.4
  • Plone 3.0 up to and including 3.0.2

These fixes will be included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.

Installing the hotfix

If an updated Plone is not released by the time you read this, or you can not upgrade your Plone, you can install Plone Hotfix 2007-11-06. The hotfix can be installed as a normal Zope product:

  • Extract it in the Products directory of your Zope instance
  • Restart Zope
  • Verify that the hotfix is listed in the product management page in the Zope Control Panel

Reported incidents

No incidents of this happening to sites in the wild have been reported.

hotfix20071106 vs. statusmessages2.0.2

Posted by Beat Keller at November 6, 2007 - 11:58
statusmessages2.0.2 = "Serious security fix release. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5741 for the details."
Should it be installed in addition to hotfix20071106?

Re: hotfix20071106 vs. statusmessages2.0.2

Posted by Wichert Akkerman at November 6, 2007 - 12:08
Either works - they contain the same changes. statusmessage 2.0.2 is the new version of statusmessage which will be included in Plone 2.5.5.

For Plone 3.0.3 the required changes are in both statusmessage and plone.app.linkintegrity.

Plone 2.5.5.

Posted by Benjamin Carstens at November 22, 2007 - 13:00
Does anyone know when Plone 2.5.5. will be released?
I always thought it'd be around the same time as 3.0.3

Hotfix caused an Apache 502 error

Posted by Edmund Moseley at November 7, 2007 - 17:39
After installing the security hotfix, I started getting an Apache 502 bad gateway error. I narrowed it down to a controller python script which was using state.setNextAction(next_action). When I remove the Hotfix, it works fine again. Any ideas?

Re: Hotfix caused an Apache 502 error

Posted by Martijn Pieters at November 7, 2007 - 21:14
No ideas here. Can you narrow it down further and report a bug at https://dev.plone.org/plone?

Re: Hotfix caused an Apache 502 error

Posted by Edmund Moseley at November 8, 2007 - 17:04
I am trying to create a simple example to recreate my issue, but falling short. One thing to note is that I do not get any error when I run the same process without Apache, but continue to get:
"""Bad Gateway
The proxy server received an invalid response from an upstream server.""", when run behind Apache. Without the hotfix, it works with and without Apache. I will try and figure out if I have just done something silly in my code.

Re: Hotfix caused an Apache 502 error (solved)

Posted by Erico Andrei at November 9, 2007 - 14:24
I faced the same problem using a Plone 3.0.2 w/ this hotfix beeing server behing an Apache 2.2 (VirtualHost, Proxy and Rewrite Rules).
Looking at http://dev.plone.org I've found this similar problem "Plone Hotfix 20071106 breaks long status messages (depends on browser behavior)" documented and closed at http://dev.plone.org/plone/ticket/7325 .
Applied this patch and everything is running again.

Thanks

Posted by Edmund Moseley at November 9, 2007 - 15:05
Thanks erico_andrei,
this did the trick.

Updated hotfix

Posted by Martijn Pieters at November 17, 2007 - 09:35
The hotfix has been updated (version 20071106-2) and includes a fix for the 502 problem.

For any issues with the web site functionality, please file a ticket.

Please consult the policy on plone.org content if you want your content published on this site.

Servers and hosting by