CVE-2007-5741: Unsafe data interpreted as pickles

by Wichert Akkerman, last modified Nov 17, 2007 09:33 AM

This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where untrusted data received over the network was deserialized with Python's pickle module. Unpickling attacker-controlled data lets the attacker run arbitrary Python code within the Zope/Plone process, with the privileges of that process.

This issue has been assigned CVE-2007-5741.
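To make the class of bug concrete, here is the vulnerable pattern beside one hardened alternative. This is an added example written for this page, not Plone, statusmessages or linkintegrity code, and not the fix that shipped in statusmessages 2.0.2 or the hotfix; the cookie layout, the JSON message format, the secret and the `pickle_demo_ran` marker are all assumptions. The payload is deliberately harmless (it sets an attribute on the `sys` module so the execution is visible); the point is that a pickle stream names the callables it wants run, so whoever controls the bytes controls what runs.

```python
"""Added example for this page: why pickle.loads() on client data is code
execution, beside one hardened way to round-trip data through a cookie.
Illustrative code, not Plone/statusmessages/linkintegrity code; the cookie
layout, the JSON message format and the secret are assumptions."""
import base64
import hashlib
import hmac
import importlib
import json
import pickle
import sys

MARK = "payload executed during pickle.loads"


class ModuleRef:
    """Unpickles to a module object: the stream says 'call
    importlib.import_module(name)', and pickle obliges."""
    def __init__(self, name):
        self.name = name

    def __reduce__(self):
        return (importlib.import_module, (self.name,))


class Payload:
    """Unpickles to setattr(sys, "pickle_demo_ran", MARK).  A real attacker
    would name os.system or subprocess.Popen here; the harmless attribute
    only makes the execution observable (assumed marker name)."""
    def __reduce__(self):
        return (setattr, (ModuleRef("sys"), "pickle_demo_ran", MARK))


def attacker_cookie():
    """What a client can send: base64 of a pickle it built itself."""
    return base64.b64encode(pickle.dumps(Payload(), protocol=2)).decode("ascii")


def vulnerable_read_cookie(cookie_value):
    """The vulnerable pattern: trust the client's bytes to be 'our' pickle."""
    return pickle.loads(base64.b64decode(cookie_value))


# ---- hardened form (an assumption, not the project's actual fix) ----
SECRET = b"constructed per-deployment secret"  # must be identical on every instance


def safe_write_cookie(messages, secret=SECRET):
    """Data-only format (JSON) plus an HMAC over it; JSON cannot carry a callable."""
    body = json.dumps(messages, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + body).decode("ascii")


def safe_read_cookie(cookie_value, secret=SECRET):
    """Returns the list of messages, or None for anything malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    mac, body = raw[:32], raw[32:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        messages = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    return messages if isinstance(messages, list) else None


def demonstrate():
    """Feeds the same attacker cookie to both readers and reports what ran."""
    cookie = attacker_cookie()
    sys.__dict__.pop("pickle_demo_ran", None)
    vulnerable_result = vulnerable_read_cookie(cookie)  # setattr() returns None
    ran_in_vulnerable = sys.__dict__.pop("pickle_demo_ran", None)
    safe_result = safe_read_cookie(cookie)
    ran_in_safe = sys.__dict__.pop("pickle_demo_ran", None)
    return {
        "vulnerable_result": vulnerable_result,
        "vulnerable_executed": ran_in_vulnerable,  # MARK: the payload ran
        "safe_result": safe_result,                # None: rejected before parsing
        "safe_executed": ran_in_safe,              # None: nothing ran
    }


if __name__ == "__main__":
    print(demonstrate())
    good = safe_write_cookie([{"message": "Changes saved.", "type": "info"}])
    print(safe_read_cookie(good))
    # A cookie signed by an instance with a different secret is rejected.
    print(safe_read_cookie(safe_write_cookie(["x"], secret=b"other instance")))
```

Two caveats a practitioner would apply to any signed-cookie scheme of this kind: the secret must be identical on every instance that can receive the cookie (behind a load balancer, a redirect may land on a different Zope process than the one that set it, and a per-instance key will make verification fail there), and the signed body is still visible to the client, so it should carry only what the browser may see. Verification happens before any parsing of the body, which is what keeps a forged or malformed cookie from reaching code that interprets it.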

Affected versions

  • Plone 2.5 up to and including 2.5.4
  • Plone 3.0 up to and including 3.0.2

These fixes will be included in the 2.5.5 and 3.0.3 releases; once you have upgraded to one of those releases, this hotfix can be removed.

Installing the hotfix

If a fixed Plone release is not available by the time you read this, or you cannot upgrade your Plone, you can install Plone Hotfix 2007-11-06. The hotfix is installed like any other Zope product:

  • Extract it into the Products directory of your Zope instance
  • Restart Zope
  • Verify that the hotfix is listed in the product management page in the Zope Control Panel

Reported incidents

No incidents of this happening to sites in the wild have been reported.

hotfix20071106 vs. statusmessages2.0.2

Posted by Beat Keller at Nov 06, 2007 11:58 AM
statusmessages2.0.2 = "Serious security fix release. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5741 for the details."
Should it be installed in addition to hotfix20071106?

Re: hotfix20071106 vs. statusmessages2.0.2

Posted by Wichert Akkerman at Nov 06, 2007 12:08 PM
Either works - they contain the same changes. statusmessage 2.0.2 is the new version of statusmessage which will be included in Plone 2.5.5.

For Plone 3.0.3 the required changes are in both statusmessage and plone.app.linkintegrity.

Plone 2.5.5

Posted by Benjamin Carstens at Nov 22, 2007 01:00 PM
Does anyone know when Plone 2.5.5 will be released?
I always thought it'd be around the same time as 3.0.3

Hotfix caused an Apache 502 error

Posted by Edmund Moseley at Nov 07, 2007 05:39 PM
After installing the security hotfix, I started getting an Apache 502 bad gateway error. I narrowed it down to a controller python script which was using state.setNextAction(next_action). When I remove the Hotfix, it works fine again. Any ideas?

Re: Hotfix caused an Apache 502 error

Posted by Martijn Pieters at Nov 07, 2007 09:14 PM
No ideas here. Can you narrow it down further and report a bug at https://dev.plone.org/plone?

Re: Hotfix caused an Apache 502 error

Posted by Edmund Moseley at Nov 08, 2007 05:04 PM
I am trying to create a simple example to recreate my issue, but falling short. One thing to note is that I do not get any error when I run the same process without Apache, but continue to get:
"""Bad Gateway
The proxy server received an invalid response from an upstream server.""", when run behind Apache. Without the hotfix, it works with and without Apache. I will try and figure out if I have just done something silly in my code.

Re: Hotfix caused an Apache 502 error (solved)

Posted by Erico Andrei at Nov 09, 2007 02:24 PM
I faced the same problem using a Plone 3.0.2 w/ this hotfix being served behind an Apache 2.2 (VirtualHost, Proxy and Rewrite Rules).
Looking at http://dev.plone.org I've found this similar problem "Plone Hotfix 20071106 breaks long status messages (depends on browser behavior)" documented and closed at http://dev.plone.org/plone/ticket/7325 .
Applied this patch and everything is running again.

Thanks

Posted by Edmund Moseley at Nov 09, 2007 03:05 PM
Thanks erico_andrei,
this did the trick.

Updated hotfix

Posted by Martijn Pieters at Nov 17, 2007 09:35 AM
The hotfix has been updated (version 20071106-2) and includes a fix for the 502 problem.

Strange behaviour with zeo

Posted by Georg Gogo. BERNHARD at Oct 31, 2008 10:33 AM
I have encountered strange behaviour of this hotfix in a load-balanced zeo environment. Even with a shared temp_folder the decoding of cookies went wrong if a redirect hit another zope instance than the initial request that created the "statusmessages" cookie. Unfortunately I could not reproduce this behaviour outside a load-balanced zeo environment.