r2689 - in zope2.12/trunk/debian (3 files)

arnau at users.alioth.debian.org
Sat Nov 24 06:02:27 UTC 2012


    Date: Saturday, November 24, 2012 @ 06:02:26
  Author: arnau
Revision: 2689

Fix Attempting to access a view with no name returns an internal data structure (CVE-2012-5505).

Added:
  zope2.12/trunk/debian/patches/CVE-2012-5505.patch
Modified:
  zope2.12/trunk/debian/changelog
  zope2.12/trunk/debian/patches/series

Modified: zope2.12/trunk/debian/changelog
===================================================================
--- zope2.12/trunk/debian/changelog	2012-11-24 06:00:40 UTC (rev 2688)
+++ zope2.12/trunk/debian/changelog	2012-11-24 06:02:26 UTC (rev 2689)
@@ -6,6 +6,9 @@
     + Fix PRNG which wasn't reseeded (CVE-2012-5508).
   * debian/patches/CVE-2012-5487.patch:
     + Fix Restricted Python sandbox escape (CVE-2012-5487).
+  * debian/patches/CVE-2012-5505.patch:
+    + Fix Attempting to access a view with no name returns an internal
+      data structure (CVE-2012-5505).
   * debian/control:
     + Bump zope.common required version as the debconf template
       has been updated to fix #656552.
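
Review bot: the new changelog entry, like the two above it, names the symptom rather than the change, and "Fix Attempting to access a view with no name returns ..." reads awkwardly. Stating the behaviour change, for example "Raise TraversalError when a view is traversed with an empty name (CVE-2012-5505)", would tell someone reading the changelog what the patch does without opening it.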

Added: zope2.12/trunk/debian/patches/CVE-2012-5505.patch
===================================================================
--- zope2.12/trunk/debian/patches/CVE-2012-5505.patch	                        (rev 0)
+++ zope2.12/trunk/debian/patches/CVE-2012-5505.patch	2012-11-24 06:02:26 UTC (rev 2689)
@@ -0,0 +1,23 @@
+Index: zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py
+===================================================================
+--- zope2.12-2.12.26.orig/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-22 19:00:29.000000000 +0900
++++ zope2.12-2.12.26/source/zope.traversing/src/zope/traversing/namespace.py	2012-11-24 13:16:40.229707666 +0900
+@@ -31,7 +31,7 @@
+ from zope.traversing.interfaces import IEtcNamespace
+ from zope.traversing.interfaces import IPathAdapter
+ from zope.traversing.interfaces import ITraversable
+-
++from zope.traversing.interfaces import TraversalError
+ 
+ class UnexpectedParameters(LocationError):
+     "Unexpected namespace parameters were provided."
+@@ -325,6 +325,9 @@
+         self.request = request
+ 
+     def traverse(self, name, ignored):
++        if not name:
++            raise TraversalError(self.context, name)
++
+         view = zope.component.queryMultiAdapter((self.context, self.request),
+                                                 name=name)
+         if view is None:
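
Review bot: the added patch file begins directly at the `Index:` line with no header, so nothing in the file itself records what it fixes or where the change came from. A short description naming CVE-2012-5505 and the origin of the fix above `Index:` would keep that context with the patch. In `traverse`, the `if not name:` guard rejects every falsy name (empty string and `None` alike) before `queryMultiAdapter` is called, which is the intended fail-closed behaviour, but the patch touches only `namespace.py` and adds no test for the empty-name case, so a later refresh of this patch could drop the guard unnoticed. Minor style point in the import hunk: the new `TraversalError` import replaces one of the two blank lines before `class UnexpectedParameters`, leaving a single blank line between the imports and the class.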

Modified: zope2.12/trunk/debian/patches/series
===================================================================
--- zope2.12/trunk/debian/patches/series	2012-11-24 06:00:40 UTC (rev 2688)
+++ zope2.12/trunk/debian/patches/series	2012-11-24 06:02:26 UTC (rev 2689)
@@ -4,3 +4,4 @@
 Zope2-deb_zopeconf.patch
 ZODB3-fix_shebang.patch
 CVE-2012-5487.patch
+CVE-2012-5505.patch



