Debian Bug report logs - #593466
zope-ldapuserfolder: Fails to check password for emergency user

Package: zope-ldapuserfolder; Maintainer for zope-ldapuserfolder is (unknown);

Reported by: Jeremy James <>

Date: Wed, 18 Aug 2010 13:09:01 UTC

Severity: grave

Tags: security

Found in version zope-ldapuserfolder/2.9-1

Fixed in version zope-ldapuserfolder/2.9-1+lenny1

Done: Sebastien Delafond <>

Bug is archived. No further changes may be made.

Report forwarded to,,, Mark Hymers <>:
Bug#593466; Package zope-ldapuserfolder. (Wed, 18 Aug 2010 13:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeremy James <>:
New Bug report received and forwarded. Copy sent to,, Mark Hymers <>. (Wed, 18 Aug 2010 13:09:04 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Jeremy James <>
To: Debian Bug Tracking System <>
Subject: zope-ldapuserfolder: Fails to check password for emergency user
Date: Wed, 18 Aug 2010 13:59:05 +0100
Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole

When an LDAP user folder is enabled, any password is accepted when attempting to log in
as the emergency user (that is, the one defined in the 'access' file using

/usr/share/zope/Products/LDAPUserFolder/ fails to check the password is
correct, leading to the above security issue. Patch should be:

---      2010-08-18 12:58:18.000000000 +0100
+++     2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@
         if not name:
             return None

-        if super and name == super.getUserName():
+        if super and name == super.getUserName() and super.authenticate(password, request):
             user = super
             user = self.getUser(name, password)
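Review bot: the hunk header `@@ -800,7 +800,7 @@` declares seven lines on each side but only six are shown, so one line between `user = super` and `user = self.getUser(name, password)` (presumably the `else:` that makes the LDAP lookup the fallback branch) is missing from the posted patch and it will not apply as-is; please repost with the full context. The change itself is correct in intent: the old condition selected the emergency user on a name match alone, and adding `super.authenticate(password, request)` makes the password mandatory. Two small follow-ups: the new line is well over 79 characters and reads better split across two lines, and it is worth stating explicitly (in the commit message or a comment) that a wrong password for the emergency user's name now falls through to the LDAP lookup rather than returning `None` outright, since that fallback is the behaviour the fix relies on.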

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages zope-ldapuserfolder depends on:
ii  python-ldap                 2.3.5-1      An LDAP interface module for Pytho
ii  zope-common                 0.5.45       common settings and scripts for Zo
ii  zope2.9                     2.9.6-4etch2 Open Source Web Application Server

zope-ldapuserfolder recommends no packages.

zope-ldapuserfolder suggests no packages.

-- no debconf information
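The bypass described in this report, modelled as an added example (this is not code from zope-ldapuserfolder or from the reporter). `EmergencyUser`, `LDAPUserFolderModel`, `LDAP_DIRECTORY` and the two `authenticate_*` methods are constructed stand-ins for Zope's emergency ("super") user and for the user folder's `authenticate` method; the vulnerable method reproduces the shape of the original code, in which a name match alone selects the emergency user, and the fixed method adds the password check the patch introduces.

```python
"""Model of the emergency-user authentication bypass and its fix.

Constructed example: simplified stand-ins for Zope's emergency user
(defined in the 'access' file) and for LDAPUserFolder.authenticate().
All class, function and data names here are assumptions for illustration.
"""
import hashlib
import hmac
from typing import Optional, Union


class EmergencyUser:
    """Stand-in for the emergency user read from the 'access' file."""

    def __init__(self, name: str, password: str) -> None:
        self._name = name
        # Keep only a digest, as a password file would.
        self._digest = hashlib.sha256(password.encode()).digest()

    def getUserName(self) -> str:
        return self._name

    def authenticate(self, password: str, request: object = None) -> bool:
        """Constant-time comparison of the supplied password's digest."""
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(candidate, self._digest)


# Constructed directory standing in for the LDAP server: name -> password.
LDAP_DIRECTORY = {"alice": "alice-secret"}


class LDAPUserFolderModel:
    """Minimal model of the user folder's authenticate() lookup order."""

    def __init__(self, super_user: Optional[EmergencyUser]) -> None:
        self.super_user = super_user

    def getUser(self, name: str, password: str) -> Optional[str]:
        """Stand-in for the LDAP bind: returns the name only on a match."""
        stored = LDAP_DIRECTORY.get(name)
        if stored is not None and hmac.compare_digest(
                stored.encode(), password.encode()):
            return name
        return None

    def authenticate_vulnerable(self, name: str, password: str,
                                request: object = None
                                ) -> Optional[Union[EmergencyUser, str]]:
        """Shape of the original code: the name alone selects super."""
        if not name:
            return None
        super_ = self.super_user
        if super_ and name == super_.getUserName():
            return super_  # password is never checked here
        return self.getUser(name, password)

    def authenticate_fixed(self, name: str, password: str,
                           request: object = None
                           ) -> Optional[Union[EmergencyUser, str]]:
        """Shape of the patched code: super must also authenticate."""
        if not name:
            return None
        super_ = self.super_user
        if (super_ and name == super_.getUserName()
                and super_.authenticate(password, request)):
            return super_
        # A failed emergency-user password falls through to the LDAP lookup,
        # which only succeeds for a matching LDAP name and password.
        return self.getUser(name, password)


if __name__ == "__main__":
    folder = LDAPUserFolderModel(EmergencyUser("admin", "correct-horse"))
    print("vulnerable, wrong password:",
          folder.authenticate_vulnerable("admin", "wrong") is folder.super_user)
    print("fixed, wrong password:",
          folder.authenticate_fixed("admin", "wrong") is None)
```

Run stand-alone, the script shows the vulnerable path accepting an arbitrary password for the emergency user's name while the fixed path rejects it; ordinary LDAP users are unaffected by either version because they never take the emergency-user branch.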

Reply sent to Sebastien Delafond <>:
You have taken responsibility. (Wed, 25 Aug 2010 08:03:06 GMT) Full text and rfc822 format available.

Notification sent to Jeremy James <>:
Bug acknowledged by developer. (Wed, 25 Aug 2010 08:03:06 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Sebastien Delafond <>
Subject: Bug#593466: fixed in zope-ldapuserfolder 2.9-1+lenny1
Date: Wed, 25 Aug 2010 07:59:52 +0000
Source: zope-ldapuserfolder
Source-Version: 2.9-1+lenny1

We believe that the bug you reported is fixed in the latest version of
zope-ldapuserfolder, which is due to be installed in the Debian FTP archive:

  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Sebastien Delafond <> (supplier of updated zope-ldapuserfolder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Fri, 20 Aug 2010 15:33:32 +0200
Source: zope-ldapuserfolder
Binary: zope-ldapuserfolder
Architecture: source all
Version: 2.9-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Mark Hymers <>
Changed-By: Sebastien Delafond <>
 zope-ldapuserfolder - LDAP user and group source for Zope/Plone
Closes: 593466
 zope-ldapuserfolder (2.9-1+lenny1) stable-security; urgency=high
   * Fix authentication bypass problem (Closes: #593466).
 b4253325654b835f42f7b82e7384973e88470afa 1122 zope-ldapuserfolder_2.9-1+lenny1.dsc
 0071cbd5408822733be7c05bbb9ca8a08799eb6e 106677 zope-ldapuserfolder_2.9.orig.tar.gz
 b637534b048563fe71a979699115b183dce9cf42 2635 zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 1d4169077ab0260e940e4b302750de2b95bf5de6 110686 zope-ldapuserfolder_2.9-1+lenny1_all.deb
 2815a1c50c17c367b2a0e8657d0a14e2bbf894728ea30d4d3595e7bc0c6b4c1e 1122 zope-ldapuserfolder_2.9-1+lenny1.dsc
 ed2bd11dff772e9730bea679b860365d3d86c0e5b7c82c1449920362eca485aa 106677 zope-ldapuserfolder_2.9.orig.tar.gz
 b4b7e50c7e60a9037a52a7771c1e575039312c3d350b40516386ddace2c7c7eb 2635 zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 079d462e9cf904c1451fe82c2b4044c0e346556c965727d8b7a223a307f8dd49 110686 zope-ldapuserfolder_2.9-1+lenny1_all.deb
 65bc92834fb17c525b9c5a43589a05e6 1122 web extra zope-ldapuserfolder_2.9-1+lenny1.dsc
 c380401e4de43c4aa5aad8c7af104ac5 106677 web extra zope-ldapuserfolder_2.9.orig.tar.gz
 fdfc884244f970d77f3da18a638a135c 2635 web extra zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 44db774a6142e62e71ac0e0cb9e6fafa 110686 web extra zope-ldapuserfolder_2.9-1+lenny1_all.deb


Bug archived. Request was from Debbugs Internal Request <> to (Sun, 03 Oct 2010 07:40:40 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <>. Last modified: Sun Apr 20 19:19:47 2014; Machine Name:
