Debian Bug report logs - #593466
zope-ldapuserfolder: Fails to check password for emergency user


Package: zope-ldapuserfolder; Maintainer for zope-ldapuserfolder is (unknown);

Reported by: Jeremy James <jbj@forbidden.co.uk>

Date: Wed, 18 Aug 2010 13:09:01 UTC

Severity: grave

Tags: security

Found in version zope-ldapuserfolder/2.9-1

Fixed in version zope-ldapuserfolder/2.9-1+lenny1

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hymers <mhy@debian.org>:
Bug#593466; Package zope-ldapuserfolder. (Wed, 18 Aug 2010 13:09:04 GMT)

Acknowledgement sent to Jeremy James <jbj@forbidden.co.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hymers <mhy@debian.org>. (Wed, 18 Aug 2010 13:09:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Jeremy James <jbj@forbidden.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zope-ldapuserfolder: Fails to check password for emergency user
Date: Wed, 18 Aug 2010 13:59:05 +0100
Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole


When an LDAP user folder is enabled, any password is accepted when attempting to log in
as the emergency user (that is, the one defined in the 'access' file using zpasswd.py).

/usr/share/zope/Products/LDAPUserFolder/LDAPUserFolder.py fails to check that the password is
correct, leading to the above security issue. Patch should be:

--- LDAPUserFolder.py.orig      2010-08-18 12:58:18.000000000 +0100
+++ LDAPUserFolder.py.fixed     2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@
         if not name:
             return None

-        if super and name == super.getUserName():
+        if super and name == super.getUserName() and super.authenticate(password, request):
             user = super
         else:
             user = self.getUser(name, password)
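Review bot: in the `+` line the emergency-user branch now requires `super.authenticate(password, request)`, but when that call returns false the `if` is skipped and control reaches the `else` branch, so a failed emergency login is retried as `self.getUser(name, password)` against LDAP under the emergency user's name. If the emergency user is meant to live only in the local `access` file, consider returning `None` explicitly when the name matches but authentication fails, so the two account sources stay separate. Also confirm that `request` is bound in this method; the hunk does not show the signature.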

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages zope-ldapuserfolder depends on:
ii  python-ldap                 2.3.5-1      An LDAP interface module for Pytho
ii  zope-common                 0.5.45       common settings and scripts for Zo
ii  zope2.9                     2.9.6-4etch2 Open Source Web Application Server

zope-ldapuserfolder recommends no packages.

zope-ldapuserfolder suggests no packages.

-- no debconf information
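As an added illustration that is not part of the bug report or of the LDAPUserFolder code, the model below reproduces the control-flow error described above and the patched check in plain Python; `EmergencyUser`, `LDAPUserFolderModel` and the `{SHA}` access-file encoding are assumptions standing in for Zope's own classes.

```python
import base64
import hashlib

# Constructed model of a Zope LDAP user folder's emergency-user check, illustrating
# Debian bug #593466 (CVE-2010-2944). Not LDAPUserFolder's own code; class names
# and the {SHA} access-file encoding are assumptions.

def sha_encode(password):
    """Encode a password as an access-file {SHA} entry (assumed zpasswd.py format)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

class EmergencyUser:
    """Stand-in for the user defined in the 'access' file via zpasswd.py."""
    def __init__(self, name, encoded_password):
        self._name, self._encoded = name, encoded_password

    def getUserName(self):
        return self._name

    def authenticate(self, password, request=None):
        return sha_encode(password) == self._encoded

class LDAPUserFolderModel:
    def __init__(self, emergency_user, directory):
        self._super = emergency_user
        self._directory = directory  # {name: password}; stands in for the LDAP bind

    def getUser(self, name, password):
        # Stand-in for the LDAP lookup; returns the name on success, else None.
        return name if self._directory.get(name) == password else None

    def authenticate(self, name, password, request=None, fixed=True):
        super_ = self._super
        if not name:
            return None
        # Before the fix the condition ended at getUserName(): any password for that name passed.
        if super_ and name == super_.getUserName() and (not fixed or super_.authenticate(password, request)):
            return super_
        # As in the Debian patch, anything else falls through to the directory lookup.
        return self.getUser(name, password)

def demo():
    folder = LDAPUserFolderModel(
        EmergencyUser("emergency", sha_encode("correct horse")), {"alice": "wonderland"})
    return {
        "vulnerable_any_password": folder.authenticate("emergency", "wrong", fixed=False) is not None,
        "fixed_wrong_password": folder.authenticate("emergency", "wrong") is not None,
        "fixed_right_password": folder.authenticate("emergency", "correct horse") is not None,
        "ldap_user_unaffected": folder.authenticate("alice", "wonderland") == "alice",
    }
```

Running `demo()` shows the pre-fix path accepting the emergency user's name with an arbitrary password while the patched path rejects it, and that ordinary directory users are unaffected either way.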




Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Wed, 25 Aug 2010 08:03:06 GMT)

Notification sent to Jeremy James <jbj@forbidden.co.uk>:
Bug acknowledged by developer. (Wed, 25 Aug 2010 08:03:06 GMT)

Message #10 received at 593466-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 593466-close@bugs.debian.org
Subject: Bug#593466: fixed in zope-ldapuserfolder 2.9-1+lenny1
Date: Wed, 25 Aug 2010 07:59:52 +0000
Source: zope-ldapuserfolder
Source-Version: 2.9-1+lenny1

We believe that the bug you reported is fixed in the latest version of
zope-ldapuserfolder, which is due to be installed in the Debian FTP archive:

zope-ldapuserfolder_2.9-1+lenny1.diff.gz
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz
zope-ldapuserfolder_2.9-1+lenny1.dsc
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc
zope-ldapuserfolder_2.9-1+lenny1_all.deb
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated zope-ldapuserfolder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 20 Aug 2010 15:33:32 +0200
Source: zope-ldapuserfolder
Binary: zope-ldapuserfolder
Architecture: source all
Version: 2.9-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Mark Hymers <mhy@debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 zope-ldapuserfolder - LDAP user and group source for Zope/Plone
Closes: 593466
Changes: 
 zope-ldapuserfolder (2.9-1+lenny1) stable-security; urgency=high
 .
   * Fix authentication bypass problem (Closes: #593466).
     CVE-2010-2944.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Oct 2010 07:40:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:19:47 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.