--On 12. August 2008 16:05:47 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

--On 12. August 2008 14:16:44 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

*sigh* I wish that both exploits had been reported to the Zope bugtracker in order to work on solutions before making the exploits public.

--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]> wrote:

Hello,

1. Attack: Put this into a "Script (Python)" object and run it:

    return 'kaboom'.encode('test.testall')

This results in a denial-of-service, since Zope will hang running the Python test suite. The reason for this is a problem in the way the encoding search function works in Python 2.4. This was changed in 2.5 to no longer allow searching for codecs outside the encodings package.

That's pretty obscure behavior of Python 2.4...anyway.

The followup for this issue is also on Launchpad, including a possible solution:

<https://bugs.launchpad.net/zope2/+bug/257276>

The patches/monkey patches for both issues need review and testing. I am now working on a security advisory. For the hotfixes and testing I definitely need help, since I am on the road for the rest of the week, pretty busy, and with limited network connectivity.
I created a preliminary hotfix:

<http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view>

After a rough test, it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. That's all I can do for now - please test and improve the hotfix if needed.

Thanks,
Andreas
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
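
Added example, not part of the thread and not the code of the hotfix or of the Launchpad patch: one way to keep an untrusted encoding name from ever reaching the codec search function is to check it against the codecs shipped in the standard `encodings` package before calling `encode`. The names `check_encoding`, `safe_encode`, `ALLOWED` and `EncodingNotAllowed` are hypothetical, and the sketch is written for Python 3 rather than the Python 2.4 discussed above.

```python
import encodings
import pkgutil
import re
from encodings import aliases

# Codec names only: no dots or path separators that an import-based
# codec search could treat as a module path.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_ -]{0,39}")


class EncodingNotAllowed(LookupError):
    """Raised before the codec registry is consulted."""


def _known_codecs():
    # List the modules inside the stdlib ``encodings`` package without
    # importing any of them, then add the aliases that point at them.
    modules = {m.name for m in pkgutil.iter_modules(encodings.__path__)}
    modules.discard("aliases")
    names = set(modules)
    names.update(a for a, target in aliases.aliases.items() if target in modules)
    return frozenset(names)


ALLOWED = _known_codecs()


def check_encoding(name):
    """Return the normalized codec name, or raise EncodingNotAllowed."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise EncodingNotAllowed("malformed encoding name: %r" % (name,))
    key = name.lower().replace("-", "_").replace(" ", "_")
    if key not in ALLOWED:
        raise EncodingNotAllowed("encoding not in allowlist: %r" % (name,))
    return key


def safe_encode(text, encoding="utf-8", errors="strict"):
    """Hypothetical wrapper a sandbox could expose instead of str.encode."""
    return text.encode(check_encoding(encoding), errors)


if __name__ == "__main__":
    # Constructed inputs: an ordinary codec, the name from the report,
    # and a top-level module name that is not a codec.
    for candidate in ("UTF-8", "test.testall", "os"):
        try:
            print(candidate, "->", safe_encode("kaboom", candidate))
        except EncodingNotAllowed as exc:
            print(candidate, "-> rejected:", exc)
```

The allowlist also contains the bytes-to-bytes codecs in the package (for example `zlib_codec`); a sandbox would normally replace `ALLOWED` with a short explicit set of text encodings.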