Jeremy James
2010-Aug-18 12:59 UTC
[Secure-testing-team] Bug#593466: zope-ldapuserfolder: Fails to check password for emergency user
Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole

When an LDAP user folder is enabled, any password is accepted when attempting to log in as the emergency user (that is, the one defined in the 'access' file using zpasswd.py). /usr/share/zope/Products/LDAPUserFolder/LDAPUserFolder.py fails to check the password is correct, leading to the above security issue.

Patch should be:

--- LDAPUserFolder.py.orig 2010-08-18 12:58:18.000000000 +0100
+++ LDAPUserFolder.py.fixed 2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@ if not name: return None - if super and name == super.getUserName(): + if super and name == super.getUserName() and super.authenticate(password, request): user = super else: user = self.getUser(name, password)

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages zope-ldapuserfolder depends on:
ii  python-ldap    2.3.5-1       An LDAP interface module for Pytho
ii  zope-common    0.5.45        common settings and scripts for Zo
ii  zope2.9        2.9.6-4etch2  Open Source Web Application Server

zope-ldapuserfolder recommends no packages.

zope-ldapuserfolder suggests no packages.

-- no debconf information
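Review bot: With the added `super.authenticate(password, request)` condition on the changed line, a login attempt using the emergency user's name with a wrong password no longer short-circuits; it falls through to the `else` branch and is handed to `self.getUser(name, password)`, so the emergency account name gets looked up in LDAP whenever its password fails. If that is not intended, reject explicitly instead, for example by keeping `if super and name == super.getUserName():` and inside it setting `user = super if super.authenticate(password, request) else None`. Also confirm that `request` is in scope at this point in the method, since the hunk's context lines do not show the signature.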
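A constructed Python model of the check this report describes, added here and not code from zope-ldapuserfolder or the reporter: the emergency-user branch before and after the patch, with a stand-in emergency user and LDAP lookup so the bypass and the fix can be verified offline. `EmergencyUser`, `ldap_lookup`, `authenticate_vulnerable` and `authenticate_fixed` are assumed names, and `emergency` plays the role of the `super` variable in the patch.

```python
# Added example, not code from zope-ldapuserfolder: a constructed model of the
# emergency-user branch of LDAPUserFolder.authenticate() before and after the
# reported patch. All names here are assumptions; `emergency` stands in for
# the `super` variable in the patch.
import hmac


class EmergencyUser:
    """Stand-in for the emergency user defined in the 'access' file."""

    def __init__(self, name, password):
        self._name = name
        self._password = password

    def getUserName(self):
        return self._name

    def authenticate(self, password, request=None):
        # Constant-time comparison of the supplied password with the stored one.
        return hmac.compare_digest(self._password, password)


def ldap_lookup(name, password):
    """Stand-in for self.getUser(name, password): a constructed LDAP backend.
    Returns the user name on success, None when the credentials do not match."""
    directory = {"alice": "alice-pw"}  # constructed directory contents
    return name if directory.get(name) == password else None


def authenticate_vulnerable(name, password, emergency, request=None):
    """Unpatched logic: matching the emergency user's name is enough to log in."""
    if not name:
        return None
    if emergency and name == emergency.getUserName():
        return emergency.getUserName()  # password never checked
    return ldap_lookup(name, password)


def authenticate_fixed(name, password, emergency, request=None):
    """Patched logic: the emergency user must also pass authenticate()."""
    if not name:
        return None
    if (emergency and name == emergency.getUserName()
            and emergency.authenticate(password, request)):
        return emergency.getUserName()
    # A wrong emergency password falls through to the LDAP lookup, as in the patch.
    return ldap_lookup(name, password)
```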