
Bug#926439: unblock: tryton-server/5.0.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tryton-server

This version fixes CVE-2019-10868.

debdiff attached.

unblock tryton-server/5.0.4-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru tryton-server-5.0.4/debian/changelog tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog	2019-01-23 16:06:18.000000000 +0100
+++ tryton-server-5.0.4/debian/changelog	2019-04-03 17:29:15.000000000 +0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+  * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+    for CVE-2019-10868.
+    This patch fixes security issue http://bugs.tryton.org/issue8189:
+     Check read access on field in search_order.
+     An authenticated user can order records based on a field for which
+     he has no access right. This may allow the user to guess values.
+     See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle <mathiasb@m9s.biz>  Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
   * Add more configuration parameters to trytond.conf.
diff -Nru tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch	1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch	2019-04-03 17:16:42.000000000 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60 
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
++++ tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+         ModelAccess.check(cls.__name__, 'read')
+ 
+-        def check(domain, cls, to_check):
++        def check_domain(domain, cls, to_check):
+             if is_leaf(domain):
+                 local, relate = (domain[0].split('.', 1) + [None])[:2]
+                 to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+                     else:
+                         target = cls._fields[local].get_target()
+                     target_domain = [(relate,) + tuple(domain[1:])]
+-                    check(target_domain, target, to_check)
++                    check_domain(target_domain, target, to_check)
+             elif not domain:
+                 return
+             else:
+                 i = 1 if domain[0] in ['OR', 'AND'] else 0
+                 for d in domain[i:]:
+-                    check(d, cls, to_check)
++                    check_domain(d, cls, to_check)
++
++        def check_order(order, cls, to_check):
++            if not order:
++                return
++            for oexpr, otype in order:
++                local, _, relate = oexpr.partition('.')
++                to_check[cls.__name__].add(local)
++                if relate:
++                    target = cls._fields[local].get_target()
++                    target_order = [(relate, otype)]
++                    check_order(target_order, target, to_check)
++
+         if transaction.user and transaction.context.get('_check_access'):
+             to_check = defaultdict(set)
+-            check(domain, cls, to_check)
++            check_domain(domain, cls, to_check)
++            check_order(order, cls, to_check)
+             for name, fields_names in to_check.items():
+                 ModelAccess.check(name, 'read')
+                 ModelFieldAccess.check(name, fields_names, 'read')
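Review bot: in the new `check_order`, `cls._fields[local].get_target()` is called unconditionally whenever the order expression contains a dot, whereas `check_domain` reaches its own `get_target()` call only through an `else:` branch whose matching `if` sits in the context elided between the two inner hunks (lines 402-404 of modelstorage.py). An order expression naming a non-relational field with a dotted suffix would therefore raise an `AttributeError` from inside the access check rather than take whatever path the domain check takes; either mirror the guard used in `check_domain` before `target = cls._fields[local].get_target()` in `check_order`, or state in the patch header that upstream changeset b2fab24f9c60 is applied verbatim and the difference is intentional. A minor style point: the `Origin:` header line ends with a trailing space after the changeset URL.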
diff -Nru tryton-server-5.0.4/debian/patches/series tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series	2019-01-23 16:06:17.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/series	2019-04-03 17:11:53.000000000 +0200
@@ -1,2 +1,3 @@
 01_migrate_obsolete_modules.patch
 02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch
