Bug#926439: unblock: tryton-server/5.0.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package tryton-server
This version fixes CVE-2019-10868 (upstream issue8189: missing read-access check on fields used in a search order, which let an authenticated user infer values of fields they may not read).
debdiff attached.
unblock tryton-server/5.0.4-2
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog 2019-01-23 16:06:18.000000000 +0100
+++ tryton-server-5.0.4/debian/changelog 2019-04-03 17:29:15.000000000 +0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+ * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+ for CVE-2019-10868.
+ This patch fixes security issue http://bugs.tryton.org/issue8189:
+ Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+ See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle <mathiasb@m9s.biz> Wed, 03 Apr 2019 17:29:15 +0200
+
tryton-server (5.0.4-1) unstable; urgency=medium
* Add more configuration parameters to trytond.conf.
diff -Nru tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 2019-04-03 17:16:42.000000000 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
++++ tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+
+ ModelAccess.check(cls.__name__, 'read')
+
+- def check(domain, cls, to_check):
++ def check_domain(domain, cls, to_check):
+ if is_leaf(domain):
+ local, relate = (domain[0].split('.', 1) + [None])[:2]
+ to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+ else:
+ target = cls._fields[local].get_target()
+ target_domain = [(relate,) + tuple(domain[1:])]
+- check(target_domain, target, to_check)
++ check_domain(target_domain, target, to_check)
+ elif not domain:
+ return
+ else:
+ i = 1 if domain[0] in ['OR', 'AND'] else 0
+ for d in domain[i:]:
+- check(d, cls, to_check)
++ check_domain(d, cls, to_check)
++
++ def check_order(order, cls, to_check):
++ if not order:
++ return
++ for oexpr, otype in order:
++ local, _, relate = oexpr.partition('.')
++ to_check[cls.__name__].add(local)
++ if relate:
++ target = cls._fields[local].get_target()
++ target_order = [(relate, otype)]
++ check_order(target_order, target, to_check)
++
+ if transaction.user and transaction.context.get('_check_access'):
+ to_check = defaultdict(set)
+- check(domain, cls, to_check)
++ check_domain(domain, cls, to_check)
++ check_order(order, cls, to_check)
+ for name, fields_names in to_check.items():
+ ModelAccess.check(name, 'read')
+ ModelFieldAccess.check(name, fields_names, 'read')
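Review bot: `check_order` indexes `cls._fields[local]` and calls `get_target()` without confirming that `local` names an existing relational field, so a user-supplied order such as `('name.x', 'ASC')` on a non-relational field raises AttributeError (or KeyError for an unknown field name) instead of an access error. Raising there fails closed, which is acceptable for a security fix and mirrors the same assumption `check_domain` makes on its `get_target()` line, but it deserves a comment, e.g. `# Unknown or non-relational fields raise here; intentional, fail closed.` The enclosing method starts before and continues after this hunk, so whether `order` is validated before this point is not visible here. Note also that the check runs only when `transaction.context['_check_access']` is set, so any internal caller building `order` from user input without that flag is presumably not covered — worth confirming against the RPC entry points.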
diff -Nru tryton-server-5.0.4/debian/patches/series tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series 2019-01-23 16:06:17.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/series 2019-04-03 17:11:53.000000000 +0200
@@ -1,2 +1,3 @@
01_migrate_obsolete_modules.patch
02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch