
Bug#926439: marked as done (unblock: tryton-server/5.0.4-2)



Your message dated Fri, 05 Apr 2019 14:36:19 +0000
with message-id <E1hCPx5-0003bd-Qo@respighi.debian.org>
and subject line unblock tryton-server
has caused the Debian Bug report #926439,
regarding unblock: tryton-server/5.0.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926439
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tryton-server

This version fixes CVE-2019-10868.

debdiff attached.

unblock tryton-server/5.0.4-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog	2019-01-23 16:06:18.000000000 +0100
+++ tryton-server-5.0.4/debian/changelog	2019-04-03 17:29:15.000000000 +0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+  * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+    for CVE-2019-10868.
+    This patch fixes security issue http://bugs.tryton.org/issue8189:
+     Check read access on field in search_order.
+     An authenticated user can order records based on a field for which
+     he has no access right. This may allow the user to guess values.
+     See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle <mathiasb@m9s.biz>  Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
   * Add more configuration parameters to trytond.conf.
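Review bot: the new changelog entry (from `+tryton-server (5.0.4-2) unstable; urgency=high` through the `See also https://discuss.tryton.org/...` line) references the upstream bug, the CVE and the upstream discussion, but carries no `Closes: #NNNNNN`; if a Debian bug was filed for CVE-2019-10868, add it so the BTS closes it on upload. Minor style point: the description lines under `This patch fixes security issue ...` are indented one space deeper than the surrounding bullet text, which reads as a nested block in the changelog; aligning them with the `for CVE-2019-10868.` line would be more conventional.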
diff -Nru tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch	1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch	2019-04-03 17:16:42.000000000 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60 
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
++++ tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+         ModelAccess.check(cls.__name__, 'read')
+ 
+-        def check(domain, cls, to_check):
++        def check_domain(domain, cls, to_check):
+             if is_leaf(domain):
+                 local, relate = (domain[0].split('.', 1) + [None])[:2]
+                 to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+                     else:
+                         target = cls._fields[local].get_target()
+                     target_domain = [(relate,) + tuple(domain[1:])]
+-                    check(target_domain, target, to_check)
++                    check_domain(target_domain, target, to_check)
+             elif not domain:
+                 return
+             else:
+                 i = 1 if domain[0] in ['OR', 'AND'] else 0
+                 for d in domain[i:]:
+-                    check(d, cls, to_check)
++                    check_domain(d, cls, to_check)
++
++        def check_order(order, cls, to_check):
++            if not order:
++                return
++            for oexpr, otype in order:
++                local, _, relate = oexpr.partition('.')
++                to_check[cls.__name__].add(local)
++                if relate:
++                    target = cls._fields[local].get_target()
++                    target_order = [(relate, otype)]
++                    check_order(target_order, target, to_check)
++
+         if transaction.user and transaction.context.get('_check_access'):
+             to_check = defaultdict(set)
+-            check(domain, cls, to_check)
++            check_domain(domain, cls, to_check)
++            check_order(order, cls, to_check)
+             for name, fields_names in to_check.items():
+                 ModelAccess.check(name, 'read')
+                 ModelFieldAccess.check(name, fields_names, 'read')
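Review bot: `check_order` (from `+        def check_order(order, cls, to_check):` onward) indexes `cls._fields[local]` and calls `.get_target()` unconditionally, whereas the domain walker beside it guards that same call with an `if`/`else` (only the `else:` branch is visible in the `@@ -405,16 +405,29 @@` context), so an order expression naming an unknown field, or a dotted suffix on a field that has no `get_target()`, would surface from the access check as a `KeyError` or `AttributeError` rather than as a clean access error; confirm that `order` is validated before this point, or mirror the guard used in `check_domain`. The hunk also relies on `order` being in scope from the enclosing method, which the shown context does not include, so it is worth double-checking against the surrounding code in modelstorage.py when applying the patch. The rename of `check` to `check_domain` in the `@@ -395,7 +395,7 @@` region is purely mechanical and the `check_order(order, cls, to_check)` call is correctly placed inside the existing `_check_access` condition, so the new check is only applied when access checking is already active. Style: the `Origin:` header line ends with a trailing space, and the DEP-3 header lacks a `Bug-Debian:` field; add one if a Debian bug exists for this CVE.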
diff -Nru tryton-server-5.0.4/debian/patches/series tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series	2019-01-23 16:06:17.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/series	2019-04-03 17:11:53.000000000 +0200
@@ -1,2 +1,3 @@
 01_migrate_obsolete_modules.patch
 02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch

--- End Message ---
--- Begin Message ---
Unblocked tryton-server.

--- End Message ---
