Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tryton-server@packages.debian.org
Control: affects -1 + src:tryton-server
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Backport the patch to fix the vulnerability to zip bomb
attacks via decoded gzip content from unauthenticated users.
https://discuss.tryton.org/t/security-release-for-issue-13142/7196
In coordination with the security team it was classified as NO-DSA and
should rather be applied via bookworm-pu.
[ Impact ]
Without the patch any unauthenticated user could perform zip bomb
attacks against tryton-server.
[ Tests ]
The test suite completes without errors. The patch is now publicly
available and has been in use for 20 days.
[ Risks ]
The patch has minimal complexity and is from the upstream author,
who is generally very knowledgeable about his code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The upstream commit was added as a patch that allows gzip
compressed content only for authenticated users.
01_avoid_call_to_pypi.patch was refreshed to apply cleanly with no
further changes.
[ Other info ]
This patch also requires a patch for tryton-client in a separate upload
to prevent a regression of tryton-client when it tries to send gzipped
content without authentication.
--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
diff -Nru tryton-server-6.0.29/debian/changelog tryton-server-6.0.29/debian/changelog
--- tryton-server-6.0.29/debian/changelog 2023-08-21 17:10:12.000000000 +0200
+++ tryton-server-6.0.29/debian/changelog 2024-04-18 11:59:53.000000000 +0200
@@ -1,3 +1,13 @@
+tryton-server (6.0.29-2+deb12u2) bookworm; urgency=medium
+
+ * Add 03_deny_compressed_content_from_unauth_request.patch.
+ This patch fixes the vulnerabilty to zip bomb attacks via
+ decoded gzip content from unauthenticated users.
+ https://discuss.tryton.org/t/security-release-for-issue-13142/7196
+ * Refresh 01_avoid_call_to_pypi.patch.
+
+ -- Mathias Behrle <mathiasb@m9s.biz> Thu, 18 Apr 2024 11:59:53 +0200
+
tryton-server (6.0.29-2+deb12u1) bookworm-security; urgency=high
* Add 02_enforce_record_rules.patch.
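Review bot: the new changelog entry documents the patch but not its user-visible effect: after this upload, gzip-encoded bodies on unauthenticated requests are rejected, which is the tryton-client regression described under [ Other info ]. A sentence in this entry (or a debian/NEWS item) pointing at the companion tryton-client upload would tell users who hit the error where the fix is.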
diff -Nru tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch
--- tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch 2023-08-21 15:16:42.000000000 +0200
+++ tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch 2024-04-18 11:54:21.000000000 +0200
@@ -15,7 +15,7 @@
--- a/setup.py
+++ b/setup.py
-@@ -158,7 +158,7 @@
+@@ -136,7 +136,7 @@
install_requires=[
'defusedxml',
'lxml >= 2.0',
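Review bot: the only change in this refresh is the hunk header offset (`-@@ -158,7 +158,7 @@` becomes `+@@ -136,7 +136,7 @@`), with the `--- a/setup.py` / `+++ b/setup.py` headers and the `install_requires` context lines untouched, so it matches the [ Changes ] statement that the patch was refreshed with no further changes and carries no functional difference.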
diff -Nru tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch
--- tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch 1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch 2024-04-18 11:45:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Deny compressed content from unauthenticated requests
+ This patch fixes the vulnerabilty to zip bomb attacks via
+ decoded gzip content from unauthenticated users.
+ https://discuss.tryton.org/t/security-release-for-issue-13142/7196
+Author: Cédric Krier <cedric.krier@b2ck.com>
+Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13142
+
+--- a/trytond/protocols/wrappers.py
++++ b/trytond/protocols/wrappers.py
+@@ -53,8 +53,11 @@
+ @property
+ def decoded_data(self):
+ if self.content_encoding == 'gzip':
+- zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
+- return zipfile.read()
++ if self.user_id:
++ zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
++ return zipfile.read()
++ else:
++ abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)
+ else:
+ return self.data
+
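Review bot: the added branch calls `abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)` but the hunk adds no import lines, so the review should confirm that `abort` and `HTTPStatus` are already imported in trytond/protocols/wrappers.py in the 6.0.29 tree; otherwise the unauthenticated path fails with a NameError instead of the intended 415. Note also that the gate is `if self.user_id:` only: the body is still inflated without any bound for authenticated users, so the fix removes the unauthenticated exposure rather than the zip-bomb hazard itself, and a cap on the decoded size would be a reasonable follow-up as defence in depth. Returning 415 for a refused Content-Encoding is consistent with the status code's meaning.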
diff -Nru tryton-server-6.0.29/debian/patches/series tryton-server-6.0.29/debian/patches/series
--- tryton-server-6.0.29/debian/patches/series 2023-08-21 16:45:08.000000000 +0200
+++ tryton-server-6.0.29/debian/patches/series 2024-04-18 11:38:06.000000000 +0200
@@ -1,2 +1,3 @@
01_avoid_call_to_pypi.patch
02_enforce_record_rules.patch
+03_deny_compressed_content_from_unauth_request.patch
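The hazard described under [ Reason ] and the gate the upstream patch introduces, as an added Python example that is not code from tryton-server, Tryton or Debian: a constructed, highly compressible payload, the pre-patch unbounded decode, a bounded decoder as defence in depth, and a stand-in for the patched `decoded_data` property. All names here (`make_bomb`, `decode_unbounded`, `decode_bounded`, `decoded_data`, the two exception classes) are hypothetical.

```python
"""Zip-bomb hazard in gzip request bodies, and bounded decoding as defence in depth (added example)."""
import gzip
import io
import zlib


class DecodedTooLarge(Exception):
    """Raised when the inflated body would exceed the configured budget."""


class UnsupportedMediaType(Exception):
    """Stands in for abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE) in the upstream patch."""


def make_bomb(decoded_size):
    """Constructed payload: a run of zeros inflates roughly 1000:1 under gzip."""
    return gzip.compress(b"\0" * decoded_size)


def decode_unbounded(data):
    """Pre-patch shape: trust Content-Encoding and inflate the whole body into memory."""
    return gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb").read()


def decode_bounded(data, max_decoded):
    """Inflate a gzip body, stopping as soon as max_decoded bytes would be exceeded."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects the gzip container
    out = bytearray()
    pending = data
    while not d.eof:
        before = len(out)
        # Request at most budget + 1 bytes: a result longer than the budget proves the cap
        # was hit without materialising the rest of the stream.
        out += d.decompress(pending, max_decoded - len(out) + 1)
        if len(out) > max_decoded:
            raise DecodedTooLarge(f"decoded body exceeds {max_decoded} bytes")
        pending = d.unconsumed_tail
        if not pending and len(out) == before:
            raise zlib.error("truncated gzip stream")  # input exhausted, no end-of-stream marker
    return bytes(out)


def decoded_data(data, content_encoding, user_id, max_decoded=1 << 20):
    """Mirror of the patched property: gzip only for authenticated users, and bounded even then."""
    if content_encoding != "gzip":
        return data
    if not user_id:
        raise UnsupportedMediaType("compressed body on an unauthenticated request")
    return decode_bounded(data, max_decoded)
```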