Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tryton-ser...@packages.debian.org
Control: affects -1 + src:tryton-server
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Backport the patch to fix the vulnerability to zip bomb attacks via decoded gzip content from unauthenticated users.
https://discuss.tryton.org/t/security-release-for-issue-13142/7196
In coordination with the security team it was classified as NO-DSA and should rather be applied via bookworm-pu.

[ Impact ]
Without the patch any unauthenticated user could perform zip bomb attacks against tryton-server.

[ Tests ]
The test suite completes without errors.
The patch is now publicly available and has been in use for 20 days.

[ Risks ]
The patch has minimal complexity and is from the upstream author, who is generally very knowledgeable about his code.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The upstream commit was added as a patch that allows gzip compressed content only for authenticated users.
01_avoid_call_to_pypi.patch was refreshed to apply cleanly with no further changes.

[ Other info ]
This patch also requires a patch for tryton-client in a separate upload to prevent a regression of tryton-client when it tries to send gzipped content without authentication.

--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
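The check that the backported patch adds to `decoded_data`, modelled here as an added Python example (not trytond's own code): anonymous requests may not carry gzip at all, and, going beyond the patch, authenticated requests are decompressed under a size cap so a highly compressed body is cut off early instead of being expanded fully. `MAX_DECODED_SIZE`, `CHUNK`, `make_bomb` and the tuple return value are assumptions made for the example.

```python
import gzip
import io
from http import HTTPStatus

# Assumed limits for the example; a real deployment would tune these.
MAX_DECODED_SIZE = 1024 * 1024   # 1 MiB of decompressed payload
CHUNK = 64 * 1024                # decompress in 64 KiB steps


def decode_request_body(data, content_encoding, user_id,
                        max_size=MAX_DECODED_SIZE):
    """Return (status, payload); payload is None when the body is rejected.

    Mirrors the patched trytond wrapper: a gzip body from a request
    without an authenticated user (user_id falsy) is answered with 415,
    exactly as abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE) does upstream.
    For authenticated callers the example additionally stops reading
    once the decompressed output exceeds max_size, so a small bomb
    cannot exhaust memory even from a logged-in account.
    """
    if content_encoding != 'gzip':
        return HTTPStatus.OK, data
    if not user_id:
        # The upstream fix: no gzip decoding before authentication.
        return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, None
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode='rb') as zipfile:
        while True:
            chunk = zipfile.read(CHUNK)
            if not chunk:
                break
            out.write(chunk)
            if out.tell() > max_size:
                # Overshoot is bounded by one CHUNK, never by the bomb size.
                return HTTPStatus.REQUEST_ENTITY_TOO_LARGE, None
    return HTTPStatus.OK, out.getvalue()


def make_bomb(size):
    """Constructed sample input: `size` zero bytes, which gzip shrinks ~1000x."""
    return gzip.compress(b'\0' * size)


if __name__ == '__main__':
    body = make_bomb(4 * 1024 * 1024)
    print('compressed bytes:', len(body))
    print('anonymous:', decode_request_body(body, 'gzip', 0)[0])
    print('authenticated:', decode_request_body(body, 'gzip', 7)[0])
```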
diff -Nru tryton-server-6.0.29/debian/changelog tryton-server-6.0.29/debian/changelog --- tryton-server-6.0.29/debian/changelog 2023-08-21 17:10:12.000000000 +0200 +++ tryton-server-6.0.29/debian/changelog 2024-04-18 11:59:53.000000000 +0200 @@ -1,3 +1,13 @@ +tryton-server (6.0.29-2+deb12u2) bookworm; urgency=medium + + * Add 03_deny_compressed_content_from_unauth_request.patch. + This patch fixes the vulnerabilty to zip bomb attacks via + decoded gzip content from unauthenticated users. + https://discuss.tryton.org/t/security-release-for-issue-13142/7196 + * Refresh 01_avoid_call_to_pypi.patch. + + -- Mathias Behrle <mathi...@m9s.biz> Thu, 18 Apr 2024 11:59:53 +0200 + tryton-server (6.0.29-2+deb12u1) bookworm-security; urgency=high * Add 02_enforce_record_rules.patch. diff -Nru tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch --- tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch 2023-08-21 15:16:42.000000000 +0200 +++ tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch 2024-04-18 11:54:21.000000000 +0200 @@ -15,7 +15,7 @@ --- a/setup.py +++ b/setup.py -@@ -158,7 +158,7 @@ +@@ -136,7 +136,7 @@ install_requires=[ 'defusedxml', 'lxml >= 2.0', diff -Nru tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch --- tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch 1970-01-01 01:00:00.000000000 +0100 +++ tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch 2024-04-18 11:45:22.000000000 +0200 
@@ -0,0 +1,23 @@ +Description: Deny compressed content from unauthenticated requests + This patch fixes the vulnerabilty to zip bomb attacks via + decoded gzip content from unauthenticated users. + https://discuss.tryton.org/t/security-release-for-issue-13142/7196 +Author: Cédric Krier <cedric.kr...@b2ck.com> +Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13142 + +--- a/trytond/protocols/wrappers.py ++++ b/trytond/protocols/wrappers.py +@@ -53,8 +53,11 @@ + @property + def decoded_data(self): + if self.content_encoding == 'gzip': +- zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb') +- return zipfile.read() ++ if self.user_id: ++ zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb') ++ return zipfile.read() ++ else: ++ abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE) + else: + return self.data + diff -Nru tryton-server-6.0.29/debian/patches/series tryton-server-6.0.29/debian/patches/series --- tryton-server-6.0.29/debian/patches/series 2023-08-21 16:45:08.000000000 +0200 +++ tryton-server-6.0.29/debian/patches/series 2024-04-18 11:38:06.000000000 +0200 @@ -1,2 +1,3 @@ 01_avoid_call_to_pypi.patch 02_enforce_record_rules.patch +03_deny_compressed_content_from_unauth_request.patch
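Review bot: the new changelog entry misspells "vulnerability" in the line `+ This patch fixes the vulnerabilty to zip bomb attacks via`; since the text is published verbatim in the package changelog, correct it before upload.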
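Review bot: the new branch in decoded_data calls `abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)`, but the hunk adds no imports; confirm that trytond/protocols/wrappers.py at 6.0.29 already imports `abort` and `HTTPStatus`, otherwise the first unauthenticated gzip request fails with NameError instead of a 415 response. The DEP-3 header carries a Bug: line but no Origin: line for the upstream commit the patch was taken from; adding it makes the backport traceable. The Description also repeats the "vulnerabilty" typo. Finally, the guard is `if self.user_id:`, so decompression remains unbounded for authenticated sessions; that matches the upstream fix, but a cap on decompressed size would be the fuller mitigation if a follow-up is considered.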