Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tryton-cli...@packages.debian.org
Control: affects -1 + src:tryton-client
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Backport the patch to send only compressed content from authenticated sessions.
https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82

The security release https://discuss.tryton.org/t/security-release-for-issue-13142/7196
and filed for Debian as 1070...@bugs.debian.org introduced a regression for the client
shown at https://foss.heptapod.net/tryton/tryton/-/issues/13203

[ Impact ]
Without the patch a user could be confronted with an error in the client
connecting to a patched server.

[ Tests ]
The test suite completes without errors.
The patch is now publicly available and in use for 2 weeks.

[ Risks ]
The patch has minimal complexity and is from the upstream author, who is
generally very knowledgeable about his code.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The upstream commit was added as a patch that only allows sending gzip
compressed content for authenticated users.

[ Other info ]
This patch follows 1070...@bugs.debian.org.

-- 
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
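The mechanism the backported patch relies on is easy to see in isolation: `xmlrpc.client.Transport.send_content` gzip-compresses a request body only when `encode_threshold` is not `None` and the body is larger than it, so turning the class attribute into a property that yields a value only for an authenticated session makes unauthenticated requests go out uncompressed. The following is an added example written for this report, not the Tryton client's own code; `SessionGatedTransport`, `RecordingConnection`, `describe_request` and the sample body are constructed here to exercise the stdlib path offline.

```python
import xmlrpc.client


class SessionGatedTransport(xmlrpc.client.Transport):
    """Hypothetical transport mirroring the backported change: request bodies
    are gzip-compressed only when a session is present. Added example, not
    tryton/jsonrpc.py's Transport."""

    accept_gzip_encoding = True

    def __init__(self, session=None):
        super().__init__()
        self.session = session  # assumed: a truthy token once logged in

    @property
    def encode_threshold(self):
        # With a session, compress bodies larger than a common MTU.
        if self.session:
            return 1400
        # Without a session return None: Transport.send_content only gzips when
        # encode_threshold is not None and the body exceeds it, so this path
        # sends the body verbatim and never trips the server's compression gate.
        return None


class RecordingConnection:
    """Minimal stand-in for an HTTP connection: records the headers and body
    that send_content would transmit, so the decision can be inspected."""

    def __init__(self):
        self.headers = {}
        self.body = b""

    def putheader(self, name, value):
        self.headers[name] = value

    def endheaders(self, message_body=None):
        self.body = message_body


def describe_request(transport, body):
    """Run the stdlib send_content path for `body` and report the
    Content-Encoding header that was set (None if absent) and the number
    of bytes that would go on the wire."""
    conn = RecordingConnection()
    transport.send_content(conn, body)
    return conn.headers.get("Content-Encoding"), len(conn.body)


# Constructed sample body: a JSON-RPC-shaped payload padded past 1400 bytes.
SAMPLE_BODY = b'{"method": "common.db.list", "params": [' + b" " * 2000 + b"]}"


if __name__ == "__main__":
    for session in (None, "constructed-session-token"):
        enc, size = describe_request(SessionGatedTransport(session=session), SAMPLE_BODY)
        print(f"session={session!r}: Content-Encoding={enc}, {size} bytes on the wire")
```

Run stand-alone it prints one line per case: without a session the 2000+ byte body leaves uncompressed, with a session the same body is gzip-encoded and shrinks to a few dozen bytes. A body under the 1400-byte threshold is never compressed in either case, which matches the old class-attribute behaviour for small requests.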
diff -Nru tryton-client-6.0.26/debian/changelog tryton-client-6.0.26/debian/changelog --- tryton-client-6.0.26/debian/changelog 2023-03-06 12:43:07.000000000 +0100 +++ tryton-client-6.0.26/debian/changelog 2024-05-06 11:01:29.000000000 +0200 @@ -1,3 +1,13 @@ +tryton-client (6.0.26-1+deb12u1) bookworm; urgency=medium + + * Add 04-send-gzip-only-with-session.patch. + To prevent zip bomb attacks the server accepts since + https://foss.heptapod.net/tryton/tryton/-/commit/1923117e935de62276352585185ced6d854bcb3d + only compressed content from authenticated users. + This patch allows only to send gzip content within a session. + + -- Mathias Behrle <mathi...@m9s.biz> Mon, 06 May 2024 11:01:29 +0200 + tryton-client (6.0.26-1) unstable; urgency=medium * Merging upstream version 6.0.26. diff -Nru tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch --- tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch 1970-01-01 01:00:00.000000000 +0100 +++ tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch 2024-05-06 10:57:01.000000000 +0200 
@@ -0,0 +1,32 @@ +Description: Send gzip content only when in a session. + To prevent zip bomb attacks the server accepts since + https://foss.heptapod.net/tryton/tryton/-/commit/1923117e935de62276352585185ced6d854bcb3d + only compressed content from authenticated users. + This patch allows only to send gzip content within a session. +Author: Cédric Krier <cedric.kr...@b2ck.com> +Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13203 +Origin: https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82 +Forwarded: not-needed + +--- a/tryton/jsonrpc.py ++++ b/tryton/jsonrpc.py +@@ -130,7 +130,6 @@ + class Transport(xmlrpc.client.SafeTransport): + + accept_gzip_encoding = True +- encode_threshold = 1400 # common MTU + + def __init__( + self, fingerprints=None, ca_certs=None, session=None): +@@ -140,6 +139,11 @@ + self.__ca_certs = ca_certs + self.session = session + ++ @property ++ def encode_threshold(self): ++ if self.session: ++ return 1400 # common MTU ++ + def getparser(self): + target = JSONUnmarshaller() + parser = JSONParser(target) diff -Nru tryton-client-6.0.26/debian/patches/series tryton-client-6.0.26/debian/patches/series --- tryton-client-6.0.26/debian/patches/series 2023-03-06 12:43:07.000000000 +0100 +++ tryton-client-6.0.26/debian/patches/series 2024-05-06 10:46:17.000000000 +0200 @@ -1,3 +1,4 @@ 01-desktop-icon.patch 02-icon-search-path.patch 03-disable-version-check.patch +04-send-gzip-only-with-session.patch
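Review bot: the debian/changelog entry for 6.0.26-1+deb12u1 does not reference the Debian bug for the client regression (the report itself only names it as 1070...@bugs.debian.org), so the BTS will not tie this upload to that bug; add a "(Closes: #NNNNNN)" with the regression's bug number to the bullet. The sentence "This patch allows only to send gzip content within a session." also reads awkwardly; "This patch only sends gzip-compressed content within an authenticated session." says the same thing more clearly, and the same wording appears in the patch's DEP-3 Description, so fix both together.

Review bot: in the tryton/jsonrpc.py hunk of 04-send-gzip-only-with-session.patch, the new `encode_threshold` property has no return statement on the no-session path, so it relies on Python's implicit `None`, and being a read-only property it can no longer be assigned the way the removed class attribute could. The implicit `None` is what actually disables compression in the base class's `send_content`, so make that explicit with a `return None` and a comment saying so; if anything in the client ever set `transport.encode_threshold`, it now raises AttributeError, which is worth a quick grep before upload. In the DEP-3 header, `Bug:` points at the upstream issue; consider adding a `Bug-Debian:` field for the Debian regression report as well, so the patch carries both references.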