Your message dated Sat, 29 Jun 2024 10:46:19 +0000
with message-id <e1snvb1-002bgk...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1070478,
regarding bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tryton-ser...@packages.debian.org
Control: affects -1 + src:tryton-server
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Backport the patch to fix the vulnerability to zip bomb
attacks via decoded gzip content from unauthenticated users.
https://discuss.tryton.org/t/security-release-for-issue-13142/7196

In coordination with the security team it was classified as NO-DSA and
should rather be applied via bookworm-pu.

[ Impact ]
Without the patch any unauthenticated users could perform zip bomb
attacks against tryton-server.

[ Tests ]
The test suite completes without errors. The patch is now publicly
available and has been in use for 20 days.

[ Risks ]
The patch has minimal complexity and is from the upstream author,
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream commit was added as a patch that allows gzip
compressed content only for authenticated users.

01_avoid_call_to_pypi.patch was refreshed to apply cleanly with no
further changes.

[ Other info ]
This patch requires also a patch for tryton-client in a separate upload
to prevent a regression of tryton-client when it tries to send gzipped
content without authentication.



-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
diff -Nru tryton-server-6.0.29/debian/changelog tryton-server-6.0.29/debian/changelog
--- tryton-server-6.0.29/debian/changelog	2023-08-21 17:10:12.000000000 +0200
+++ tryton-server-6.0.29/debian/changelog	2024-04-18 11:59:53.000000000 +0200
@@ -1,3 +1,13 @@
+tryton-server (6.0.29-2+deb12u2) bookworm; urgency=medium
+
+  * Add 03_deny_compressed_content_from_unauth_request.patch.
+    This patch fixes the vulnerabilty to zip bomb attacks via
+    decoded gzip content from unauthenticated users.
+    https://discuss.tryton.org/t/security-release-for-issue-13142/7196
+  * Refresh 01_avoid_call_to_pypi.patch.
+
+ -- Mathias Behrle <mathi...@m9s.biz>  Thu, 18 Apr 2024 11:59:53 +0200
+
 tryton-server (6.0.29-2+deb12u1) bookworm-security; urgency=high
 
   * Add 02_enforce_record_rules.patch.
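Review bot: the new changelog entry misspells "vulnerability" as "vulnerabilty" in the line "This patch fixes the vulnerabilty to zip bomb attacks via"; the same spelling appears in the Description of the new patch file, so both are worth correcting together before upload. The entry otherwise names both patch changes (the new 03 patch and the refresh of 01), which matches the [Checklist] claim that all changes are documented.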
diff -Nru tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch
--- tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch	2023-08-21 15:16:42.000000000 +0200
+++ tryton-server-6.0.29/debian/patches/01_avoid_call_to_pypi.patch	2024-04-18 11:54:21.000000000 +0200
@@ -15,7 +15,7 @@
 
 --- a/setup.py
 +++ b/setup.py
-@@ -158,7 +158,7 @@
+@@ -136,7 +136,7 @@
      install_requires=[
          'defusedxml',
          'lxml >= 2.0',
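Review bot: this refresh changes only the hunk header of the quoted setup.py hunk from `@@ -158,7 +158,7 @@` to `@@ -136,7 +136,7 @@`; the context lines (`install_requires=[`, `'defusedxml'`, `'lxml >= 2.0'`) are untouched, so this is purely an offset update as the [Changes] section states and carries no functional change.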
diff -Nru tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch
--- tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch	1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-6.0.29/debian/patches/03_deny_compressed_content_from_unauth_request.patch	2024-04-18 11:45:22.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Deny compressed content from unauthenticated requests
+ This patch fixes the vulnerabilty to zip bomb attacks via
+ decoded gzip content from unauthenticated users.
+ https://discuss.tryton.org/t/security-release-for-issue-13142/7196
+Author: Cédric Krier <cedric.kr...@b2ck.com>
+Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13142
+
+--- a/trytond/protocols/wrappers.py
++++ b/trytond/protocols/wrappers.py
+@@ -53,8 +53,11 @@
+     @property
+     def decoded_data(self):
+         if self.content_encoding == 'gzip':
+-            zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
+-            return zipfile.read()
++            if self.user_id:
++                zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
++                return zipfile.read()
++            else:
++                abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)
+         else:
+             return self.data
+ 
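Review bot: the new `abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)` line depends on `abort` and `HTTPStatus` already being imported in trytond/protocols/wrappers.py; the hunk adds no import lines and its context lines do not show them, so confirm both names exist in the 6.0 version of that file, otherwise the unauthenticated branch raises NameError (a 500) instead of returning 415. Note also that the authenticated branch still calls `zipfile.read()` with no limit on the inflated size, so the patch removes the unauthenticated vector described in the advisory only; a cap on decompressed size would be the natural follow-up hardening. Finally, the DEP-3 header carries Description, Author and Bug but no Origin or Applied-Upstream field pointing at the upstream changeset, which would help future refreshes.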
diff -Nru tryton-server-6.0.29/debian/patches/series tryton-server-6.0.29/debian/patches/series
--- tryton-server-6.0.29/debian/patches/series	2023-08-21 16:45:08.000000000 +0200
+++ tryton-server-6.0.29/debian/patches/series	2024-04-18 11:38:06.000000000 +0200
@@ -1,2 +1,3 @@
 01_avoid_call_to_pypi.patch
 02_enforce_record_rules.patch
+03_deny_compressed_content_from_unauth_request.patch

--- End Message ---
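The change described in the [Changes] section above, modelled as an added Python example (this is not trytond's own code): a minimal stand-in for the request wrapper's decoded_data property in its pre-patch form, in the patched form that refuses gzip bodies from unauthenticated callers with 415, and, as an assumed extra that is not part of the upstream patch, a variant that also caps the inflated size for authenticated callers. The FakeRequest class, the abort() stand-in, make_bomb() and the 8 MiB cap are all constructed for this example.

```python
import gzip
from http import HTTPStatus
from io import BytesIO


class RequestAborted(Exception):
    """Stand-in for werkzeug's abort(): carries the HTTP status to return."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def abort(status):
    # Hypothetical replacement for werkzeug.exceptions.abort used by trytond.
    raise RequestAborted(status)


class FakeRequest:
    """Constructed model of the request wrapper: raw body bytes, the
    Content-Encoding header and the user id resolved from the session
    (None or 0 means unauthenticated, as in the patch's `if self.user_id`)."""

    def __init__(self, data, content_encoding=None, user_id=None):
        self.data = data
        self.content_encoding = content_encoding
        self.user_id = user_id


def decoded_data_before(req):
    """Pre-patch behaviour: gzip bodies are fully inflated for anyone."""
    if req.content_encoding == 'gzip':
        return gzip.GzipFile(fileobj=BytesIO(req.data), mode='rb').read()
    return req.data


def decoded_data_after(req):
    """Patched behaviour: only authenticated users may send gzip bodies;
    anonymous callers get 415 Unsupported Media Type before any inflation."""
    if req.content_encoding == 'gzip':
        if req.user_id:
            return gzip.GzipFile(fileobj=BytesIO(req.data), mode='rb').read()
        abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)
    return req.data


MAX_DECODED = 8 * 1024 * 1024  # assumed cap for the example, not in the patch


def decoded_data_capped(req, limit=MAX_DECODED):
    """Assumed extra defence: inflate at most limit+1 bytes so that even an
    authenticated caller cannot make the server hold an unbounded body."""
    if req.content_encoding == 'gzip':
        if not req.user_id:
            abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)
        out = gzip.GzipFile(fileobj=BytesIO(req.data), mode='rb').read(limit + 1)
        if len(out) > limit:
            abort(HTTPStatus.REQUEST_ENTITY_TOO_LARGE)
        return out
    return req.data


def make_bomb(size):
    """Constructed sample body: `size` zero bytes, which gzip shrinks to a
    few kilobytes, so the on-the-wire request is tiny but inflates to `size`."""
    return gzip.compress(b'\0' * size)


def demo(size=16 * 1024 * 1024):
    """Run all three variants over the same body and report what happened."""
    bomb = make_bomb(size)
    anon = FakeRequest(bomb, 'gzip', user_id=None)
    auth = FakeRequest(bomb, 'gzip', user_id=1)
    results = {'ratio': size / len(bomb)}
    results['before_anon'] = len(decoded_data_before(anon))
    try:
        decoded_data_after(anon)
        results['after_anon'] = 'decoded'
    except RequestAborted as e:
        results['after_anon'] = int(e.status)
    results['after_auth'] = len(decoded_data_after(auth))
    try:
        decoded_data_capped(auth)
        results['capped_auth'] = 'decoded'
    except RequestAborted as e:
        results['capped_auth'] = int(e.status)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The `ratio` entry shows why the anonymous path mattered: a request of a few kilobytes forces the pre-patch server to allocate the full inflated size. The patched variant never touches the gzip stream unless `user_id` is set, which is exactly the upstream change; the capped variant is the extra step the patch does not take.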
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
