Your message dated Sat, 29 Jun 2024 10:46:19 +0000
with message-id <e1snvb1-002bgq...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1070484,
regarding bookworm-pu: package tryton-client/tryton-client_6.0.26-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tryton-cli...@packages.debian.org
Control: affects -1 + src:tryton-client
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Backport the patch to send only compressed content from
authenticated sessions.
https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82

The security release
https://discuss.tryton.org/t/security-release-for-issue-13142/7196
and filed for Debian as 1070...@bugs.debian.org
introduced a regression for the client shown at
https://foss.heptapod.net/tryton/tryton/-/issues/13203

[ Impact ]
Without the patch a user could be confronted with an error in the client
connecting to a patched server.

[ Tests ]
The test suite completes without errors. The patch has been publicly
available and in use for 2 weeks.

[ Risks ]
The patch has minimal complexity and is from the upstream author,
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream commit was added as a patch that allows gzip
compressed content only for authenticated users.

[ Other info ]
This patch follows 1070...@bugs.debian.org.


-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
diff -Nru tryton-client-6.0.26/debian/changelog tryton-client-6.0.26/debian/changelog
--- tryton-client-6.0.26/debian/changelog	2023-03-06 12:43:07.000000000 +0100
+++ tryton-client-6.0.26/debian/changelog	2024-05-06 11:01:29.000000000 +0200
@@ -1,3 +1,13 @@
+tryton-client (6.0.26-1+deb12u1) bookworm; urgency=medium
+
+  * Add 04-send-gzip-only-with-session.patch.
+    To prevent zip bomb attacks the server accepts since
+    https://foss.heptapod.net/tryton/tryton/-/commit/1923117e935de62276352585185ced6d854bcb3d
+    only compressed content from authenticated users.
+    This patch allows only to send gzip content within a session.
+
+ -- Mathias Behrle <mathi...@m9s.biz>  Mon, 06 May 2024 11:01:29 +0200
+
 tryton-client (6.0.26-1) unstable; urgency=medium
 
   * Merging upstream version 6.0.26.
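Review bot: the changelog entry cites the server-side commit but not the client regression this upload actually fixes; add the upstream issue https://foss.heptapod.net/tryton/tryton/-/issues/13203 (already in the patch's Bug: header) so the fix is traceable from the changelog alone, and reword `This patch allows only to send gzip content within a session.` to `The client now sends gzip-compressed content only within an authenticated session.`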
diff -Nru tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch
--- tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch	1970-01-01 01:00:00.000000000 +0100
+++ tryton-client-6.0.26/debian/patches/04-send-gzip-only-with-session.patch	2024-05-06 10:57:01.000000000 +0200
@@ -0,0 +1,32 @@
+Description: Send gzip content only when in a session.
+ To prevent zip bomb attacks the server accepts since
+ https://foss.heptapod.net/tryton/tryton/-/commit/1923117e935de62276352585185ced6d854bcb3d
+ only compressed content from authenticated users.
+ This patch allows only to send gzip content within a session.
+Author: Cédric Krier <cedric.kr...@b2ck.com>
+Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13203
+Origin: https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82
+Forwarded: not-needed
+
+--- a/tryton/jsonrpc.py
++++ b/tryton/jsonrpc.py
+@@ -130,7 +130,6 @@
+ class Transport(xmlrpc.client.SafeTransport):
+ 
+     accept_gzip_encoding = True
+-    encode_threshold = 1400  # common MTU
+ 
+     def __init__(
+             self, fingerprints=None, ca_certs=None, session=None):
+@@ -140,6 +139,11 @@
+         self.__ca_certs = ca_certs
+         self.session = session
+ 
++    @property
++    def encode_threshold(self):
++        if self.session:
++            return 1400  # common MTU
++
+     def getparser(self):
+         target = JSONUnmarshaller()
+         parser = JSONParser(target)
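Review bot: the `encode_threshold` property in the second inner hunk falls through and returns `None` implicitly when `self.session` is unset; make that an explicit `return None` with a comment that `None` is the value `xmlrpc.client.Transport.send_content` checks to skip gzip encoding, otherwise the fall-through reads like an oversight rather than the intended "do not compress" case. Also note that turning the class attribute into a setter-less property means any code that assigns `transport.encode_threshold = ...` will now raise `AttributeError`; worth confirming nothing in the client does so.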
diff -Nru tryton-client-6.0.26/debian/patches/series tryton-client-6.0.26/debian/patches/series
--- tryton-client-6.0.26/debian/patches/series	2023-03-06 12:43:07.000000000 +0100
+++ tryton-client-6.0.26/debian/patches/series	2024-05-06 10:46:17.000000000 +0200
@@ -1,3 +1,4 @@
 01-desktop-icon.patch
 02-icon-search-path.patch
 03-disable-version-check.patch
+04-send-gzip-only-with-session.patch

--- End Message ---
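Added example, not Tryton's code and not part of the bug report: it subclasses the stdlib xmlrpc.client.Transport with the encode_threshold property from the patch, drives the real send_content through a recording stand-in for the HTTP connection, and pairs it with a hypothetical server-side decoder that inflates gzip only for an authenticated session and caps the inflated size (the zip-bomb guard the [ Reason ] section refers to). The session value, the RecordingConnection helper and the 1 MiB cap are assumptions.

```python
import gzip
import io
import xmlrpc.client


class SessionGzipTransport(xmlrpc.client.Transport):
    """Client side: compress request bodies only once a session exists."""
    accept_gzip_encoding = True

    def __init__(self, session=None):
        super().__init__()
        self.session = session  # hypothetical: set by the caller after login

    @property
    def encode_threshold(self):
        # None tells xmlrpc.client.Transport.send_content not to gzip.
        if self.session:
            return 1400  # common MTU, as in the patch
        return None


class RecordingConnection:
    # Stand-in for http.client.HTTPConnection; records what send_content emits.
    def __init__(self):
        self.headers, self.body = {}, None

    def putheader(self, name, value):
        self.headers[name] = value

    def endheaders(self, body=None):
        self.body = body


def send_request(session, body):
    # Returns (headers, body) exactly as the stdlib send_content would send them.
    conn = RecordingConnection()
    SessionGzipTransport(session).send_content(conn, body)
    return conn.headers, conn.body


def server_decode(headers, body, session, max_bytes=1 << 20):
    """Server side: inflate gzip only for a session, and cap the inflated size."""
    if headers.get("Content-Encoding") != "gzip":
        return body
    if not session:
        raise PermissionError("compressed content requires an authenticated session")
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as f:
        data = f.read(max_bytes + 1)  # never inflate past the cap
    if len(data) > max_bytes:
        raise ValueError("decompressed body exceeds limit")
    return data
```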
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
