Your message dated Fri, 05 Apr 2019 14:36:19 +0000
with message-id <e1hcpx5-0003bd...@respighi.debian.org>
and subject line unblock tryton-server
has caused the Debian Bug report #926439,
regarding unblock: tryton-server/5.0.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package tryton-server

This version fixes CVE-2019-10868.

debdiff attached.

unblock tryton-server/5.0.4-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog        2019-01-23 16:06:18.000000000 +0100
+++ tryton-server-5.0.4/debian/changelog        2019-04-03 17:29:15.000000000 +0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+  * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+    for CVE-2019-10868.
+    This patch fixes security issue http://bugs.tryton.org/issue8189:
+     Check read access on field in search_order.
+     An authenticated user can order records based on a field for which
+     he has no access right. This may allow the user to guess values.
+     See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle <mathi...@m9s.biz>  Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
   * Add more configuration parameters to trytond.conf.
diff -Nru tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 2019-04-03 17:16:42.000000000 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60 
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
++++ tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+         ModelAccess.check(cls.__name__, 'read')
+ 
+-        def check(domain, cls, to_check):
++        def check_domain(domain, cls, to_check):
+             if is_leaf(domain):
+                 local, relate = (domain[0].split('.', 1) + [None])[:2]
+                 to_check[cls.__name__].add(local)
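Review bot: the only change in this hunk is the rename of the nested helper `check` to `check_domain`; behaviour is unchanged and the helper is local to `search`, so there are no callers outside this function to update. The rename reads as preparation for a sibling `check_order` helper and is fine as is.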
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+                     else:
+                         target = cls._fields[local].get_target()
+                     target_domain = [(relate,) + tuple(domain[1:])]
+-                    check(target_domain, target, to_check)
++                    check_domain(target_domain, target, to_check)
+             elif not domain:
+                 return
+             else:
+                 i = 1 if domain[0] in ['OR', 'AND'] else 0
+                 for d in domain[i:]:
+-                    check(d, cls, to_check)
++                    check_domain(d, cls, to_check)
++
++        def check_order(order, cls, to_check):
++            if not order:
++                return
++            for oexpr, otype in order:
++                local, _, relate = oexpr.partition('.')
++                to_check[cls.__name__].add(local)
++                if relate:
++                    target = cls._fields[local].get_target()
++                    target_order = [(relate, otype)]
++                    check_order(target_order, target, to_check)
++
+         if transaction.user and transaction.context.get('_check_access'):
+             to_check = defaultdict(set)
+-            check(domain, cls, to_check)
++            check_domain(domain, cls, to_check)
++            check_order(order, cls, to_check)
+             for name, fields_names in to_check.items():
+                 ModelAccess.check(name, 'read')
+                 ModelFieldAccess.check(name, fields_names, 'read')
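Review bot: `check_order` dereferences `cls._fields[local]` and calls `.get_target()` with no guard at `target = cls._fields[local].get_target()`, so an order expression whose first segment is not a field of `cls`, or a dotted expression on a non-relational field, surfaces as a KeyError or AttributeError out of the access check rather than as a validation error. This mirrors the same unguarded call in `check_domain` in the context above, so it is at least consistent, but it relies on the order list having been validated before `search` reaches this point, which the diff does not show; worth confirming, or guarding with `cls._fields.get(local)`. Note also that the new call sits inside the existing `if transaction.user and transaction.context.get('_check_access'):` gate, so, like the domain check, it is only enforced when `_check_access` is set in the context; callers of `search` without it keep the unchecked ordering, which is the established field-access policy here rather than a gap introduced by this patch.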
diff -Nru tryton-server-5.0.4/debian/patches/series tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series   2019-01-23 16:06:17.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/series   2019-04-03 17:11:53.000000000 +0200
@@ -1,2 +1,3 @@
 01_migrate_obsolete_modules.patch
 02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch

--- End Message ---
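The leak the changelog and patch description refer to, as an added example that is not part of the bug report, the debdiff or trytond itself: a toy ORM search in Python whose domain is field-access-checked but whose order clause is not, so a user who may not read a field can still sort by it and learn the ranking of its values. The models, per-user field permissions, records and search() below are all constructed for the illustration; only collect_order() follows the shape of the check_order() helper the patch adds (partition the expression on '.', record the local field for the current model, recurse into the target model for the remainder).

```python
"""Added example, not trytond code: a toy ORM search showing why an order
clause that is not access-checked leaks values (issue8189), and the fix.
Models, permissions, records and search() are constructed for illustration;
only collect_order() mirrors the shape of the patch's check_order()."""
from collections import defaultdict


class AccessError(Exception):
    """Raised when the user lacks read access to a field the query uses."""


# Constructed schema; 'employee.salary' and 'department.budget' are the
# fields the low-privilege 'clerk' must not read.
MODELS = {
    'employee': {'name': {}, 'salary': {},
                 'department': {'target': 'department'}},  # many2one
    'department': {'name': {}, 'budget': {}},
}
# Constructed field-level read permissions: user -> model -> readable fields.
FIELD_READ = {
    'manager': {'employee': {'name', 'salary', 'department'},
                'department': {'name', 'budget'}},
    'clerk': {'employee': {'name', 'department'}, 'department': {'name'}},
}
# Constructed records, keyed by model then id.
RECORDS = {
    'department': {1: {'id': 1, 'name': 'ops', 'budget': 500},
                   2: {'id': 2, 'name': 'rnd', 'budget': 900}},
    'employee': {1: {'id': 1, 'name': 'alice', 'salary': 70, 'department': 2},
                 2: {'id': 2, 'name': 'bob', 'salary': 40, 'department': 1},
                 3: {'id': 3, 'name': 'carol', 'salary': 55, 'department': 1}},
}
OPS = {'=': lambda a, b: a == b, '>': lambda a, b: a > b, '<': lambda a, b: a < b}


def resolve(record, model, expr):
    """Follow a dotted expression such as 'department.budget' to its value."""
    local, _, relate = expr.partition('.')
    value = record[local]
    if relate:
        target = MODELS[model][local]['target']
        return resolve(RECORDS[target][value], target, relate)
    return value


def collect_domain(domain, model, to_check):
    """Record every field a flat AND domain of (expr, op, value) leaves reads."""
    for expr, op, value in domain:
        local, _, relate = expr.partition('.')
        to_check[model].add(local)
        if relate:
            collect_domain([(relate, op, value)],
                           MODELS[model][local]['target'], to_check)


def collect_order(order, model, to_check):
    """The same walk over the order clause; this is what the patch adds."""
    for expr, otype in order:
        local, _, relate = expr.partition('.')
        to_check[model].add(local)
        if relate:
            collect_order([(relate, otype)],
                          MODELS[model][local]['target'], to_check)


def check_read_access(user, to_check):
    for model, fields in to_check.items():
        denied = fields - FIELD_READ[user].get(model, set())
        if denied:
            raise AccessError(f'{user} may not read {model}.{sorted(denied)}')


def search(user, model, domain, order, check_order=True):
    """Return matching ids in the requested order.  check_order=False is the
    pre-patch behaviour: only the domain is checked, so sorting by a hidden
    field turns the result order into an oracle on that field's values."""
    to_check = defaultdict(set)
    collect_domain(domain, model, to_check)
    if check_order:
        collect_order(order, model, to_check)
    check_read_access(user, to_check)
    rows = [r for r in RECORDS[model].values()
            if all(OPS[op](resolve(r, model, e), v) for e, op, v in domain)]
    for expr, otype in reversed(order):  # last key first; sort is stable
        rows.sort(key=lambda r: resolve(r, model, expr),
                  reverse=otype.upper() == 'DESC')
    return [r['id'] for r in rows]


def refused(user, model, domain, order, check_order=True):
    """True when search() rejects the query for lack of read access."""
    try:
        search(user, model, domain, order, check_order)
    except AccessError:
        return True
    return False


if __name__ == '__main__':
    # The clerk cannot filter on salary, but before the fix could still sort
    # by it and learn the salary ranking (alice, carol, bob).
    print(refused('clerk', 'employee', [('salary', '>', 50)], []))
    print(search('clerk', 'employee', [], [('salary', 'DESC')], check_order=False))
    print(refused('clerk', 'employee', [], [('department.budget', 'DESC')]))
```

The dotted case matters as much as the plain one: with the order walk, `department.budget` is checked as field `department` on `employee` plus field `budget` on `department`, so a user allowed to see which department a record belongs to still cannot rank departments by a budget they may not read.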
--- Begin Message ---
Unblocked tryton-server.

--- End Message ---
