Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package tryton-server This version fixes CVE-2019-10868. debdiff attached. unblock tryton-server/5.0.4-2 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru tryton-server-5.0.4/debian/changelog tryton-server-5.0.4/debian/changelog
--- tryton-server-5.0.4/debian/changelog 2019-01-23 16:06:18.000000000 +0100
+++ tryton-server-5.0.4/debian/changelog 2019-04-03 17:29:15.000000000 +0200
@@ -1,3 +1,15 @@
+tryton-server (5.0.4-2) unstable; urgency=high
+
+ * Add 03_sec_issue8189_check_read_access_on_search_order.patch
+ for CVE-2019-10868.
+ This patch fixes security issue http://bugs.tryton.org/issue8189:
+ Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+ See also https://discuss.tryton.org/t/security-release-for-issue8189/
+
+ -- Mathias Behrle <mathi...@m9s.biz> Wed, 03 Apr 2019 17:29:15 +0200
+
 tryton-server (5.0.4-1) unstable; urgency=medium
 
 * Add more configuration parameters to trytond.conf.
diff -Nru tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch
--- tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/03_sec_issue8189_check_read_access_on_search_order.patch 2019-04-03 17:16:42.000000000 +0200
@@ -0,0 +1,53 @@
+Description: Check read access on field in search_order.
+ An authenticated user can order records based on a field for which
+ he has no access right. This may allow the user to guess values.
+
+Origin: upstream, http://hg.tryton.org/trytond/rev/b2fab24f9c60
+Bug: http://bugs.tryton.org/issue8189
+Forwarded: not-needed
+Last-Update: 2019-04-03
+
+--- tryton-server-5.0.4.orig/trytond/model/modelstorage.py
++++ tryton-server-5.0.4/trytond/model/modelstorage.py
+@@ -395,7 +395,7 @@ class ModelStorage(Model):
+ 
+ ModelAccess.check(cls.__name__, 'read')
+ 
+- def check(domain, cls, to_check):
++ def check_domain(domain, cls, to_check):
+ if is_leaf(domain):
+ local, relate = (domain[0].split('.', 1) + [None])[:2]
+ to_check[cls.__name__].add(local)
+@@ -405,16 +405,29 @@ class ModelStorage(Model):
+ else:
+ target = cls._fields[local].get_target()
+ target_domain = [(relate,) + tuple(domain[1:])]
+- check(target_domain, target, to_check)
++ check_domain(target_domain, target, to_check)
+ elif not domain:
+ return
+ else:
+ i = 1 if domain[0] in ['OR', 'AND'] else 0
+ for d in domain[i:]:
+- check(d, cls, to_check)
++ check_domain(d, cls, to_check)
++
++ def check_order(order, cls, to_check):
++ if not order:
++ return
++ for oexpr, otype in order:
++ local, _, relate = oexpr.partition('.')
++ to_check[cls.__name__].add(local)
++ if relate:
++ target = cls._fields[local].get_target()
++ target_order = [(relate, otype)]
++ check_order(target_order, target, to_check)
++
+ if transaction.user and transaction.context.get('_check_access'):
+ to_check = defaultdict(set)
+- check(domain, cls, to_check)
++ check_domain(domain, cls, to_check)
++ check_order(order, cls, to_check)
+ for name, fields_names in to_check.items():
+ ModelAccess.check(name, 'read')
+ ModelFieldAccess.check(name, fields_names, 'read')
diff -Nru tryton-server-5.0.4/debian/patches/series tryton-server-5.0.4/debian/patches/series
--- tryton-server-5.0.4/debian/patches/series 2019-01-23 16:06:17.000000000 +0100
+++ tryton-server-5.0.4/debian/patches/series 2019-04-03 17:11:53.000000000 +0200
@@ -1,2 +1,3 @@
 01_migrate_obsolete_modules.patch
 02_avoid_call_to_pypi.patch
+03_sec_issue8189_check_read_access_on_search_order.patch
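Review bot: In the new `check_order`, a dotted order expression is resolved with `cls._fields[local].get_target()` before any read check has run, so an order naming an unknown field raises `KeyError` out of the access check, and one naming a non-relational field presumably fails with `AttributeError` rather than a clean access-denied error; `check_domain` has the same shape, so a shared "resolve relational target or reject" guard would serve both. The helper also carries no comment on why ordering needs an access check at all; I would add `# Sorting by a field reveals its relative values, so every field the order touches (including each step of a dotted path) needs read access.` above `def check_order`. Both helpers run only under `transaction.context.get('_check_access')`, which matches the existing domain check, so internal callers are unaffected. The enclosing `ModelStorage` method starts and ends outside the hunk.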