[tryton-debian-vcs] tryton-server branch debian-jessie updated. debian/3.4.0-2-4-g8c37944
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Wed Dec 16 14:22:58 UTC 2015
The following commit has been merged in the debian-jessie branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.4.0-2-4-g8c37944
commit 8c37944eb533611c754e797a1bbc63c596230357
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Sat Dec 5 12:47:02 2015 +0100
Releasing debian version 3.4.0-3+deb8u1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index ab49bed..8a02529 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tryton-server (3.4.0-3+deb8u1) stable-security; urgency=high
+
+ * Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch.
+ Field access was only checked for the field defined in the first
+ values dictionary, but it must be checked for all dictionaries
+ in *args.
+ - https://bugs.tryton.org/issue5167
+ - https://codereview.tryton.org/22631002
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Sat, 05 Dec 2015 12:37:37 +0100
+
tryton-server (3.4.0-3) unstable; urgency=medium
* Removing on purge also the data directory of tryton-server.
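Review bot: the new changelog entry cites the upstream issue and code review but no Debian bug; if a BTS report was filed for CVE-2015-0861, add a Closes: line for it so the bug is closed by this upload and the security tracker picks up the fix automatically. The distribution and urgency (stable-security, high) are correct for a jessie security upload.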
commit 33c4f429a97781d6c60c68c4dbd21e48a31c043e
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Sat Dec 5 12:33:08 2015 +0100
Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch.
Field access was only checked for the field defined in the first
values dictionary, but it must be checked for all dictionaries in
*args.
- https://bugs.tryton.org/issue5167
- https://codereview.tryton.org/22631002
diff --git a/debian/patches/02-CVE-2015-0861_field_access_on_multi_write.patch b/debian/patches/02-CVE-2015-0861_field_access_on_multi_write.patch
new file mode 100644
index 0000000..4a2a0b4
--- /dev/null
+++ b/debian/patches/02-CVE-2015-0861_field_access_on_multi_write.patch
@@ -0,0 +1,34 @@
+Description: Fix for CVE-2015-0861 field access on multi write
+ Field access was only checked for the field defined in the first
+ values dictionary, but it must be checked for all dictionaries in *args.
+Author: Cédric Krier <ced at b2ck.com>
+Origin: upstream, https://codereview.tryton.org/22631002
+Bug: https://bugs.tryton.org/issue5167
+Forwarded: not-needed
+
+--- tryton-server.git.orig/trytond/model/modelstorage.py 2015-12-05 12:18:41.000000000 +0100
++++ tryton-server.git/trytond/model/modelstorage.py 2015-12-05 12:18:41.000000000 +0100
+@@ -139,18 +139,19 @@
+ ModelAccess = pool.get('ir.model.access')
+ ModelFieldAccess = pool.get('ir.model.field.access')
+
+- ModelAccess.check(cls.__name__, 'write')
+- ModelFieldAccess.check(cls.__name__,
+- [x for x in values if x in cls._fields], 'write')
+-
+ assert not len(args) % 2
+ actions = iter((records, values) + args)
+ all_records = []
++ all_fields = set()
+ for records, values in zip(actions, actions):
+ if not cls.check_xml_record(records, values):
+ cls.raise_user_error('write_xml_record',
+ error_description='xml_record_desc')
+ all_records += records
++ all_fields.update(values.iterkeys())
++
++ ModelAccess.check(cls.__name__, 'write')
++ ModelFieldAccess.check(cls.__name__, all_fields, 'write')
+
+ # Increase transaction counter
+ Transaction().counter += 1
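Review bot: the replacement ModelFieldAccess.check call at the end of the hunk drops the `[x for x in values if x in cls._fields]` filter that the removed lines applied, so every key of every values dictionary now reaches the check, including keys that are not model fields; confirm that ModelFieldAccess.check tolerates unknown names, or restore the filter when collecting the set (`all_fields.update(x for x in values if x in cls._fields)`). Moving both access checks below the loop also means check_xml_record and its write_xml_record user error now run before write permission is verified, so a caller without write access receives a different error depending on whether the records are XML records; if that distinction matters, keep `ModelAccess.check(cls.__name__, 'write')` before the loop and only defer the field check. `values.iterkeys()` is Python 2 only, which is fine for trytond 3.4 but worth remembering if the patch is carried to a newer series.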
diff --git a/debian/patches/series b/debian/patches/series
index f9bd601..adb283a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
01_migrate_obsolete_ldap_connection
+02-CVE-2015-0861_field_access_on_multi_write.patch
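Review bot: the new series entry uses a `.patch` suffix and a `-` separator while the existing `01_migrate_obsolete_ldap_connection` uses neither; quilt accepts both, but a consistent naming scheme makes the series easier to maintain and to grep for CVE identifiers.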
commit 920bedc707e00fb8e44c3e546b318842cfd6ceeb
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Sun Dec 14 15:48:51 2014 +0100
Releasing debian version 3.4.0-3.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 7ca5077..ab49bed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tryton-server (3.4.0-3) unstable; urgency=medium
+
+ * Removing on purge also the data directory of tryton-server.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Sun, 14 Dec 2014 15:48:51 +0100
+
tryton-server (3.4.0-2) unstable; urgency=medium
* Adding path to the configuration file to the commands in the README.
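Review bot: the changelog entry states what changed but not why; the commit message cites the piuparts failure at https://piuparts.debian.org/sid/fail/tryton-server_3.4.0-2.log, and mentioning that failure here (or the piuparts check it fixes) helps anyone reading the changelog later.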
commit 15b13ae6a17b50a0561dd61c67cd31e60d315824
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Sun Dec 14 15:44:15 2014 +0100
Removing on purge also the data directory of tryton-server.
Fixes a piuparts error at
https://piuparts.debian.org/sid/fail/tryton-server_3.4.0-2.log
diff --git a/debian/tryton-server.postrm b/debian/tryton-server.postrm
index 0b2e109..4c11566 100644
--- a/debian/tryton-server.postrm
+++ b/debian/tryton-server.postrm
@@ -32,7 +32,7 @@ case "${1}" in
rm -f "${TRYTON_CONFFILEPRE34}"
# Removing (potentially) empty directories
- for _ITEM in "${TRYTON_CONFDIR}" "${TRYTON_LOGDIR}"
+ for _ITEM in "${TRYTON_CONFDIR}" "${TRYTON_LOGDIR}" "${TRYTON_HOMEDIR}"
do
rmdir --ignore-fail-on-non-empty ${_ITEM} > /dev/null 2>&1 || true
done
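Review bot: `${_ITEM}` in the rmdir line is unquoted, unlike the quoted entries in the for list above it; quote it (`rmdir --ignore-fail-on-non-empty "${_ITEM}" > /dev/null 2>&1 || true`) so a path containing whitespace is not word-split. Note also that --ignore-fail-on-non-empty only removes the home directory when it is empty, so a purge still leaves behind anything the server wrote there; if the intent stated in the commit message ("Removing on purge also the data directory") is to remove the directory and its contents, that needs an explicit removal in the purge case, otherwise the message should say that only an empty directory is removed.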
--
tryton-server