[tryton-debian-vcs] tryton-server branch debian-jessie-3.4 updated. debian/3.4.13-1-2-ge07f995

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Aug 30 14:17:30 UTC 2016


The following commit has been merged in the debian-jessie-3.4 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.4.13-1-2-ge07f995

commit e07f99556cd494e640ca84ae3292b2be60838fd7
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Aug 30 15:04:15 2016 +0200

    Releasing debian version 3.4.14-1.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index 27373c3..c10c9f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tryton-server (3.4.14-1) unstable; urgency=high
+
+  * Merging upstream version 3.4.14.
+  * CVE-2016-1241 Prevent read of password hash.
+  * CVE-2016-1242 Sanitize path in file_open.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Tue, 30 Aug 2016 15:04:15 +0200
+
 tryton-server (3.4.13-1) unstable; urgency=medium
 
   * Merging upstream version 3.4.13.
commit 606b1caaf985dca9081c0e41dce333f6dc586fc6
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Aug 30 15:04:14 2016 +0200

    Merging upstream version 3.4.14.

diff --git a/CHANGELOG b/CHANGELOG
index 56e4788..f8a5d3b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+Version 3.4.14 - 2016-08-30
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open (CVE-2016-1242)
+* Prevent read of user password hash (CVE-2016-1241)
+
 Version 3.4.13 - 2016-07-04
 * Bug fixes (see mercurial logs for details)
 
diff --git a/PKG-INFO b/PKG-INFO
index a2bd8d1..96c5b05 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.4.13
+Version: 3.4.14
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index a2bd8d1..96c5b05 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: trytond
-Version: 3.4.13
+Version: 3.4.14
 Summary: Tryton server
 Home-page: http://www.tryton.org/
 Author: Tryton
diff --git a/trytond/ir/sequence.py b/trytond/ir/sequence.py
index 93bae63..1e88aad 100644
--- a/trytond/ir/sequence.py
+++ b/trytond/ir/sequence.py
@@ -149,7 +149,7 @@ class Sequence(ModelSQL, ModelView):
 
     @staticmethod
     def default_last_timestamp():
-        return 0.0
+        return 0
 
     @staticmethod
     def default_code():
@@ -233,7 +233,8 @@ class Sequence(ModelSQL, ModelView):
 
         for sequence in sequences:
             next_timestamp = cls._timestamp(sequence)
-            if sequence.last_timestamp > next_timestamp:
+            if (sequence.last_timestamp is not None
+                    and sequence.last_timestamp > next_timestamp):
                 cls.raise_user_error('future_last_timestamp', (
                         sequence.rec_name,))
 
diff --git a/trytond/model/fields/many2many.py b/trytond/model/fields/many2many.py
index 46f4da5..d42cecf 100644
--- a/trytond/model/fields/many2many.py
+++ b/trytond/model/fields/many2many.py
@@ -159,11 +159,13 @@ class Many2Many(Field):
                         (self.target, 'in', list(sub_ids)),
                         ])
                 for relation in relations:
-                    existing_ids.add(getattr(relation, self.target).id)
+                    existing_ids.add((
+                            getattr(relation, self.origin).id,
+                            getattr(relation, self.target).id))
             for new_id in target_ids:
-                if new_id in existing_ids:
-                    continue
                 for record_id in ids:
+                    if (record_id, new_id) in existing_ids:
+                        continue
                     relation_to_create.append({
                             self.origin: field_value(record_id),
                             self.target: new_id,
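Review bot: `existing_ids` now holds `(origin_id, target_id)` pairs rather than target ids, so the name at `existing_ids.add((` and in the `if (record_id, new_id) in existing_ids:` test misleads; renaming it to `existing_pairs` keeps the deduplication intent visible. A one-line comment above the inner loop would also explain why the check moved inside it, e.g. `# key by (origin, target): a target may already be linked to some of ids but not others`. The `relation_to_create.append(` statement and the enclosing method continue outside the hunk, and the set is presumably initialised before the hunk starts.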
diff --git a/trytond/model/modelsql.py b/trytond/model/modelsql.py
index e56c2b2..6642f53 100644
--- a/trytond/model/modelsql.py
+++ b/trytond/model/modelsql.py
@@ -639,11 +639,13 @@ class ModelSQL(ModelStorage):
                             _datetime=row[datetime_field]):
                         date_results = field.get([row['id']], cls, field_list,
                             values=[row])
-                    for fname, date_result in date_results.iteritems():
+                    for fname in field_list:
+                        date_result = date_results[fname]
                         row[fname] = date_result[row['id']]
             else:
                 getter_results = field.get(ids, cls, field_list, values=result)
-                for fname, getter_result in getter_results.iteritems():
+                for fname in field_list:
+                    getter_result = getter_results[fname]
                     for row in result:
                         row[fname] = getter_result[row['id']]
 
diff --git a/trytond/res/user.py b/trytond/res/user.py
index 1af1ce3..f7dd7e2 100644
--- a/trytond/res/user.py
+++ b/trytond/res/user.py
@@ -226,6 +226,14 @@ class User(ModelSQL, ModelView):
         return vals
 
     @classmethod
+    def read(cls, ids, fields_names=None):
+        result = super(User, cls).read(ids, fields_names=fields_names)
+        if not fields_names or 'password_hash' in fields_names:
+            for values in result:
+                values['password_hash'] = None
+        return result
+
+    @classmethod
     def create(cls, vlist):
         vlist = [cls._convert_vals(vals) for vals in vlist]
         res = super(User, cls).create(vlist)
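Review bot: The new `read` override masks the hash only on the read path; if `password_hash` is still a searchable field, `search` with a domain such as `('password_hash', 'like', 'x%')` (and anything built on top of it, e.g. `search_count`) can still disclose the stored hash one character at a time — the field definition is outside this hunk, so confirm it is excluded from search or strip such clauses in a `search` override. The method also deserves a docstring, e.g. `"Never return the password hash to clients; it is masked regardless of the caller's access rights."`, plus a note that the key is kept with an explicit `None` so clients that asked for the field do not hit a missing key. Masking with `None` rather than deleting the key is fine, but callers inside the server that need the real hash must bypass `read` (presumably via direct SQL or `_get_login`), which is worth stating next to the override. The `User` class is defined outside the hunk.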
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 39fc673..598f25a 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -58,6 +58,14 @@ def file_open(name, mode="r", subdir='modules'):
     root_path = os.path.dirname(os.path.dirname(os.path.abspath(
                 unicode(__file__, sys.getfilesystemencoding()))))
 
+    def secure_join(root, *paths):
+        "Join paths and ensure it still below root"
+        path = os.path.join(root, *paths)
+        path = os.path.normpath(path)
+        if not path.startswith(root):
+            raise IOError("Permission denied: %s" % name)
+        return path
+
     egg_name = False
     if subdir == 'modules':
         module_name = name.split(os.sep)[0]
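Review bot: The containment test at `if not path.startswith(root):` is a plain string-prefix check, so a name such as `../trytond-old/x` joined under root `/opt/trytond` normalises to `/opt/trytond-old/x`, still starts with the root string, and is accepted; an un-normalised root (trailing separator or `..` components, which `epoint.dist.location` may carry) can likewise disagree with the normalised join. Normalise the root first and require a separator boundary: `root = os.path.normpath(root)`, `path = os.path.normpath(os.path.join(root, *paths))`, `if path != root and not path.startswith(root + os.sep):`. Neither form resolves symlinks, so a link inside root can still point outside it; if that matters here, compare `os.path.realpath` values instead, and say so in the docstring. `file_open` begins before this hunk.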
@@ -65,19 +73,19 @@ def file_open(name, mode="r", subdir='modules'):
             epoint = EGG_MODULES[module_name]
             mod_path = os.path.join(epoint.dist.location,
                     *epoint.module_name.split('.')[:-1])
-            egg_name = os.path.join(mod_path, name)
+            egg_name = secure_join(mod_path, name)
             if not os.path.isfile(egg_name):
                 # Find module in path
                 for path in sys.path:
                     mod_path = os.path.join(path,
                             *epoint.module_name.split('.')[:-1])
-                    egg_name = os.path.join(mod_path, name)
+                    egg_name = secure_join(mod_path, name)
                     if os.path.isfile(egg_name):
                         break
                 if not os.path.isfile(egg_name):
                     # When testing modules from setuptools location is the
                     # module directory
-                    egg_name = os.path.join(
+                    egg_name = secure_join(
                         os.path.dirname(epoint.dist.location), name)
 
     if subdir:
@@ -86,11 +94,11 @@ def file_open(name, mode="r", subdir='modules'):
                     or name.startswith('res' + os.sep)
                     or name.startswith('webdav' + os.sep)
                     or name.startswith('tests' + os.sep))):
-            name = os.path.join(root_path, name)
+            name = secure_join(root_path, name)
         else:
-            name = os.path.join(root_path, subdir, name)
+            name = secure_join(root_path, subdir, name)
     else:
-        name = os.path.join(root_path, name)
+        name = secure_join(root_path, name)
 
     for i in (name, egg_name):
         if i and os.path.isfile(i):
diff --git a/trytond/version.py b/trytond/version.py
index 98f96ac..f0cecd6 100644
--- a/trytond/version.py
+++ b/trytond/version.py
@@ -1,6 +1,6 @@
 #This file is part of Tryton.  The COPYRIGHT file at the top level of
 #this repository contains the full copyright notices and license terms.
 PACKAGE = "trytond"
-VERSION = "3.4.13"
+VERSION = "3.4.14"
 LICENSE = "GPL-3"
 WEBSITE = "http://www.tryton.org/"