[tryton-debian-vcs] tryton-server branch debian-stretch-3.6 updated. debian/3.6.11-1-2-g472334c
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Tue Aug 30 14:17:30 UTC 2016
The following commit has been merged in the debian-stretch-3.6 branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.6.11-1-2-g472334c
commit 472334ce7c11e23e9a2044df19d1dcaaeb629314
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Aug 30 15:05:45 2016 +0200
Releasing debian version 3.6.12-1.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index 92e41e6..6b4580d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tryton-server (3.6.12-1) unstable; urgency=high
+
+ * Merging upstream version 3.6.12.
+ * CVE-2016-1241 Prevent read of password hash.
+ * CVE-2016-1242 Sanitize path in file_open.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Tue, 30 Aug 2016 15:05:45 +0200
+
tryton-server (3.6.11-1) unstable; urgency=medium
* Merging upstream version 3.6.11.
commit 4382acad7e692f261f489ecc8ae183292c79ea74
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Aug 30 15:05:45 2016 +0200
Merging upstream version 3.6.12.
diff --git a/CHANGELOG b/CHANGELOG
index cc34def..a5a5204 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+Version 3.6.12 - 2016-08-30
+* Bug fixes (see mercurial logs for details)
+* Sanitize path in file_open (CVE-2016-1242)
+* Prevent read of user password hash (CVE-2016-1241)
+
Version 3.6.11 - 2016-08-02
* Bug fixes (see mercurial logs for details)
diff --git a/PKG-INFO b/PKG-INFO
index 4c25661..6161dd2 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.6.11
+Version: 3.6.12
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond.egg-info/PKG-INFO b/trytond.egg-info/PKG-INFO
index 4c25661..6161dd2 100644
--- a/trytond.egg-info/PKG-INFO
+++ b/trytond.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: trytond
-Version: 3.6.11
+Version: 3.6.12
Summary: Tryton server
Home-page: http://www.tryton.org/
Author: Tryton
diff --git a/trytond/__init__.py b/trytond/__init__.py
index 813badd..4232853 100644
--- a/trytond/__init__.py
+++ b/trytond/__init__.py
@@ -4,7 +4,7 @@ import os
import time
from email import charset
-__version__ = "3.6.11"
+__version__ = "3.6.12"
os.environ['TZ'] = 'UTC'
if hasattr(time, 'tzset'):
diff --git a/trytond/ir/sequence.py b/trytond/ir/sequence.py
index ab2edaa..fd168c3 100644
--- a/trytond/ir/sequence.py
+++ b/trytond/ir/sequence.py
@@ -149,7 +149,7 @@ class Sequence(ModelSQL, ModelView):
@staticmethod
def default_last_timestamp():
- return 0.0
+ return 0
@staticmethod
def default_code():
@@ -247,7 +247,8 @@ class Sequence(ModelSQL, ModelView):
for sequence in sequences:
next_timestamp = cls._timestamp(sequence)
- if sequence.last_timestamp > next_timestamp:
+ if (sequence.last_timestamp is not None
+ and sequence.last_timestamp > next_timestamp):
cls.raise_user_error('future_last_timestamp', (
sequence.rec_name,))
diff --git a/trytond/model/fields/many2many.py b/trytond/model/fields/many2many.py
index 7816f26..8eccf7d 100644
--- a/trytond/model/fields/many2many.py
+++ b/trytond/model/fields/many2many.py
@@ -160,11 +160,13 @@ class Many2Many(Field):
(self.target, 'in', list(sub_ids)),
])
for relation in relations:
- existing_ids.add(getattr(relation, self.target).id)
+ existing_ids.add((
+ getattr(relation, self.origin).id,
+ getattr(relation, self.target).id))
for new_id in target_ids:
- if new_id in existing_ids:
- continue
for record_id in ids:
+ if (record_id, new_id) in existing_ids:
+ continue
relation_to_create.append({
self.origin: field_value(record_id),
self.target: new_id,
diff --git a/trytond/model/modelsql.py b/trytond/model/modelsql.py
index e53598e..9beae39 100644
--- a/trytond/model/modelsql.py
+++ b/trytond/model/modelsql.py
@@ -657,11 +657,13 @@ class ModelSQL(ModelStorage):
_datetime=row[datetime_field]):
date_results = field.get([row['id']], cls, field_list,
values=[row])
- for fname, date_result in date_results.iteritems():
+ for fname in field_list:
+ date_result = date_results[fname]
row[fname] = date_result[row['id']]
else:
getter_results = field.get(ids, cls, field_list, values=result)
- for fname, getter_result in getter_results.iteritems():
+ for fname in field_list:
+ getter_result = getter_results[fname]
for row in result:
row[fname] = getter_result[row['id']]
diff --git a/trytond/model/modelstorage.py b/trytond/model/modelstorage.py
index 0d447dc..e88b15c 100644
--- a/trytond/model/modelstorage.py
+++ b/trytond/model/modelstorage.py
@@ -1421,46 +1421,49 @@ class ModelStorage(Model):
@dualmethod
def save(cls, records):
- if not records:
- return
- values = {}
- save_values = {}
- to_create = []
- to_write = []
- cursor = records[0]._cursor
- user = records[0]._user
- context = records[0]._context
- for record in records:
- assert cursor == record._cursor
- assert user == record._user
- assert context == record._context
- save_values[record] = record._save_values
- values[record] = record._values
- record._values = None
- if record.id is None or record.id < 0:
- to_create.append(record)
- elif save_values[record]:
- to_write.append(record)
- transaction = Transaction()
- try:
- with transaction.set_cursor(cursor), \
- transaction.set_user(user), \
- transaction.set_context(context):
- if to_create:
- news = cls.create([save_values[r] for r in to_create])
- for record, new in izip(to_create, news):
- record._ids.remove(record.id)
- record.id = new.id
- record._ids.append(record.id)
- if to_write:
- cls.write(*sum(
- (([r], save_values[r]) for r in to_write), ()))
- except:
+ while records:
+ latter = []
+ values = {}
+ save_values = {}
+ to_create = []
+ to_write = []
+ cursor = records[0]._cursor
+ user = records[0]._user
+ context = records[0]._context
for record in records:
- record._values = values[record]
- raise
- for record in records:
- record._init_values = None
+ if (record._cursor != cursor
+ or user != record._user
+ or context != record._context):
+ latter.append(record)
+ continue
+ save_values[record] = record._save_values
+ values[record] = record._values
+ record._values = None
+ if record.id is None or record.id < 0:
+ to_create.append(record)
+ elif save_values[record]:
+ to_write.append(record)
+ transaction = Transaction()
+ try:
+ with transaction.set_cursor(cursor), \
+ transaction.set_user(user), \
+ transaction.set_context(context):
+ if to_create:
+ news = cls.create([save_values[r] for r in to_create])
+ for record, new in izip(to_create, news):
+ record._ids.remove(record.id)
+ record.id = new.id
+ record._ids.append(record.id)
+ if to_write:
+ cls.write(*sum(
+ (([r], save_values[r]) for r in to_write), ()))
+ except:
+ for record in to_create + to_write:
+ record._values = values[record]
+ raise
+ for record in to_create + to_write:
+ record._init_values = None
+ records = latter
class EvalEnvironment(dict):
diff --git a/trytond/res/user.py b/trytond/res/user.py
index a61afc6..794251d 100644
--- a/trytond/res/user.py
+++ b/trytond/res/user.py
@@ -227,6 +227,14 @@ class User(ModelSQL, ModelView):
return vals
@classmethod
+ def read(cls, ids, fields_names=None):
+ result = super(User, cls).read(ids, fields_names=fields_names)
+ if not fields_names or 'password_hash' in fields_names:
+ for values in result:
+ values['password_hash'] = None
+ return result
+
+ @classmethod
def create(cls, vlist):
vlist = [cls._convert_vals(vals) for vals in vlist]
res = super(User, cls).create(vlist)
diff --git a/trytond/tools/misc.py b/trytond/tools/misc.py
index 1951bd2..d85bef3 100644
--- a/trytond/tools/misc.py
+++ b/trytond/tools/misc.py
@@ -57,6 +57,14 @@ def file_open(name, mode="r", subdir='modules'):
root_path = os.path.dirname(os.path.dirname(os.path.abspath(
unicode(__file__, sys.getfilesystemencoding()))))
+ def secure_join(root, *paths):
+ "Join paths and ensure it still below root"
+ path = os.path.join(root, *paths)
+ path = os.path.normpath(path)
+ if not path.startswith(root):
+ raise IOError("Permission denied: %s" % name)
+ return path
+
egg_name = False
if subdir == 'modules':
module_name = name.split(os.sep)[0]
@@ -64,19 +72,19 @@ def file_open(name, mode="r", subdir='modules'):
epoint = EGG_MODULES[module_name]
mod_path = os.path.join(epoint.dist.location,
*epoint.module_name.split('.')[:-1])
- egg_name = os.path.join(mod_path, name)
+ egg_name = secure_join(mod_path, name)
if not os.path.isfile(egg_name):
# Find module in path
for path in sys.path:
mod_path = os.path.join(path,
*epoint.module_name.split('.')[:-1])
- egg_name = os.path.join(mod_path, name)
+ egg_name = secure_join(mod_path, name)
if os.path.isfile(egg_name):
break
if not os.path.isfile(egg_name):
# When testing modules from setuptools location is the
# module directory
- egg_name = os.path.join(
+ egg_name = secure_join(
os.path.dirname(epoint.dist.location), name)
if subdir:
@@ -85,11 +93,11 @@ def file_open(name, mode="r", subdir='modules'):
or name.startswith('res' + os.sep)
or name.startswith('webdav' + os.sep)
or name.startswith('tests' + os.sep))):
- name = os.path.join(root_path, name)
+ name = secure_join(root_path, name)
else:
- name = os.path.join(root_path, subdir, name)
+ name = secure_join(root_path, subdir, name)
else:
- name = os.path.join(root_path, name)
+ name = secure_join(root_path, name)
for i in (name, egg_name):
if i and os.path.isfile(i):
--
tryton-server
More information about the tryton-debian-vcs
mailing list