[tryton-debian-vcs] tryton-server branch debian-jessie updated. debian/3.4.0-3+deb8u1-4-g6ddb6e4
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Tue Aug 30 14:18:13 UTC 2016
The following commit has been merged in the debian-jessie branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.4.0-3+deb8u1-4-g6ddb6e4
commit 6ddb6e43ec552e303f378d87fea506b1de9abc2c
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Fri Aug 26 12:15:32 2016 +0200
Releasing debian version 3.4.0-3+deb8u2.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index bebbbb5..fcce847 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tryton-server (3.4.0-3+deb8u2) jessie-security; urgency=high
+
+ * Adapting the release of the last changelog entry to be in sync with
+ the archive.
+ * CVE-2016-1241
+ Adding patch 03-CVE-2016-1241_prevent_read_of_password_hash.patch.
+ * CVE-2016-1242
+ Adding 04-CVE-2016-1242_sanitize_path_in_file_open.patch.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Fri, 26 Aug 2016 12:07:53 +0200
+
tryton-server (3.4.0-3+deb8u1) jessie-security; urgency=high
* Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch.
commit 148be893ed38964a6dd68c8b5714ebffc910c04d
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Thu Aug 25 13:43:13 2016 +0200
Adding 04-CVE-2016-1242_sanitize_path_in_file_open.patch.
Fix for CVE-2016-1242 Sanitize path in file_open:
file_open did not prevent the use of an up-level reference in a file name.
A forged Report name could be used to open a file outside the root
directory of trytond.
diff --git a/debian/patches/04-CVE-2016-1242_sanitize_path_in_file_open.patch b/debian/patches/04-CVE-2016-1242_sanitize_path_in_file_open.patch
new file mode 100644
index 0000000..2cc4128
--- /dev/null
+++ b/debian/patches/04-CVE-2016-1242_sanitize_path_in_file_open.patch
@@ -0,0 +1,65 @@
+Description: Fix for CVE-2016-1242 Sanitize path in file_open
+ file_open did not prevent to use an up-level reference in a file name.
+ A forged Report name could be used to open a file outside the root
+ directory of trytond.
+Author: Cédric Krier <ced at b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/28691002/
+Bug: https://bugs.tryton.org/issue5808
+Forwarded: not-needed
+Last-Update: 2016-08-25
+
+--- tryton-server-3.4.0.orig/trytond/tools/misc.py
++++ tryton-server-3.4.0/trytond/tools/misc.py
+@@ -56,6 +56,14 @@ def file_open(name, mode="r", subdir='mo
+ root_path = os.path.dirname(os.path.dirname(os.path.abspath(
+ unicode(__file__, sys.getfilesystemencoding()))))
+
++ def secure_join(root, *paths):
++ "Join paths and ensure it still below root"
++ path = os.path.join(root, *paths)
++ path = os.path.normpath(path)
++ if not path.startswith(root):
++ raise IOError("Permission denied: %s" % name)
++ return path
++
+ egg_name = False
+ if subdir == 'modules':
+ module_name = name.split(os.sep)[0]
+@@ -63,19 +71,19 @@ def file_open(name, mode="r", subdir='mo
+ epoint = EGG_MODULES[module_name]
+ mod_path = os.path.join(epoint.dist.location,
+ *epoint.module_name.split('.')[:-1])
+- egg_name = os.path.join(mod_path, name)
++ egg_name = secure_join(mod_path, name)
+ if not os.path.isfile(egg_name):
+ # Find module in path
+ for path in sys.path:
+ mod_path = os.path.join(path,
+ *epoint.module_name.split('.')[:-1])
+- egg_name = os.path.join(mod_path, name)
++ egg_name = secure_join(mod_path, name)
+ if os.path.isfile(egg_name):
+ break
+ if not os.path.isfile(egg_name):
+ # When testing modules from setuptools location is the
+ # module directory
+- egg_name = os.path.join(
++ egg_name = secure_join(
+ os.path.dirname(epoint.dist.location), name)
+
+ if subdir:
+@@ -84,11 +92,11 @@ def file_open(name, mode="r", subdir='mo
+ or name.startswith('res' + os.sep)
+ or name.startswith('webdav' + os.sep)
+ or name.startswith('tests' + os.sep))):
+- name = os.path.join(root_path, name)
++ name = secure_join(root_path, name)
+ else:
+- name = os.path.join(root_path, subdir, name)
++ name = secure_join(root_path, subdir, name)
+ else:
+- name = os.path.join(root_path, name)
++ name = secure_join(root_path, name)
+
+ for i in (name, egg_name):
+ if i and os.path.isfile(i):
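Review bot: `secure_join` (the added block near the top of the hunk) decides containment with a bare prefix test, `path.startswith(root)`, so a normalized path that lands in a sibling directory whose name merely begins with the root's name (root plus a suffix, no separator) still passes, and `root` itself is never normalized, so a root carrying a `.` component or a trailing separator makes the comparison fail or succeed for the wrong reason. Normalize both sides and require a separator boundary: `root = os.path.normpath(root)`, `path = os.path.normpath(os.path.join(root, *paths))`, `if path != root and not path.startswith(root + os.sep):`. `normpath` does not resolve symlinks, so this stays a lexical check, which matches the forged-name case the commit message describes. The enclosing `file_open` starts before the hunk and continues after it.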
diff --git a/debian/patches/series b/debian/patches/series
index 583dd8d..bc60feb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
01_migrate_obsolete_ldap_connection
02-CVE-2015-0861_field_access_on_multi_write.patch
03-CVE-2016-1241_prevent_read_of_password_hash.patch
+04-CVE-2016-1242_sanitize_path_in_file_open.patch
commit 4e11b39af448cc4498ca0685e7c38d6284fa22d6
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Thu Aug 25 13:24:59 2016 +0200
Adding patch 03-CVE-2016-1241_prevent_read_of_password_hash.patch.
Fix for CVE-2016-1241 Prevent read of user password hash:
When the password_hash field was added (upstream changeset c9be44cd05e1)
it didn't receive the same hiding protection as the password field.
This allows any authenticated user to read the hash of any other
user.
diff --git a/debian/patches/03-CVE-2016-1241_prevent_read_of_password_hash.patch b/debian/patches/03-CVE-2016-1241_prevent_read_of_password_hash.patch
new file mode 100644
index 0000000..91c6d1b
--- /dev/null
+++ b/debian/patches/03-CVE-2016-1241_prevent_read_of_password_hash.patch
@@ -0,0 +1,50 @@
+Description: Fix for CVE-2016-1241 Prevent read of user password hash
+ When the password_hash field was added (upstream changeset c9be44cd05e1)
+ it didn't receive the same hiding protection as the password field.
+ This allows any authenticated user to read the hash of any other user.
+Author: Cédric Krier <ced at b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/32441002
+Bug: https://bugs.tryton.org/issue5795
+Forwarded: not-needed
+Last-Update: 2016-08-25
+
+--- tryton-server-3.4.0.orig/trytond/res/user.py
++++ tryton-server-3.4.0/trytond/res/user.py
+@@ -225,6 +225,14 @@ class User(ModelSQL, ModelView):
+ return vals
+
+ @classmethod
++ def read(cls, ids, fields_names=None):
++ result = super(User, cls).read(ids, fields_names=fields_names)
++ if not fields_names or 'password_hash' in fields_names:
++ for values in result:
++ values['password_hash'] = None
++ return result
++
++ @classmethod
+ def create(cls, vlist):
+ vlist = [cls._convert_vals(vals) for vals in vlist]
+ res = super(User, cls).create(vlist)
+--- tryton-server-3.4.0.orig/trytond/tests/test_user.py
++++ tryton-server-3.4.0/trytond/tests/test_user.py
+@@ -29,6 +29,7 @@ class UserTestCase(unittest.TestCase):
+ self.user.write([user], {
+ 'password': password,
+ })
++ return user
+
+ def check_user(self, login, password):
+ user, = self.user.search([('login', '=', login)])
+@@ -57,6 +58,12 @@ class UserTestCase(unittest.TestCase):
+ self.create_user('user', '12345', 'bcrypt')
+ self.check_user('user', '12345')
+
++ @with_transaction()
++ def test_read_password_hash(self):
++ "Test password_hash can not be read"
++ user = self.create_user('user', '12345')
++ self.assertIsNone(user.password_hash)
++
+
+ def suite():
+ return unittest.TestLoader().loadTestsFromTestCase(UserTestCase)
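Review bot: The new `User.read` override in the first hunk of the embedded patch has no docstring; add `"Blank out password_hash in read results, mirroring the hiding applied to password."` so a maintainer knows the `None` is deliberate masking rather than a missing value. The override masks the value only after `super(User, cls).read` has already fetched it, so any read path that does not go through `cls.read` would still return the hash; whether other accessors in this version delegate to `read` is not visible from this hunk and should be confirmed. The added `test_read_password_hash` checks `user.password_hash` on the record returned by `create_user`, which exercises attribute access on a fresh instance; an explicit `self.assertIsNone(User.read([user.id], ['password_hash'])[0]['password_hash'])` would pin the guarded path directly. Both `User` and `UserTestCase` start outside the hunk.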
diff --git a/debian/patches/series b/debian/patches/series
index adb283a..583dd8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
01_migrate_obsolete_ldap_connection
02-CVE-2015-0861_field_access_on_multi_write.patch
+03-CVE-2016-1241_prevent_read_of_password_hash.patch
commit ba49ef0d13188aabb20e5a7fe3b87302eb398684
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Fri Aug 26 12:06:46 2016 +0200
Adapting the release of the last changelog entry to be in sync with the archive.
diff --git a/debian/changelog b/debian/changelog
index 8a02529..bebbbb5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-tryton-server (3.4.0-3+deb8u1) stable-security; urgency=high
+tryton-server (3.4.0-3+deb8u1) jessie-security; urgency=high
* Adding patch 02-CVE-2015-0861_field_access_on_multi_write.patch.
Field access was only checked for the field defined in the first