[tryton-debian-vcs] tryton-server branch debian-wheezy updated. debian/2.2.4-1-6-g3bf04ba

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Wed Aug 31 19:45:01 UTC 2016


The following commit has been merged in the debian-wheezy branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/2.2.4-1-6-g3bf04ba

commit 3bf04bac8f7698feb22c10441547a3ea2c55f6cc
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Aug 31 14:51:47 2016 +0200

    Releasing debian version 2.2.4-1+deb7u3.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index 6f8bfd2..d74d5f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tryton-server (2.2.4-1+deb7u3) wheezy-security; urgency=high
+
+  * CVE-2016-1242
+    Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Wed, 31 Aug 2016 14:49:27 +0200
+
 tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high
 
   * Adding patch 04-fix-strict-sequences.
commit 0b5b50ecf2ccdc8e7cfa79244235b7a62fdcfb2d
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Wed Aug 31 14:48:28 2016 +0200

    Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch.
    
    Fix for CVE-2016-1242 Sanitize path in file_open:
    file_open did not prevent the use of an up-level reference in a file name.
    A forged Report name could be used to open a file outside the root
    directory of trytond.

diff --git a/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch b/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch
new file mode 100644
index 0000000..72f7efa
--- /dev/null
+++ b/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch
@@ -0,0 +1,65 @@
+Description: Fix for CVE-2016-1242 Sanitize path in file_open
+ file_open did not prevent to use an up-level reference in a file name.
+ A forged Report name could be used to open a file outside the root
+ directory of trytond.
+Author: Cédric Krier <ced at b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/28691002/
+Bug: https://bugs.tryton.org/issue5808
+Forwarded: not-needed
+Last-Update: 2016-08-31
+
+--- tryton-server-2.2.4.orig/trytond/tools/misc.py
++++ tryton-server-2.2.4/trytond/tools/misc.py
+@@ -77,6 +77,14 @@ def file_open(name, mode="r", subdir='mo
+     from trytond.modules import EGG_MODULES
+     root_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+ 
++    def secure_join(root, *paths):
++        "Join paths and ensure it still below root"
++        path = os.path.join(root, *paths)
++        path = os.path.normpath(path)
++        if not path.startswith(root):
++            raise IOError("Permission denied: %s" % name)
++        return path
++
+     egg_name = False
+     if subdir == 'modules':
+         module_name = name.split(os.sep)[0]
+@@ -84,19 +92,19 @@ def file_open(name, mode="r", subdir='mo
+             epoint = EGG_MODULES[module_name]
+             mod_path = os.path.join(epoint.dist.location,
+                     *epoint.module_name.split('.')[:-1])
+-            egg_name = os.path.join(mod_path, name)
++            egg_name = secure_join(mod_path, name)
+             if not os.path.isfile(egg_name):
+                 # Find module in path
+                 for path in sys.path:
+                     mod_path = os.path.join(path,
+                             *epoint.module_name.split('.')[:-1])
+-                    egg_name = os.path.join(mod_path, name)
++                    egg_name = secure_join(mod_path, name)
+                     if os.path.isfile(egg_name):
+                         break
+                 if not os.path.isfile(egg_name):
+                     # When testing modules from setuptools location is the
+                     # module directory
+-                    egg_name = os.path.join(
++                    egg_name = secure_join(
+                         os.path.dirname(epoint.dist.location), name)
+ 
+     if subdir:
+@@ -106,11 +114,11 @@ def file_open(name, mode="r", subdir='mo
+                     or name.startswith('res' + os.sep) \
+                     or name.startswith('webdav' + os.sep) \
+                     or name.startswith('test' + os.sep)):
+-            name = os.path.join(root_path, name)
++            name = secure_join(root_path, name)
+         else:
+-            name = os.path.join(root_path, subdir, name)
++            name = secure_join(root_path, subdir, name)
+     else:
+-        name = os.path.join(root_path, name)
++        name = secure_join(root_path, name)
+ 
+     for i in (name, egg_name):
+         if i and os.path.isfile(i):
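Review bot: The containment check in the new `secure_join` helper, `if not path.startswith(root):`, is a plain string-prefix test rather than a path-component test, so a normalized path that lands in a sibling directory whose name merely begins with `root` (constructed example: root `/srv/trytond`, result `/srv/trytond-old/x`) is accepted as "below root". The helper also normalizes `path` but not `root`; `root` is built from `epoint.dist.location` or raw `sys.path` entries, and if such an entry carries a `.`, `..` or trailing separator the comparison could fail spuriously and raise the `IOError` for a legitimate file (inferred from the call sites in this hunk; the exact contents of those entries are not visible here). A component-wise check that normalizes both sides would be `root = os.path.normpath(root)`, `path = os.path.normpath(os.path.join(root, *paths))`, `if path != root and not path.startswith(root + os.sep):`. Note that `normpath` alone does not follow symlinks, so a symlink inside root still escapes; `os.path.realpath` on both sides would close that but changes which string is returned to callers, so it should be weighed separately. The enclosing `file_open` starts before this hunk and continues after it.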
diff --git a/debian/patches/series b/debian/patches/series
index 0f0df0f..156f7b6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02-support-pywebdav-0.9.8
 03-fix-safe_eval
 04-fix-strict-sequences
+05-CVE-2016-1242_sanitize_path_in_file_open.patch