[tryton-debian-vcs] tryton-server branch debian-jessie updated. debian/3.4.0-3+deb8u2-2-g4304339
Mathias Behrle
tryton-debian-vcs at alioth.debian.org
Tue Apr 4 07:32:01 UTC 2017
The following commit has been merged in the debian-jessie branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/3.4.0-3+deb8u2-2-g4304339
commit 43043390fb116624c1885290c7aae01ac8c90389
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Mar 28 12:30:22 2017 +0200
Releasing debian version 3.4.0-3+deb8u3.
Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>
diff --git a/debian/changelog b/debian/changelog
index fcce847..5d2e6be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tryton-server (3.4.0-3+deb8u3) jessie-security; urgency=high
+
+ * Add 05_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
+ Sanitize path in file_open against suffix.
+ The patch for CVE-2016-1242 did not cover all cases. Indeed there
+ is a case where an external file could be retrieved if it is stored in a
+ folder next to the root of trytond starting with the same name but
+ with a suffix. Example: '../trytond_suffix'.
+
+ -- Mathias Behrle <mathiasb at m9s.biz> Tue, 28 Mar 2017 12:28:15 +0200
+
tryton-server (3.4.0-3+deb8u2) jessie-security; urgency=high
* Adapting the release of the last changelog entry to be in sync with
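Review bot: The new changelog entry describes the uncovered case but cites neither the upstream issue nor the review that the patch header itself carries (`Bug: https://bugs.tryton.org/issue6361`, `Origin: upstream, https://tryton-rietveld.appspot.com/33191002`); adding one of those references after "(CVE-2017-0360)." would let readers of the changelog trace the fix without opening the patch file.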
commit 70f226d72967f62377908601d233198e242dcb66
Author: Mathias Behrle <mathiasb at m9s.biz>
Date: Tue Mar 28 12:26:59 2017 +0200
Add 05_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
Sanitize path in file_open against suffix.
The patch for CVE-2016-1242 did not cover all cases. Indeed there
is a case where an external file could be retrieved if it is stored in a
folder next to the root of trytond starting with the same name but with a
suffix. Example: '../trytond_suffix'.
diff --git a/debian/patches/05_CVE-2017-0360_sanitize_file_open.patch b/debian/patches/05_CVE-2017-0360_sanitize_file_open.patch
new file mode 100644
index 0000000..79e496a
--- /dev/null
+++ b/debian/patches/05_CVE-2017-0360_sanitize_file_open.patch
@@ -0,0 +1,35 @@
+Description: Sanitize path in file_open against suffix (CVE-2017-0360).
+ The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
+ case where an external file could be retrieved if it is stored in a folder
+ next to the root of trytond starting with the same name but with a suffix.
+ Example: '../trytond_suffix'.
+Author: Cédric Krier <cedric.krier at b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/33191002
+Bug: https://bugs.tryton.org/issue6361
+Last-Update: 2017-03-28
+
+--- tryton-server.orig/trytond/tests/test_tools.py 2017-03-28 12:23:39.814842416 +0200
++++ tryton-server/trytond/tests/test_tools.py 2017-03-28 12:23:39.814842416 +0200
+@@ -111,6 +111,11 @@
+ self.assertEqual(reduce_domain(i), j,
+ '%s -> %s != %s' % (i, reduce_domain(i), j))
+
++ def test_file_open_suffix(self):
++ "Test file_open from same root name but with a suffix"
++ with self.assertRaisesRegexp(IOError, "Permission denied:"):
++ file_open('../trytond_suffix', subdir=None)
++
+
+ def suite():
+ func = unittest.TestLoader().loadTestsFromTestCase
+--- tryton-server.orig/trytond/tools/misc.py 2017-03-28 12:23:39.814842416 +0200
++++ tryton-server/trytond/tools/misc.py 2017-03-28 12:23:39.814842416 +0200
+@@ -60,7 +60,7 @@
+ "Join paths and ensure it still below root"
+ path = os.path.join(root, *paths)
+ path = os.path.normpath(path)
+- if not path.startswith(root):
++ if not path.startswith(os.path.join(root, '')):
+ raise IOError("Permission denied: %s" % name)
+ return path
+
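Review bot: The changed check in misc.py, `if not path.startswith(os.path.join(root, '')):`, correctly rejects a sibling directory that merely shares root's name as a prefix, but it still relies on `root` being in the same normalized form that `os.path.normpath(path)` produces; if `root` contains a redundant separator or `..` component the prefix comparison fails and every open is denied, so normalizing `root` on the same line (for example `root = os.path.normpath(root)` before the join) would make the comparison robust. Note also the behaviour change for the root itself: `normpath` strips a trailing separator, so a `path` equal to `root` no longer starts with `root + os.sep` and now raises "Permission denied"; if opening the root directory is meant to stay allowed, the condition needs an explicit `path == root or ...` branch, and the new test `test_file_open_suffix` only exercises the rejection path, so a positive test for a legitimate path under root would guard against that regression.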
diff --git a/debian/patches/series b/debian/patches/series
index bc60feb..47262b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
02-CVE-2015-0861_field_access_on_multi_write.patch
03-CVE-2016-1241_prevent_read_of_password_hash.patch
04-CVE-2016-1242_sanitize_path_in_file_open.patch
+05_CVE-2017-0360_sanitize_file_open.patch
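Review bot: The new entry `05_CVE-2017-0360_sanitize_file_open.patch` uses an underscore after the number while the three existing entries in series use a hyphen (`04-CVE-2016-1242_sanitize_path_in_file_open.patch`); renaming the new patch to `05-CVE-2017-0360_sanitize_file_open.patch` in both series and debian/patches would keep the naming convention consistent.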