[tryton-debian-vcs] tryton-server branch debian-stretch created. debian/4.2.1-2

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Tue Apr 4 07:32:32 UTC 2017


The following commit has been merged in the debian-stretch branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/tryton-server.git;a=commitdiff;h=debian/4.2.1-2
commit 98e291935f58698dea9494af829b233e9a85e6ae
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Mar 28 11:52:52 2017 +0200

    Releasing debian version 4.2.1-2.
    
    Signed-off-by: Mathias Behrle <mathiasb at m9s.biz>

diff --git a/debian/changelog b/debian/changelog
index 2312f01..75d5b0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+tryton-server (4.2.1-2) unstable; urgency=high
+
+  * Add 02_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
+    Sanitize path in file_open against suffix.
+    The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
+    case where an external file could be retrieved if it is stored in a folder
+    next to the root of trytond starting with the same name but with a suffix.
+    Example: '../trytond_suffix'.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Tue, 28 Mar 2017 11:51:14 +0200
+
 tryton-server (4.2.1-1) unstable; urgency=medium
 
   * Merging upstream version 4.2.1.
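
Review bot: the entry names CVE-2017-0360 but not the upstream issue the patch header tracks (https://bugs.tryton.org/issue6361); add that reference (and a `Closes:` line if a Debian bug was filed) so the changelog points at the same record as the patch's `Bug:` field. The example `'../trytond_suffix'` is also only a bypass when the name is resolved against the trytond root itself (the `subdir=None` form the new test uses), which one extra clause here would make clear.
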
commit 8178254d624301fdcfa0bcb9e041a6b3b124fc9b
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Tue Mar 28 11:49:12 2017 +0200

    Add 02_CVE-2017-0360_sanitize_file_open.patch (CVE-2017-0360).
    
    Sanitize path in file_open against suffix (CVE-2017-0360).
    The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
    case where an external file could be retrieved if it is stored in a
    folder next to the root of trytond starting with the same name but with a
    suffix. Example: '../trytond_suffix'.
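
As an added illustration of the prefix-match flaw the commit message describes (this is not trytond's code and not part of the commit): a simplified reconstruction of the join-and-check helper in its before and after forms, probed with a constructed root `/srv/trytond`. The names `ROOT`, `join_before_fix`, `join_after_fix`, `join_commonpath` and `probe` are chosen here; the `commonpath` variant goes beyond the patch to show a component-wise comparison that also accepts the root directory itself.

```python
import os

# Constructed root for the demonstration (trytond derives its real root
# from its own package location; this path is an assumption).
ROOT = "/srv/trytond"


def join_before_fix(root, *paths):
    """Reconstruction of the check before CVE-2017-0360: normalize the
    joined path, then require a bare string prefix. '/srv/trytond_suffix'
    starts with '/srv/trytond', so a sibling directory slips through."""
    path = os.path.normpath(os.path.join(root, *paths))
    if not path.startswith(root):
        raise IOError("Permission denied: %s" % os.path.join(*paths))
    return path


def join_after_fix(root, *paths):
    """Reconstruction of the fixed check: the prefix now carries a trailing
    separator, so '/srv/trytond_suffix/...' no longer matches
    '/srv/trytond/'. Note that root itself (no trailing separator) is
    rejected too, which is harmless when only files are opened."""
    path = os.path.normpath(os.path.join(root, *paths))
    if not path.startswith(os.path.join(root, '')):
        raise IOError("Permission denied: %s" % os.path.join(*paths))
    return path


def join_commonpath(root, *paths):
    """Beyond the patch: compare path components rather than characters
    (os.path.commonpath, Python 3.4+). Accepts root itself; still lexical,
    so symlinks under root are not resolved (use realpath for that)."""
    path = os.path.normpath(os.path.join(root, *paths))
    if os.path.commonpath([root, path]) != root:
        raise IOError("Permission denied: %s" % os.path.join(*paths))
    return path


def probe(root, name):
    """Return (allowed_before, allowed_after) for one requested name."""
    results = []
    for check in (join_before_fix, join_after_fix):
        try:
            check(root, name)
            results.append(True)
        except IOError:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    # Constructed sample names: a legitimate file, the classic traversal,
    # an absolute path, and the sibling-directory case from the advisory.
    for name in ("modules/party/party.xml",
                 "../../foo",
                 "/etc/passwd",
                 "../trytond_suffix/secret"):
        print("%-28s before=%-5s after=%s" % ((name,) + probe(ROOT, name)))
```

Running the block prints one line per name; only `../trytond_suffix/secret` differs between the two checks (allowed before, denied after). The `commonpath` form is shown for comparison and would not have been an option for a code base that still had to run on Python 2.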

diff --git a/debian/patches/02_CVE-2017-0360_sanitize_file_open.patch b/debian/patches/02_CVE-2017-0360_sanitize_file_open.patch
new file mode 100644
index 0000000..2dffa92
--- /dev/null
+++ b/debian/patches/02_CVE-2017-0360_sanitize_file_open.patch
@@ -0,0 +1,35 @@
+Description: Sanitize path in file_open against suffix (CVE-2017-0360).
+ The patch for CVE-2016-1242 did not cover all cases. Indeed there is a
+ case where an external file could be retrieved if it is stored in a folder
+ next to the root of trytond starting with the same name but with a suffix.
+ Example: '../trytond_suffix'.
+Author: Cédric Krier <cedric.krier at b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/33191002
+Bug: https://bugs.tryton.org/issue6361
+Last-Update: 2017-03-28
+
+--- tryton-server-4.2.2.orig/trytond/tests/test_tools.py
++++ tryton-server-4.2.2/trytond/tests/test_tools.py
+@@ -128,6 +128,11 @@ class ToolsTestCase(unittest.TestCase):
+         with self.assertRaisesRegexp(IOError, "Permission denied:"):
+             file_open('../../foo')
+ 
++    def test_file_open_suffix(self):
++        "Test file_open from same root name but with a suffix"
++        with self.assertRaisesRegexp(IOError, "Permission denied:"):
++            file_open('../trytond_suffix', subdir=None)
++
+ 
+ def suite():
+     func = unittest.TestLoader().loadTestsFromTestCase
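
Review bot: the new test pins only the `subdir=None` branch; the `'../../foo'` case just above goes through the default `subdir`, which adds one component under root, so the sibling-directory case on that branch is `file_open('../../trytond_suffix')` and deserves its own assertion next to this one. The test correctly needs no `trytond_suffix` directory to exist, since the check raises before anything is opened. Separately, the file headers name `tryton-server-4.2.2.orig/` while this upload is 4.2.1-2; quilt strips the leading component so the patch still applies, but the headers should match the tree it was refreshed against.
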
+--- tryton-server-4.2.2.orig/trytond/tools/misc.py
++++ tryton-server-4.2.2/trytond/tools/misc.py
+@@ -32,7 +32,7 @@ def file_open(name, mode="r", subdir='mo
+         "Join paths and ensure it still below root"
+         path = os.path.join(root, *paths)
+         path = os.path.normpath(path)
+-        if not path.startswith(root):
++        if not path.startswith(os.path.join(root, '')):
+             raise IOError("Permission denied: %s" % name)
+         return path
+ 
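
Review bot: the comparison on the `+` line is still purely lexical: `os.path.normpath` resolves `..` as text, so a symlink placed under `root` that points outside it passes the check; if that case matters, compare against `os.path.realpath` of the joined path, or state in the docstring that links inside the tree are trusted. Two smaller points on the same line: it assumes `root` is already normalized with no trailing separator (only the joined path goes through `normpath`), and `root` itself no longer satisfies `path.startswith(os.path.join(root, ''))`, which is harmless for opening files but worth a comment beside the check. Comparing path components (`os.path.commonpath`, Python 3.4+) would avoid the prefix handling altogether if Python 2 support is not required.
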
diff --git a/debian/patches/series b/debian/patches/series
index 40b8409..cd91c7f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01_migrate_obsolete_modules.patch
+02_CVE-2017-0360_sanitize_file_open.patch
-- 
tryton-server