
Wheezy update for tryton-server



Hi all, hi Thorsten (IIRC you are currently assigned LTS-FD),

I have prepared a fixed wheezy package for CVE-2016-1242 in tryton-server,
debdiff attached.

The corresponding issue is:

The Tryton project (Cédric Krier) discovered a vulnerability in the file_open
function caused by missing sanitization of the name against up-level reference.
This could be used on the field 'name' on a Report definition that represents
the relative path to the report template. As this field is writeable by the
group "admin", this allows any "admin" user to forge a path to read files outside
the trytond directory (or egg path).

I would like to get into the procedures for LTS, so if it is ok for you I would
do the next steps myself. Please just tell me if I should upload and then
claim the DLA and post the announce according to
https://wiki.debian.org/LTS/Development#secure-testing.

Thanks,
Mathias


-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
diff -Nru tryton-server-2.2.4/debian/changelog tryton-server-2.2.4/debian/changelog
--- tryton-server-2.2.4/debian/changelog	2014-10-04 20:49:37.000000000 +0200
+++ tryton-server-2.2.4/debian/changelog	2016-08-31 14:51:15.000000000 +0200
@@ -1,3 +1,10 @@
+tryton-server (2.2.4-1+deb7u3) wheezy-security; urgency=high
+
+  * CVE-2016-1242
+    Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch.
+
+ -- Mathias Behrle <mathiasb@m9s.biz>  Wed, 31 Aug 2016 14:49:27 +0200
+
 tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high
 
   * Adding patch 04-fix-strict-sequences.
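Review bot: the new changelog entry names only the CVE id and the patch file; a one-line description of the issue ("sanitize the path in file_open so a forged Report name cannot read files outside the trytond directory") would make the entry self-explanatory for the DLA text and the security tracker, which is the usual convention for security uploads.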
diff -Nru tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch
--- tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch	1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch	2016-08-31 14:42:53.000000000 +0200
@@ -0,0 +1,65 @@
+Description: Fix for CVE-2016-1242 Sanitize path in file_open
+ file_open did not prevent to use an up-level reference in a file name.
+ A forged Report name could be used to open a file outside the root
+ directory of trytond.
+Author: Cédric Krier <ced@b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/28691002/
+Bug: https://bugs.tryton.org/issue5808
+Forwarded: not-needed
+Last-Update: 2016-08-31
+
+--- tryton-server-2.2.4.orig/trytond/tools/misc.py
++++ tryton-server-2.2.4/trytond/tools/misc.py
+@@ -77,6 +77,14 @@ def file_open(name, mode="r", subdir='mo
+     from trytond.modules import EGG_MODULES
+     root_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+ 
++    def secure_join(root, *paths):
++        "Join paths and ensure it still below root"
++        path = os.path.join(root, *paths)
++        path = os.path.normpath(path)
++        if not path.startswith(root):
++            raise IOError("Permission denied: %s" % name)
++        return path
++
+     egg_name = False
+     if subdir == 'modules':
+         module_name = name.split(os.sep)[0]
+@@ -84,19 +92,19 @@ def file_open(name, mode="r", subdir='mo
+             epoint = EGG_MODULES[module_name]
+             mod_path = os.path.join(epoint.dist.location,
+                     *epoint.module_name.split('.')[:-1])
+-            egg_name = os.path.join(mod_path, name)
++            egg_name = secure_join(mod_path, name)
+             if not os.path.isfile(egg_name):
+                 # Find module in path
+                 for path in sys.path:
+                     mod_path = os.path.join(path,
+                             *epoint.module_name.split('.')[:-1])
+-                    egg_name = os.path.join(mod_path, name)
++                    egg_name = secure_join(mod_path, name)
+                     if os.path.isfile(egg_name):
+                         break
+                 if not os.path.isfile(egg_name):
+                     # When testing modules from setuptools location is the
+                     # module directory
+-                    egg_name = os.path.join(
++                    egg_name = secure_join(
+                         os.path.dirname(epoint.dist.location), name)
+ 
+     if subdir:
+@@ -106,11 +114,11 @@ def file_open(name, mode="r", subdir='mo
+                     or name.startswith('res' + os.sep) \
+                     or name.startswith('webdav' + os.sep) \
+                     or name.startswith('test' + os.sep)):
+-            name = os.path.join(root_path, name)
++            name = secure_join(root_path, name)
+         else:
+-            name = os.path.join(root_path, subdir, name)
++            name = secure_join(root_path, subdir, name)
+     else:
+-        name = os.path.join(root_path, name)
++        name = secure_join(root_path, name)
+ 
+     for i in (name, egg_name):
+         if i and os.path.isfile(i):
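Review bot: the containment test in `secure_join`, `if not path.startswith(root):`, is a plain string-prefix check, so a normalised path that merely shares the root's name as a prefix (a sibling directory such as `<root>-data/...`) still passes, and `root` itself is never normalised although `path` is, so a root with a trailing separator or `..` component would compare inconsistently. Consider normalising the root first and requiring the prefix to end at a separator, e.g. `root = os.path.normpath(root)` followed by `if path != root and not path.startswith(root + os.sep):`. Also worth a sentence in the patch Description: because `secure_join` raises before the `os.path.isfile` checks, a rejected egg path aborts `file_open` with IOError instead of falling through to the next candidate location, which appears to be the intended behaviour.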
diff -Nru tryton-server-2.2.4/debian/patches/series tryton-server-2.2.4/debian/patches/series
--- tryton-server-2.2.4/debian/patches/series	2014-10-04 20:49:37.000000000 +0200
+++ tryton-server-2.2.4/debian/patches/series	2016-08-31 14:47:00.000000000 +0200
@@ -2,3 +2,4 @@
 02-support-pywebdav-0.9.8
 03-fix-safe_eval
 04-fix-strict-sequences
+05-CVE-2016-1242_sanitize_path_in_file_open.patch
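Review bot: the new series entry carries a `.patch` suffix while the three existing entries (`02-support-pywebdav-0.9.8`, `03-fix-safe_eval`, `04-fix-strict-sequences`) do not; either name is valid for quilt, but keeping the naming consistent within the package avoids confusion in later updates.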
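The traversal described in the advisory text above, and the containment check the patch introduces, as an added example that is not code from the Tryton project or the Debian package. It goes one step beyond the patch by also showing a stricter variant that normalises the root and requires the prefix to end at a separator; the root directory and report names are constructed sample values, and posixpath is used instead of os.path so the results are the same on every platform.

```python
import posixpath

# Constructed sample root; in trytond the root is derived from __file__.
ROOT = "/opt/trytond"


def unsafe_join(root, *paths):
    """The pre-fix behaviour: a plain join with no containment check."""
    return posixpath.normpath(posixpath.join(root, *paths))


def secure_join(root, *paths):
    """The check as written in the patch: a prefix test against root."""
    path = posixpath.normpath(posixpath.join(root, *paths))
    if not path.startswith(root):
        raise IOError("Permission denied: %s" % "/".join(paths))
    return path


def secure_join_strict(root, *paths):
    """Same idea, but the root is normalised too and the prefix must end at
    a separator, so a sibling directory that merely shares the root's name
    as a prefix (e.g. /opt/trytond-data) is rejected as well."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(posixpath.join(root, *paths))
    if path != root and not path.startswith(root + "/"):
        raise IOError("Permission denied: %s" % "/".join(paths))
    return path


def classify(report_name):
    """Resolve one Report 'name' three ways and return
    (unsafe, patch, strict); a rejected path is reported as None."""
    results = [unsafe_join(ROOT, report_name)]
    for join in (secure_join, secure_join_strict):
        try:
            results.append(join(ROOT, report_name))
        except IOError:
            results.append(None)
    return tuple(results)


if __name__ == "__main__":
    for name in ("report/invoice.odt", "../../etc/passwd",
                 "/etc/passwd", "../trytond-data/secret.txt"):
        print("%-28s -> %r" % (name, classify(name)))
```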