Wheezy update for tryton-server
Hi all, hi Thorsten (IIRC you are currently assigned LTS-FD),
I have prepared a fixed wheezy package for CVE-2016-1242 in tryton-server,
debdiff attached.
The corresponding issue is
The Tryton project (Cédric Krier) discovered a vulnerability in the file_open
function caused by missing sanitization of the name against up-level reference.
This could be used on the field 'name' on a Report definition that represents
the relative path to the report template. As this field is writeable by the
group "admin", this allows any "admin" user to forge a path to read files outside
the trytond directory (or egg path).
I would like to get into the procedures for LTS, so if it is ok for you I would
do the next steps myself. Please just tell me if I should upload and then
claim the DLA and post the announcement according to
https://wiki.debian.org/LTS/Development#secure-testing.
Thanks,
Mathias
--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
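An added worked example (editor's code, not part of this mail and not code from the Tryton project or the attached debdiff) that models the up-level reference problem described above and the lexical containment check the attached patch introduces. It uses a constructed root path and posixpath so it runs anywhere without touching the filesystem; patch_style_join() reproduces the normpath-plus-startswith logic of the patch's secure_join(), while strict_join() is an assumed hardened variant, not upstream code, that also normalises the root and compares against the root plus a separator. The Report 'name' values are constructed for the demonstration.

```python
import posixpath

# Constructed sample root: the trytond package directory as file_open()
# would compute it with os.path.abspath(). Nothing below reads the disk.
ROOT = "/usr/lib/python2.7/dist-packages/trytond"


def naive_join(root, name):
    """Pre-patch behaviour: plain join, no containment check at all."""
    return posixpath.normpath(posixpath.join(root, name))


def patch_style_join(root, name):
    """Model of secure_join() from the debdiff: normalise the joined path,
    then require a bare string-prefix match against the (unnormalised) root."""
    path = posixpath.normpath(posixpath.join(root, name))
    if not path.startswith(root):
        raise IOError("Permission denied: %s" % name)
    return path


def strict_join(root, name):
    """Assumed hardened variant (editor's code, not from the patch): normalise
    the root too, and accept only the root itself or root + '/' as prefix, so
    a sibling directory such as '<root>-evil' is no longer accepted."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(posixpath.join(root, name))
    if path != root and not path.startswith(root + posixpath.sep):
        raise IOError("Permission denied: %s" % name)
    return path


def outcome(joiner, root, name):
    """('accepted', path) if the joiner returns, ('rejected', None) if it raises."""
    try:
        return ("accepted", joiner(root, name))
    except IOError:
        return ("rejected", None)


# Constructed Report 'name' values: one legitimate template path and the
# kinds of value an "admin" user could store in the Report definition.
CASES = [
    (ROOT, "modules/sale/sale.odt"),            # legitimate template
    (ROOT, "../../../../../../etc/passwd"),     # classic up-level escape
    (ROOT, "/etc/passwd"),                      # absolute name: join() drops root
    (ROOT, "../trytond-evil/report.odt"),       # sibling sharing the root's prefix
    ("./trytond/modules", "sale/sale.odt"),     # relative root, as from sys.path '.'
]


def compare_all():
    """Run every case through all three joiners; returns one row per case."""
    rows = []
    for root, name in CASES:
        rows.append((root, name,
                     naive_join(root, name),
                     outcome(patch_style_join, root, name),
                     outcome(strict_join, root, name)))
    return rows


if __name__ == "__main__":
    for root, name, naive, patched, strict in compare_all():
        print("%s  +  %s" % (root, name))
        print("   naive  -> %s" % naive)
        print("   patch  -> %s %s" % patched)
        print("   strict -> %s %s" % strict)
```

Running it shows that the patch's check rejects the classic `../../../etc/passwd` and an absolute name (which os.path.join would otherwise let replace the root entirely), but accepts a sibling directory that merely shares the root's name as a prefix, and that an unnormalised root such as `./trytond/modules` makes it reject a legitimate name. The stricter variant handles both. Both checks are purely lexical: neither resolves symlinks.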
diff -Nru tryton-server-2.2.4/debian/changelog tryton-server-2.2.4/debian/changelog
--- tryton-server-2.2.4/debian/changelog 2014-10-04 20:49:37.000000000 +0200
+++ tryton-server-2.2.4/debian/changelog 2016-08-31 14:51:15.000000000 +0200
@@ -1,3 +1,10 @@
+tryton-server (2.2.4-1+deb7u3) wheezy-security; urgency=high
+
+ * CVE-2016-1242
+ Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch.
+
+ -- Mathias Behrle <mathiasb@m9s.biz> Wed, 31 Aug 2016 14:49:27 +0200
+
tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high
* Adding patch 04-fix-strict-sequences.
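Review bot: the new changelog entry says only `Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch.`; since the DLA text is derived from the changelog, state what the fix does and who could exploit it, e.g. `* CVE-2016-1242: sanitize path in file_open() against up-level references in a forged Report name (exploitable by users in the "admin" group).`, and carry over the upstream bug reference (https://bugs.tryton.org/issue5808) from the patch header. The distribution field is wheezy-security where the previous entry used stable-security, which is the expected target for an LTS upload.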
diff -Nru tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch
--- tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch 1970-01-01 01:00:00.000000000 +0100
+++ tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch 2016-08-31 14:42:53.000000000 +0200
@@ -0,0 +1,65 @@
+Description: Fix for CVE-2016-1242 Sanitize path in file_open
+ file_open did not prevent to use an up-level reference in a file name.
+ A forged Report name could be used to open a file outside the root
+ directory of trytond.
+Author: Cédric Krier <ced@b2ck.com>
+Origin: upstream, https://tryton-rietveld.appspot.com/28691002/
+Bug: https://bugs.tryton.org/issue5808
+Forwarded: not-needed
+Last-Update: 2016-08-31
+
+--- tryton-server-2.2.4.orig/trytond/tools/misc.py
++++ tryton-server-2.2.4/trytond/tools/misc.py
+@@ -77,6 +77,14 @@ def file_open(name, mode="r", subdir='mo
+ from trytond.modules import EGG_MODULES
+ root_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
++ def secure_join(root, *paths):
++ "Join paths and ensure it still below root"
++ path = os.path.join(root, *paths)
++ path = os.path.normpath(path)
++ if not path.startswith(root):
++ raise IOError("Permission denied: %s" % name)
++ return path
++
+ egg_name = False
+ if subdir == 'modules':
+ module_name = name.split(os.sep)[0]
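Review bot: the containment test in secure_join() (`if not path.startswith(root):`) is a bare string-prefix match, so a sibling directory whose name begins with the root's name still passes: with root `.../trytond`, a name of `../trytond-evil/report.odt` normalises to `.../trytond-evil/report.odt` and is accepted. Compare against the root with a trailing separator instead, e.g. `if path != root and not path.startswith(root + os.sep):`. Note also that os.path.normpath() and startswith() are purely lexical: a symlink inside the tree pointing outside it is not caught; that may be acceptable for the packaged layout but deserves a sentence in the patch Description. The docstring should read "ensure it is still below root".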
+@@ -84,19 +92,19 @@ def file_open(name, mode="r", subdir='mo
+ epoint = EGG_MODULES[module_name]
+ mod_path = os.path.join(epoint.dist.location,
+ *epoint.module_name.split('.')[:-1])
+- egg_name = os.path.join(mod_path, name)
++ egg_name = secure_join(mod_path, name)
+ if not os.path.isfile(egg_name):
+ # Find module in path
+ for path in sys.path:
+ mod_path = os.path.join(path,
+ *epoint.module_name.split('.')[:-1])
+- egg_name = os.path.join(mod_path, name)
++ egg_name = secure_join(mod_path, name)
+ if os.path.isfile(egg_name):
+ break
+ if not os.path.isfile(egg_name):
+ # When testing modules from setuptools location is the
+ # module directory
+- egg_name = os.path.join(
++ egg_name = secure_join(
+ os.path.dirname(epoint.dist.location), name)
+
+ if subdir:
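Review bot: in the three secure_join() calls in this hunk the root argument (mod_path, or os.path.dirname(epoint.dist.location)) is never normalised, while the joined path is. sys.path can legitimately contain an entry such as `.`, giving a root of `./trytond/modules`; os.path.normpath() strips the leading `./` from the joined path, the prefix test then fails, and a valid report name raises IOError("Permission denied") instead of being found. Apply os.path.normpath() to root inside secure_join() (harmless for root_path, which os.path.abspath() already normalises). Also, the raise inside the `for path in sys.path` loop aborts the whole lookup at the first candidate; that is fine, since the offending part is the same name for every candidate, but worth a short comment so nobody later "fixes" it by catching the error and continuing.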
+@@ -106,11 +114,11 @@ def file_open(name, mode="r", subdir='mo
+ or name.startswith('res' + os.sep) \
+ or name.startswith('webdav' + os.sep) \
+ or name.startswith('test' + os.sep)):
+- name = os.path.join(root_path, name)
++ name = secure_join(root_path, name)
+ else:
+- name = os.path.join(root_path, subdir, name)
++ name = secure_join(root_path, subdir, name)
+ else:
+- name = os.path.join(root_path, name)
++ name = secure_join(root_path, name)
+
+ for i in (name, egg_name):
+ if i and os.path.isfile(i):
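Review bot: root_path is absolute and normalised here, so these three calls are the well-behaved case, but two points remain. The IOError message (`"Permission denied: %s" % name`) echoes the attacker-controlled Report name verbatim; since secure_join() is a closure, `name` there is the enclosing function's variable, which this hunk rebinds after the call, so the message text depends on evaluation order and is easy to get wrong later. Pass the offending value explicitly, or log it and raise a generic message. Second, the raise now happens before the following `for i in (name, egg_name): if i and os.path.isfile(i):` loop, so a traversal attempt that previously fell through as "file not found" now surfaces as a permission error; that is the intended behaviour change and should be called out in the changelog.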
diff -Nru tryton-server-2.2.4/debian/patches/series tryton-server-2.2.4/debian/patches/series
--- tryton-server-2.2.4/debian/patches/series 2014-10-04 20:49:37.000000000 +0200
+++ tryton-server-2.2.4/debian/patches/series 2016-08-31 14:47:00.000000000 +0200
@@ -2,3 +2,4 @@
02-support-pywebdav-0.9.8
03-fix-safe_eval
04-fix-strict-sequences
+05-CVE-2016-1242_sanitize_path_in_file_open.patch
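Review bot: the new series entry carries a `.patch` suffix while the existing entries (`02-support-pywebdav-0.9.8`, `03-fix-safe_eval`, `04-fix-strict-sequences`) do not; quilt accepts both, but the naming within this package becomes inconsistent. Either drop the suffix to match, or rename consistently in a later upload.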