Hi all, hi Thorsten (IIRC you are currently assigned LTS-FD), I have prepared a fixed wheezy package for CVE-2016-1242 in tryton-server, debdiff attached.
The according issue is: The Tryton project (Cédric Krier) discovered a vulnerability in the file_open function caused by missing sanitization of the name against up-level reference. This could be used on the field 'name' on a Report definition that represents the relative path to the report template. As this field is writeable by the group "admin", this allows any "admin" user to forge a path to read files outside the trytond directory (or egg path).

I would like to get into the procedures for LTS, so if it is ok for you I would do the next steps myself. Please just tell me if I should upload and then claim the DLA and post the announce according to https://wiki.debian.org/LTS/Development#secure-testing.

Thanks,
Mathias

--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
diff -Nru tryton-server-2.2.4/debian/changelog tryton-server-2.2.4/debian/changelog --- tryton-server-2.2.4/debian/changelog 2014-10-04 20:49:37.000000000 +0200 +++ tryton-server-2.2.4/debian/changelog 2016-08-31 14:51:15.000000000 +0200 @@ -1,3 +1,10 @@ +tryton-server (2.2.4-1+deb7u3) wheezy-security; urgency=high + + * CVE-2016-1242 + Adding 05-CVE-2016-1242_sanitize_path_in_file_open.patch. + + -- Mathias Behrle <mathi...@m9s.biz> Wed, 31 Aug 2016 14:49:27 +0200 + tryton-server (2.2.4-1+deb7u2) stable-security; urgency=high * Adding patch 04-fix-strict-sequences. diff -Nru tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch --- tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch 1970-01-01 01:00:00.000000000 +0100 +++ tryton-server-2.2.4/debian/patches/05-CVE-2016-1242_sanitize_path_in_file_open.patch 2016-08-31 14:42:53.000000000 +0200 
@@ -0,0 +1,65 @@ +Description: Fix for CVE-2016-1242 Sanitize path in file_open + file_open did not prevent to use an up-level reference in a file name. + A forged Report name could be used to open a file outside the root + directory of trytond. +Author: Cédric Krier <c...@b2ck.com> +Origin: upstream, https://tryton-rietveld.appspot.com/28691002/ +Bug: https://bugs.tryton.org/issue5808 +Forwarded: not-needed +Last-Update: 2016-08-31 + +--- tryton-server-2.2.4.orig/trytond/tools/misc.py ++++ tryton-server-2.2.4/trytond/tools/misc.py +@@ -77,6 +77,14 @@ def file_open(name, mode="r", subdir='mo + from trytond.modules import EGG_MODULES + root_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) + ++ def secure_join(root, *paths): ++ "Join paths and ensure it still below root" ++ path = os.path.join(root, *paths) ++ path = os.path.normpath(path) ++ if not path.startswith(root): ++ raise IOError("Permission denied: %s" % name) ++ return path ++ + egg_name = False + if subdir == 'modules': + module_name = name.split(os.sep)[0] +@@ -84,19 +92,19 @@ def file_open(name, mode="r", subdir='mo + epoint = EGG_MODULES[module_name] + mod_path = os.path.join(epoint.dist.location, + *epoint.module_name.split('.')[:-1]) +- egg_name = os.path.join(mod_path, name) ++ egg_name = secure_join(mod_path, name) + if not os.path.isfile(egg_name): + # Find module in path + for path in sys.path: + mod_path = os.path.join(path, + *epoint.module_name.split('.')[:-1]) +- egg_name = os.path.join(mod_path, name) ++ egg_name = secure_join(mod_path, name) + if os.path.isfile(egg_name): + break + if not os.path.isfile(egg_name): + # When testing modules from setuptools location is the + # module directory +- egg_name = os.path.join( ++ egg_name = secure_join( + os.path.dirname(epoint.dist.location), name) + + if subdir: +@@ -106,11 +114,11 @@ def file_open(name, mode="r", subdir='mo + or name.startswith('res' + os.sep) \ + or name.startswith('webdav' + os.sep) \ + or 
name.startswith('test' + os.sep)): +- name = os.path.join(root_path, name) ++ name = secure_join(root_path, name) + else: +- name = os.path.join(root_path, subdir, name) ++ name = secure_join(root_path, subdir, name) + else: +- name = os.path.join(root_path, name) ++ name = secure_join(root_path, name) + + for i in (name, egg_name): + if i and os.path.isfile(i): diff -Nru tryton-server-2.2.4/debian/patches/series tryton-server-2.2.4/debian/patches/series --- tryton-server-2.2.4/debian/patches/series 2014-10-04 20:49:37.000000000 +0200 +++ tryton-server-2.2.4/debian/patches/series 2016-08-31 14:47:00.000000000 +0200 @@ -2,3 +2,4 @@ 02-support-pywebdav-0.9.8 03-fix-safe_eval 04-fix-strict-sequences +05-CVE-2016-1242_sanitize_path_in_file_open.patch
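Review bot: in the `secure_join` helper added to trytond/tools/misc.py (hunk `@@ -77,6 +77,14 @@`), `path.startswith(root)` is a string-prefix test, not a directory-containment test: with `root` `/opt/trytond`, a name that normalises to `/opt/trytond-other/report.odt` passes the check although it lies outside the root. Compare against the root plus a separator (`path == root or path.startswith(root + os.sep)`), or compare path components, so that only entries at or beneath `root` are accepted.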
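Review bot: in the egg branch (hunk `@@ -84,19 +92,19 @@`) the `root` argument handed to `secure_join` is `mod_path`, assembled with `os.path.join` from `epoint.dist.location` and the `sys.path` entries and never normalised, whereas the joined result is run through `os.path.normpath`. A root with a trailing separator, a `.` component or a relative `sys.path` entry therefore makes the `startswith` comparison fail for a perfectly legitimate name and raises `IOError` instead of opening the file. Normalising the root at the top of `secure_join` (`root = os.path.normpath(root)`) keeps both sides of the comparison in the same form.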
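Added example, not part of the mail or of the Tryton patch above: a standalone Python containment check in the spirit of the patch's secure_join, placed beside a variant that compares directory components instead of a string prefix. The root path, the file names and the function names are constructed for the illustration; nothing is read from disk, the check is pure string handling.

```python
import os


def prefix_join(root, *paths):
    """Containment check written the way the patch does it: normalise the
    joined path, then a plain string-prefix test against root.
    Reproduced here (constructed) only to contrast it with secure_join."""
    path = os.path.normpath(os.path.join(root, *paths))
    if not path.startswith(root):
        raise IOError("Permission denied: %s" % path)
    return path


def secure_join(root, *paths):
    """Join *paths under root and refuse any result that leaves root.

    Hypothetical hardened variant: root is normalised as well, and
    containment is decided with os.path.commonpath, so a sibling directory
    whose name merely starts with root's name is rejected, and an absolute
    name (which os.path.join would let replace root) is rejected too.
    """
    root = os.path.normpath(os.path.abspath(root))
    path = os.path.normpath(os.path.join(root, *paths))
    if os.path.commonpath([root, path]) != root:
        raise IOError("Permission denied: %s" % os.path.join(*paths))
    return path


def rejects(join, root, *paths):
    """True if the given join function refuses the name, False if it
    returns a path; used to compare the two checks on the same inputs."""
    try:
        join(root, *paths)
    except IOError:
        return True
    return False


# Constructed sample root; the sample names below stand for the 'name'
# field of a Report definition (a path relative to the trytond root).
ROOT = "/opt/trytond"
SAMPLE_NAMES = (
    "modules/party/party.odt",        # ordinary template path
    "../../etc/passwd",               # up-level reference, both reject
    "/etc/passwd",                    # absolute name, both reject
    "../trytond-backup/report.odt",   # sibling dir: prefix test accepts it
)

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("%-30s prefix rejects: %-5s commonpath rejects: %s" % (
            name, rejects(prefix_join, ROOT, name),
            rejects(secure_join, ROOT, name)))
```

The fourth sample is the case the prefix test misses: `/opt/trytond/../trytond-backup/report.odt` normalises to `/opt/trytond-backup/report.odt`, which starts with the string `/opt/trytond` but is not inside that directory. Comparing components (or the root plus `os.sep`) closes that gap; normalising the root first also avoids spurious denials when the root carries a trailing separator.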