Tryton - Issues


Issue2476

Title: Missing access control on some relation model for Many2Many
Priority: critical
Status: resolved
Superseder: none
Nosy List: bch, ced, daniel, nicoe, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: none
Reviews: none

Created on 2012-03-03.13:50:43 by ced, last changed by ced.

Files
File name | Uploaded by | Date | Type
add_group.py | ced | 2012-03-28.11:52:43 | text/plain
Messages
msg10475 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-29.18:59:56
JFTR:
Related links in Debian:
http://lists.debian.org/debian-security-announce/2012/msg00072.html
http://security-tracker.debian.org/tracker/CVE-2012-0215
and later:
http://www.debian.org/security/2012/dsa-2444
msg10460 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-28.19:55:44
Fixed with changeset 8e64d52ecea4
msg10453 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-28.11:52:43
I have written a small script to test if the vulnerability is fixed.
It just adds a group to the current user using XML-RPC calls.
msg10429 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-24.13:36:31
> I don't understand why the commit message should have this number in addition
> to the link to this issue.

A CVE number is a cross identifier. It is the purpose of this number to help
identify all procedures/messages/issues related to this subject.
msg10428 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-24.13:08:02
On 24/03/12 13:03 +0100, Mathias Behrle wrote:
> 
> Mathias Behrle <mathias.behrle@gmx.de> added the comment:
> 
> From our (the Debian) side we are prepared to do the uploads.
> 
> I propose Mo, 26.03 as release date. Is this ok for you?

No, I'm not available to do it before 28/03.
msg10427 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-24.13:05:40
I don't understand why the commit message should have this number in addition
to the link to this issue.
msg10426 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-24.13:03:57
From our (the Debian) side we are prepared to do the uploads.

I propose Mo, 26.03 as release date. Is this ok for you?
msg10419 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-23.13:43:13
CVE-2012-0215 was assigned by the Debian project to this issue.

The corresponding ticket is:
The Tryton project discovered a vulnerability caused by missing checks of 
access permissions on certain models in the Tryton server. The fix consists of
disabling 'create', 'write', 'delete' and 'copy' actions via rpc for those
models.

Please include the CVE number in all commit messages and news related to the
subject.
msg10403 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-21.13:40:13
FYI: Forwarded to team@security.debian.org (fixed version 1.6.1-2+squeeze1).
Will be uploaded together with unstable immediately after the release.

CVE requested.
msg10402 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-21.10:28:08
> Would you like to get a CVE number? AFAIK the security team could assign one.

Why not, I don't know exactly how it works.
msg10401 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-21.10:25:43
Here are all the reviews:
2.2: review307001
2.0: review307002
1.8: review304002
1.6: review308001
1.4: review309001
msg10397 Author: [hidden] (yangoon) (Tryton translator) Date: 2012-03-21.09:21:00
Could you please also push the fix for version 1.6 to codereview? This is the
version in Debian stable and only this fix will be accepted, not an update to
the current 1.6.x.
With this fix I would like to coordinate with the security team to have approval
for simultaneous uploads to stable and unstable.
Would you like to get a CVE number? AFAIK the security team could assign one.
msg10389 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-20.19:29:43
If everybody agrees on the fix, I propose this way of working:

- Push the fix to trunk and all supported series at one time
- Make a release for every series (preferably the same day)
- Publish a security news that explains the issue.
msg10387 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-20.18:18:49
Add security roles to nosy list.
msg10386 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-20.18:08:32
Please test review303001
msg10248 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2012-03-03.13:50:43
Relation models for Many2Many don't have an ir.model.access record as they are
just ModelSQL but not ModelView.
So I think we must remove create, read, write and delete from _rpc.
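A simplified model of the mechanism described in this issue, added here as an example and not trytond's own code: the hypothetical `Model`, `check_access`, `relation_model` and `audit` stand in for trytond's ModelSQL/ModelView classes, the `_rpc` registry and the ir.model.access table, with constructed access rows. `audit` lists models that expose mutating RPC methods without any access record behind them, which is exactly the condition this issue fixes for Many2Many relation models.

```python
from dataclasses import dataclass

# Hypothetical stand-ins for trytond's model classes and ir.model.access table;
# this is an added illustration of the bug class, not trytond's own code.
MUTATING = {"create", "write", "delete", "copy"}

# Constructed ir.model.access rows: only ModelView models have them.
ACCESS = {"res.user": {"admin"}, "res.group": {"admin"}}


@dataclass
class Model:
    name: str
    rpc: frozenset            # method names exposed over RPC (like _rpc)
    has_access_record: bool   # True for ModelView models with access rows


def check_access(model: Model, user_groups: set, method: str) -> bool:
    """Pre-fix dispatcher logic: a method is allowed if it is exposed and,
    when an access record exists, the caller is in an allowed group.
    A bare ModelSQL relation model has no record, so nothing blocks it."""
    if method not in model.rpc:
        return False
    if method not in MUTATING:
        return True
    if not model.has_access_record:
        return True            # the hole described in this issue
    return bool(ACCESS[model.name] & user_groups)


def relation_model(fixed: bool) -> Model:
    """Many2Many relation model res.user-res.group (ModelSQL only).
    The fix drops the mutating actions from its _rpc registry."""
    exposed = {"read"} if fixed else {"read"} | MUTATING
    return Model("res.user-res.group", frozenset(exposed), False)


def audit(models) -> list:
    """Defensive check: names of models exposing mutating RPC methods
    without any access record behind them."""
    return sorted(m.name for m in models
                  if m.rpc & MUTATING and not m.has_access_record)


if __name__ == "__main__":
    regular = Model("res.user", frozenset({"read", "write"}), True)
    print(audit([regular, relation_model(False)]))  # ['res.user-res.group']
    print(audit([regular, relation_model(True)]))   # []
```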
History
Date | User | Action | Args
2012-03-29 19:06:11 | ced | set | status: chatting -> resolved
2012-03-29 18:59:56 | yangoon | set | status: resolved -> chatting; messages: + msg10475
2012-03-28 19:55:44 | ced | set | status: testing -> resolved; component: + trytond; messages: + msg10460
2012-03-28 11:52:43 | ced | set | files: + add_group.py; messages: + msg10453
2012-03-24 13:36:32 | yangoon | set | messages: + msg10429
2012-03-24 13:08:03 | ced | set | messages: + msg10428
2012-03-24 13:05:40 | ced | set | messages: + msg10427
2012-03-24 13:03:58 | yangoon | set | messages: + msg10426
2012-03-23 13:43:13 | yangoon | set | messages: + msg10419
2012-03-21 13:40:13 | yangoon | set | messages: + msg10403