Tryton - Issues

Issue5167

Title: ModelStorage.write doesn't check field access for all fields
Priority: bug
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, nicoe, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 22631002

Created on 2015-12-03.12:42:34 by ced, last changed by ced.

Messages
msg23389 Author: [hidden] (yangoon) (Tryton translator) Date: 2015-12-18.12:07:39
> @yangoon the CVE can be published.

Thanks, this is done on purpose:
https://security-tracker.debian.org/tracker/CVE-2015-0861
msg23388 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-18.10:22:02
@yangoon the CVE can be published.
msg23373 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-17.08:21:08
New changeset 06230c381593 by Cédric Krier in branch 'default':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/06230c381593

New changeset 70f988cd76ce by Cédric Krier in branch 'default':
Add test for check fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/70f988cd76ce

New changeset f0564615ef28 by Cédric Krier in branch '3.8':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/f0564615ef28

New changeset ed9ba85302a2 by Cédric Krier in branch '3.6':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/ed9ba85302a2

New changeset c46c344a2183 by Cédric Krier in branch '3.4':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/c46c344a2183

New changeset a671098903a2 by Cédric Krier in branch '3.2':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/a671098903a2
msg23372 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-17.08:20:10
News published so the issue can be solved.
msg23370 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-16.15:27:40
The releases have been published.
msg23317 Author: [hidden] (yangoon) (Tryton translator) Date: 2015-12-05.11:29:26
>> I think this deserve a CVE number, @yangoon could you request one?
> CVE requested.

CVE-2015-0861 was assigned from the Debian pool for this
issue. Please reference it in any upstream advisory for the new version.

Ok from our side for the embargo date.
msg23315 Author: [hidden] (yangoon) (Tryton translator) Date: 2015-12-05.02:47:17
> I think this deserve a CVE number, @yangoon could you request one?

CVE requested.
msg23314 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-04.22:54:38
Here is the review 22631002 that fixes the issue.
The review is accessible to reviewers, so if someone wants to have access, please send me an email with your rietveld account.

I think this security issue deserves a synchronised release for all affected series (3.8, 3.4 and 3.2).
I will be abroad next week, so I propose to make the release on the 16th of December and publish the news on the 17th.

I think this deserves a CVE number, @yangoon could you request one?
msg23298 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2015-12-03.12:42:33
The method checks only the fields defined in the first values dictionary [1], but it should check all the other dictionaries from *args.

[1] http://hg.tryton.org/trytond/file/625e03224672/trytond/model/modelstorage.py#l151
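The bug ced describes, as an added example that is not trytond's own code: a simplified write() that checks field access only against the first values dict, beside one that checks every (records, values) pair passed through *args. FieldAccessError, ALLOWED, check_fields and the sample field names are constructed for the illustration, not trytond APIs.

```python
# Added example, not trytond's code: models the ModelStorage.write() bug.
# write(records, values, *args) takes a flat sequence of (records, values)
# pairs; field access was checked only against the first values dict, so
# fields named in later dicts were never checked. Names below
# (FieldAccessError, ALLOWED, check_fields) are constructed, not trytond APIs.

class FieldAccessError(Exception):
    """Raised when a caller tries to write a field it may not write."""

# Constructed access policy: the fields the current user may write.
ALLOWED = frozenset({"name", "code"})

def check_fields(values, allowed):
    """Reject any field in `values` that is not in `allowed`."""
    denied = sorted(set(values) - set(allowed))
    if denied:
        raise FieldAccessError("no write access on: %s" % ", ".join(denied))

def _pairs(records, values, args):
    """Group the flat (records, values, records, values, ...) call into pairs."""
    flat = (records, values) + tuple(args)
    if len(flat) % 2:
        raise ValueError("write() expects (records, values) pairs")
    return list(zip(flat[::2], flat[1::2]))

def write_vulnerable(records, values, *args, allowed=ALLOWED):
    """Buggy shape: only the first values dict is checked; later ones slip by."""
    check_fields(values, allowed)
    return [(tuple(r), dict(v)) for r, v in _pairs(records, values, args)]

def write_fixed(records, values, *args, allowed=ALLOWED):
    """Fixed shape: every values dict is checked before anything is written."""
    pairs = _pairs(records, values, args)
    for _records, vals in pairs:
        check_fields(vals, allowed)
    return [(tuple(r), dict(v)) for r, v in pairs]

def demo():
    """Same call against both shapes; returns (vulnerable_result, fixed_refused)."""
    first, second = {"name": "ok"}, {"salary": 1}  # 'salary' is not writable
    leaked = write_vulnerable([1], first, [2], second)  # second dict gets written
    try:
        write_fixed([1], first, [2], second)
        refused = False
    except FieldAccessError:
        refused = True
    return leaked, refused
```

The vulnerable shape returns the second pair with the unchecked field already written, while the fixed shape refuses the whole call before touching any record.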
History
Date                User     Action  Args
2015-12-18 12:31:15 ced      set     status: chatting -> resolved
2015-12-18 12:07:42 yangoon  set     status: resolved -> chatting; messages: + msg23389
2015-12-18 10:22:10 ced      set     status: chatting -> resolved
2015-12-18 10:22:03 ced      set     status: resolved -> chatting; messages: + msg23388
2015-12-17 08:21:17 ced      set     status: chatting -> resolved
2015-12-17 08:21:09 ced      set     status: resolved -> chatting; messages: + msg23373
2015-12-17 08:20:11 ced      set     status: testing -> resolved; messages: + msg23372
2015-12-16 15:27:40 ced      set     messages: + msg23370
2015-12-05 11:29:26 yangoon  set     messages: + msg23317
2015-12-05 02:47:18 yangoon  set     messages: + msg23315