ModelStorage.write doesn't check field access for all fields
The method checks only for the fields defined in the first values dictionary [1] but it should check for all the other dictionaries from *args.
[1] http://hg.tryton.org/trytond/file/625e03224672/trytond/model/modelstorage.py#l151
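A minimal sketch of the flaw described above, added here as an illustration and not taken from trytond. `check_field_access`, `READ_ONLY_FIELDS` and both `write_*` functions are hypothetical names, and the pairing of `*args` into (records, values) is an assumption based on the changeset titles further down.

```python
# Added illustration: a simplified model, not trytond's code.
# Assumption: write(records, values, *args) receives further
# (records, values) pairs through *args.

class AccessError(Exception):
    pass

# Constructed sample policy: fields the current user may not write.
READ_ONLY_FIELDS = {"salary"}

def check_field_access(field_names):
    """Raise AccessError if any named field is not writable."""
    denied = READ_ONLY_FIELDS & set(field_names)
    if denied:
        raise AccessError("no write access to: %s" % ", ".join(sorted(denied)))

def _pairs(records, values, args):
    """Group the flat argument list into (records, values) pairs."""
    if len(args) % 2:
        raise TypeError("args must be (records, values) pairs")
    return [(records, values)] + list(zip(args[0::2], args[1::2]))

def _apply(actions):
    """Apply each values dictionary to its in-memory records."""
    for records, values in actions:
        for record in records:
            record.update(values)

def write_first_only(records, values, *args):
    """Flawed shape: only the first values dictionary is checked."""
    check_field_access(values)
    _apply(_pairs(records, values, args))

def write_checked(records, values, *args):
    """Corrected shape: field names from every values dictionary are checked."""
    actions = _pairs(records, values, args)
    all_fields = set()
    for _, vals in actions:
        all_fields.update(vals)
    check_field_access(all_fields)  # runs before any record is modified
    _apply(actions)
```

Collecting every field name before applying anything also keeps the write all-or-nothing: a denied field in a later pair no longer leaves earlier pairs already written.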
- Cédric Krier added trytond + 1 deleted label
- Author Owner
Here is the review22631002 that fixes the issue.
The review is accessible to reviewers so if someone wants to have access please send me an email with your rietveld account.
I think this security issue deserves a synchronised release for all affected series (3.8, 3.4 and 3.2).
I will be abroad next week, so I propose to make the release on the 16th December and publish the news on the 17th.
I think this deserves a CVE number, @yangoon could you request one?
- Cédric Krier assigned to @ced
- Developer
> I think this deserves a CVE number, @yangoon could you request one?
CVE requested.
- Developer
>> I think this deserves a CVE number, @yangoon could you request one?
> CVE requested.
CVE-2015-0861 was assigned from the Debian pool for this issue. Please reference it in any upstream advisory for the new version.
Ok from our side for the embargo date.
- Author Owner
The releases have been published.
- Author Owner
News published so the issue can be solved.
- Cédric Krier made the issue visible to everyone
- Cédric Krier closed
- Author Owner
New changeset 06230c381593 by Cédric Krier in branch 'default':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/06230c381593
New changeset 70f988cd76ce by Cédric Krier in branch 'default':
Add test for for check fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/70f988cd76ce
New changeset f0564615ef28 by Cédric Krier in branch '3.8':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/f0564615ef28
New changeset ed9ba85302a2 by Cédric Krier in branch '3.6':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/ed9ba85302a2
New changeset c46c344a2183 by Cédric Krier in branch '3.4':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/c46c344a2183
New changeset a671098903a2 by Cédric Krier in branch '3.2':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/a671098903a2
- Cédric Krier made the issue confidential
- Cédric Krier reopened
- Cédric Krier made the issue visible to everyone
- Cédric Krier closed
- Author Owner
@yangoon the CVE can be published.
- Cédric Krier reopened