Issue 5167

Title: ModelStorage.write doesn't check field access for all fields
Priority: bug
Status: resolved
Nosy list: ajacoutot, bch, ced, nicoe, sharkcz, yangoon
Assigned to: ced
Keywords: review

Created on 2015-12-03.12:42:34 by ced, last changed 59 months ago by ced.

Messages

Author: [hidden] (yangoon) Tryton translator
Date: 2015-12-18.12:07:39
> @yangoon the CVE can be published.

Thanks, this is done on purpose:
https://security-tracker.debian.org/tracker/CVE-2015-0861
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-18.10:22:02
@yangoon the CVE can be published.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-17.08:21:08
New changeset 06230c381593 by Cédric Krier in branch 'default':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/06230c381593


New changeset 70f988cd76ce by Cédric Krier in branch 'default':
Add test for check fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/70f988cd76ce


New changeset f0564615ef28 by Cédric Krier in branch '3.8':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/f0564615ef28


New changeset ed9ba85302a2 by Cédric Krier in branch '3.6':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/ed9ba85302a2


New changeset c46c344a2183 by Cédric Krier in branch '3.4':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/c46c344a2183


New changeset a671098903a2 by Cédric Krier in branch '3.2':
Check all fields when writing a sequence of records, values
http://hg.tryton.org/trytond/rev/a671098903a2
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-17.08:20:10
News published so the issue can be solved.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-16.15:27:40
The releases have been published.
Author: [hidden] (yangoon) Tryton translator
Date: 2015-12-05.11:29:26
>> I think this deserves a CVE number, @yangoon could you request one?
> CVE requested.

CVE-2015-0861 was assigned from the Debian pool for this
issue. Please reference it in any upstream advisory for the new version.

Ok from our side for the embargo date.
Author: [hidden] (yangoon) Tryton translator
Date: 2015-12-05.02:47:17
> I think this deserves a CVE number, @yangoon could you request one?

CVE requested.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-04.22:54:38
Here is the review22631002 that fixes the issue.
The review is accessible to reviewers so if someone wants to have access please send me an email with your rietveld account.

I think this security issue deserves a synchronised release for all affected series (3.8, 3.4 and 3.2).
I will be abroad next week, so I propose to make the release on 16 December and publish the news on the 17th.

I think this deserves a CVE number, @yangoon could you request one?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2015-12-03.12:42:33
The method checks only the fields defined in the first values dictionary [1], but it should check all the other dictionaries from *args.

[1] http://hg.tryton.org/trytond/file/625e03224672/trytond/model/modelstorage.py#l151
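The defect ced describes above, shown as an added Python illustration that is not trytond's code: a toy model of a write method taking alternating (records, values) pairs and a per-field write-access check. The "vulnerable" variant checks only the first values dictionary, as the issue states; the "fixed" variant collects the fields of every values dictionary before checking, as the changeset title says. The field names, the WRITABLE_FIELDS policy, AccessError and the in-memory store are constructed for the example and do not come from trytond.

```python
# Added illustration (not trytond's code) of the check described in the issue:
# write(records, values, *args) takes alternating (records, values) pairs, and
# field write access must be checked for every values dict, not just the first.
# Field names, the policy and record ids below are constructed sample data.


class AccessError(Exception):
    """Raised when a field the caller may not write is present (constructed)."""


# Constructed policy: fields the hypothetical current user is allowed to write.
WRITABLE_FIELDS = {"name", "description"}


def check_field_access(fields):
    """Stand-in for a per-field 'write' access check for a single user."""
    denied = sorted(set(fields) - WRITABLE_FIELDS)
    if denied:
        raise AccessError("write access denied on fields: %s" % ", ".join(denied))


def _pairs(records, values, args):
    """Yield (records, values) tuples from write's positional arguments."""
    if len(args) % 2:
        raise ValueError("write() expects (records, values) pairs")
    actions = iter((records, values) + args)
    return zip(actions, actions)


def write_vulnerable(store, records, values, *args):
    """Checks only the first values dict, then applies every pair (the bug)."""
    check_field_access(values.keys())
    for recs, vals in _pairs(records, values, args):
        for rid in recs:
            store.setdefault(rid, {}).update(vals)
    return store


def write_fixed(store, records, values, *args):
    """Collects the fields of all values dicts, then performs one access check."""
    all_fields = set()
    for _, vals in _pairs(records, values, args):
        all_fields |= set(vals.keys())
    check_field_access(all_fields)
    for recs, vals in _pairs(records, values, args):
        for rid in recs:
            store.setdefault(rid, {}).update(vals)
    return store


def demo():
    """Run the same call through both variants; report which enforced the policy."""
    first = {"name": "ok"}   # only writable fields
    second = {"price": 0}    # "price" is not writable under the constructed policy
    vulnerable_enforced = fixed_enforced = False
    store = {}
    try:
        write_vulnerable(store, [1], first, [1], second)
    except AccessError:
        vulnerable_enforced = True
    try:
        write_fixed({}, [1], first, [1], second)
    except AccessError:
        fixed_enforced = True
    return {
        "vulnerable_enforced": vulnerable_enforced,
        "fixed_enforced": fixed_enforced,
        "stored_after_vulnerable": store.get(1, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The fixed variant deliberately gathers every field name first and performs a single check before any record is modified, so a denied field in any later pair rejects the whole call rather than leaving a partially applied write.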
History
Date                 User     Action  Args
2015-12-18 12:31:15  ced      set     status: chatting -> resolved
2015-12-18 12:07:42  yangoon  set     status: resolved -> chatting; messages: + msg23389
2015-12-18 10:22:10  ced      set     status: chatting -> resolved
2015-12-18 10:22:03  ced      set     status: resolved -> chatting; messages: + msg23388
2015-12-17 08:21:17  ced      set     status: chatting -> resolved
2015-12-17 08:21:09  ced      set     status: resolved -> chatting; messages: + msg23373
2015-12-17 08:20:11  ced      set     status: testing -> resolved; messages: + msg23372
2015-12-16 15:27:40  ced      set     messages: + msg23370
2015-12-05 11:29:26  yangoon  set     messages: + msg23317
2015-12-05 02:47:18  yangoon  set     messages: + msg23315
