Tryton - Issues



Title: Any user can read the hashed password
Priority: urgent
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 32441002, 32491003

Created on 2016-08-17.12:58:25 by ced, last changed by ced.

msg28227 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-08-31.12:27:52
News published.
msg28213 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-08-30.14:49:52
The releases have been published.
msg27995 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-08-25.19:55:28
Here is review32491003 for the announcement.
msg27788 Author: [hidden] (yangoon) (Tryton translator) Date: 2016-08-19.10:31:23
Please use CVE-2016-1241 for this issue.
msg27783 Author: [hidden] (yangoon) (Tryton translator) Date: 2016-08-18.11:54:01
Proposed timeline:
2016-08-30 for release
2016-08-31 for news
msg27761 Author: [hidden] (yangoon) (Tryton translator) Date: 2016-08-17.13:07:32
Will do ASAP, back at home later this evening.
msg27757 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-08-17.13:01:09
Here is review32441002, which fixes the problem and adds a test.
I think we will need to publish a CVE, @yangoon could you manage one?
msg27756 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-08-17.12:58:24
While reading [1], I was wondering if trytond was also affected.
Indeed, series <=3.0 are not affected, but r c9be44cd05e1 removed the protection by mistake. The new password_hash field did not receive the same hiding treatment as the password field.
The exploitation is quite difficult because of the existing protections against such a leak. The protections are the usage of a strong hash (bcrypt and sha1) and the random salt.
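The root cause described above is a per-field-name masking that a newly added field silently escaped. As an added example (not trytond's code and not the change in review32441002), here is a toy model with constructed field names and rows whose read() masks every field flagged secret at declaration time, so a field like password_hash inherits the treatment given to password, together with the kind of regression check such a fix ships with.

```python
MASK = 'x' * 10


class Field:
    """Field declaration; `secret` marks values that read() must never return."""
    def __init__(self, name, secret=False):
        self.name = name
        self.secret = secret


class User:
    """Toy stand-in for a user model (constructed; not trytond's res.user)."""
    _fields = {
        'login': Field('login'),
        'password': Field('password', secret=True),
        # Flagged at declaration, so the mask follows the field automatically.
        'password_hash': Field('password_hash', secret=True),
    }
    # Constructed sample rows; the hash values are placeholders, not real digests.
    _records = {
        1: {'login': 'alice', 'password': None,
            'password_hash': '$2b$12$CONSTRUCTED_SALT_AND_HASH'},
        2: {'login': 'bob', 'password': None,
            'password_hash': '$2b$12$ANOTHER_CONSTRUCTED_VALUE'},
    }

    @classmethod
    def _read_raw(cls, ids, fields_names):
        # Storage layer: returns stored values verbatim, including secrets.
        return [{'id': i, **{f: cls._records[i].get(f) for f in fields_names}}
                for i in ids]

    @classmethod
    def read(cls, ids, fields_names=None):
        # Access layer: mask by field metadata, not by a hard-coded name list.
        if not fields_names:
            fields_names = list(cls._fields)
        rows = cls._read_raw(ids, fields_names)
        secret = {n for n, f in cls._fields.items() if f.secret}
        for row in rows:
            for name in secret.intersection(row):
                row[name] = MASK
        return rows


def secret_fields_are_masked(model):
    """Regression check: no secret field leaks, whether read by default or by name."""
    ids = list(model._records)
    secret = [n for n, f in model._fields.items() if f.secret]
    rows = model.read(ids) + model.read(ids, secret)
    return all(row[n] == MASK for row in rows for n in secret)
```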

Date User Action Args
2016-08-31 12:27:52 ced set status: testing -> resolved; messages: + msg28227
2016-08-30 14:49:52 ced set messages: + msg28213
2016-08-25 19:55:28 ced set reviews: 32441002 -> 32441002,32491003; messages: + msg27995
2016-08-19 10:31:23 yangoon set messages: + msg27788
2016-08-18 11:54:01 yangoon set messages: + msg27783
2016-08-17 13:07:33 yangoon set messages: + msg27761
2016-08-17 13:01:09 ced set status: in-progress -> testing; reviews: 32441002; messages: + msg27757; keyword: + review
2016-08-17 12:58:25 ced create