Tryton - Issues

Issue8189

Title: Guessing order on field without access
Priority: bug
Status: resolved
Superseder:
Nosy List: bch, ced, nicoe, pokoli, roundup-bot, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 279061002

Created on 2019-03-09.11:53:25 by ced, last changed by ced.

Messages
msg48421 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2019-04-05.10:47:49
CVE-2019-10868 was assigned by the Debian project to this issue. Please include this identifier whenever you refer to this issue.
msg48341 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-04-02.22:19:19
The news is scheduled to be published tomorrow, April 3rd, at 8:00 CEST.
New changeset fe7c89493b56 by Cédric Krier in branch 'default':
Check read access on field in search order
https://hg.tryton.org/tryton-env/rev/fe7c89493b56
msg48017 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-03-26.00:02:28
I guess the place is https://discuss.tryton.org/c/organisation
msg48012 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2019-03-25.14:32:24
> I do not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.

I would like to hear the reasons for your personal opinion.

> This issue is not the right place to discuss CVE.

Where is the right place?
msg48007 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-03-25.09:59:28
This issue is not the right place to discuss CVE.
msg48006 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-03-25.09:59:08
I do not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.
msg48005 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2019-03-25.09:36:30
Hi all,

I tried to request a CVE number for this issue.

This is no longer possible directly via Debian, because the policy of mitre.org has changed and Debian now assigns CVEs only for internal issues. Nevertheless I was reassured that requests via https://cveform.mitre.org/ are answered in a timely manner.

I tried that, but couldn't proceed for these reasons:
- Tryton is not yet registered as a vendor. This should be done with an appropriate mail address by the maintainer or a foundation member.
- 'Suggested description of the vulnerability for use in the CVE' should be that on the publication to which I have no access.

@ced, @nicoe: Could you please take the appropriate steps to get proper CVE numbers for the project?
msg48004 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2019-03-24.21:01:28
* Cédric Krier: " [issue8189] Guessing order on field without access" (Sun, 24
  Mar 2019 16:18:43 +0100):

> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> Here is review279061002
> I wrote a news at
> https://discuss.tryton.org/t/security-releate-for-issue8189/1262

"Sorry, you don't have access to that topic!" for me.

-- 

    Mathias Behrle
    MBSolutions
    Gilgenmatten 10 A
    D-79114 Freiburg

    Tel: +49(761)471023
    Fax: +49(761)4770816
    http://www.m9s.biz
    UStIdNr: DE 142009020
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
msg47972 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-03-24.16:18:42
Here is review279061002
I wrote a news at https://discuss.tryton.org/t/security-releate-for-issue8189/1262
I propose to make the security release in the next bugfix release batch, which will be around 1st April.
msg47525 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2019-03-09.11:53:24
Similar to issue7766, it is possible to retrieve the order of a field for which the user has no read access.
E.g.: Employee.search([], order=[('cost_price', 'ASC')])

Reading [1] shows that it is possible to guess the values if the data has a normal distribution and if we know the maximal range, even if we are not in exactly the same situation as described. Knowing the order of such a field may leak too much data.

So I propose to use the same solution as for issue7766 and check read access on the field used in order.

[1] https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/
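The following is an added example, not code from Tryton or from the issue's author. It makes the leak in msg47525 concrete: a toy search() that applies `order` on a field the caller may not read, a rank-to-quantile inference that recovers approximate values from nothing but the returned id sequence and an assumed distribution (the attack sketched in [1]), and the check the issue proposes, refusing any `order` that names a non-readable field. All names are hypothetical: the employee rows are constructed, READ_ACCESS is a stand-in for Tryton's field access rules, and search_vulnerable/search_fixed are not Tryton's Model.search().

```python
"""Added example (not Tryton code): leaking a hidden field through search order,
and the read-access check on order fields that closes the hole."""
import random
from statistics import NormalDist

# Constructed dataset: 200 employees whose confidential cost_price is drawn
# from N(50, 10). A fixed seed keeps the numbers reproducible.
random.seed(1)
EMPLOYEES = [
    {"id": i, "name": f"employee-{i:03d}", "cost_price": random.gauss(50, 10)}
    for i in range(200)
]

# Hypothetical per-group field read access (stand-in for Tryton's field access rules).
READ_ACCESS = {
    "basic": {"id", "name"},                  # cannot read cost_price
    "manager": {"id", "name", "cost_price"},  # can read everything
}


class AccessError(Exception):
    """Raised when a search orders on a field the user may not read."""


def search_vulnerable(user, order):
    """Pre-fix behaviour: `user` is ignored for ordering, so the ORDER BY is
    applied on any field and the returned id sequence leaks the ranking of the
    hidden field even though its values are never returned."""
    key, direction = order[0]
    rows = sorted(EMPLOYEES, key=lambda r: r[key], reverse=(direction == "DESC"))
    return [row["id"] for row in rows]


def order_is_allowed(user, order):
    """The check the fix adds: every field named in `order` must be readable."""
    readable = READ_ACCESS[user]
    return all(field in readable for field, _direction in order)


def search_fixed(user, order):
    """Post-fix behaviour: refuse the search instead of silently sorting."""
    if not order_is_allowed(user, order):
        bad = [f for f, _ in order if f not in READ_ACCESS[user]]
        raise AccessError(f"user {user!r} has no read access to order field(s) {bad}")
    return search_vulnerable(user, order)


def infer_from_order(ordered_ids, assumed):
    """Inference from the leaked order alone: the record at rank r of n is
    guessed to sit at quantile (r + 0.5) / n of the attacker's assumed
    distribution. Nothing but the ids and that model is used."""
    n = len(ordered_ids)
    return {rid: assumed.inv_cdf((rank + 0.5) / n) for rank, rid in enumerate(ordered_ids)}


def mean_abs_error(estimates):
    """Average distance between guessed and true cost_price over all rows."""
    return sum(abs(estimates[r["id"]] - r["cost_price"]) for r in EMPLOYEES) / len(EMPLOYEES)


def demo():
    """Attack the vulnerable search with the correct distribution model and
    compare against a blind guess (everyone = the mean) that ignores the order."""
    leaked = search_vulnerable("basic", [("cost_price", "ASC")])
    attack = mean_abs_error(infer_from_order(leaked, NormalDist(50, 10)))
    blind = mean_abs_error({r["id"]: 50.0 for r in EMPLOYEES})
    return {"attack_mae": attack, "blind_mae": blind}


if __name__ == "__main__":
    result = demo()
    print(f"blind guess error : {result['blind_mae']:.2f}")
    print(f"order-leak error  : {result['attack_mae']:.2f}")
    try:
        search_fixed("basic", [("cost_price", "ASC")])
    except AccessError as exc:
        print("after fix:", exc)
```

The blind guess is off by roughly 8 on average (the expected absolute deviation of N(50, 10)), while the rank-based guess from the leaked order lands within a couple of units of each true value; the only thing the attacker needed was the id order and a plausible distribution for the hidden column. order_is_allowed() is the whole of the fix in this toy: the changeset fe7c89493b56, "Check read access on field in search order", applies the same idea inside trytond.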
History

Date                 User         Action  Args
2019-04-05 11:01:04  ced          set     status: testing -> resolved
2019-04-05 10:47:49  yangoon      set     status: resolved -> testing; messages: + msg48421
2019-04-02 22:19:26  ced          set     status: chatting -> resolved
2019-04-02 22:19:19  ced          set     status: resolved -> chatting; messages: + msg48341
2019-04-02 19:07:16  roundup-bot  set     nosy: + roundup-bot; messages: + msg48340
2019-04-02 19:07:07  ced          set     status: testing -> resolved
2019-03-26 00:02:28  ced          set     messages: + msg48017
2019-03-25 14:32:24  yangoon      set     messages: + msg48012
2019-03-25 09:59:28  ced          set     messages: + msg48007
2019-03-25 09:59:08  ced          set     messages: + msg48006