Created on 2019-03-09.11:53:25 by ced, last changed 32 months ago by ced.
CVE-2019-10868 was assigned by the Debian project to this issue. Please include this identifier whenever you refer to this issue.
The news is scheduled to be published tomorrow April 3rd at 8:00 CEST.
New changeset fe7c89493b56 by Cédric Krier in branch 'default': Check read access on field in search order https://hg.tryton.org/tryton-env/rev/fe7c89493b56
I guess the place is https://discuss.tryton.org/c/organisation
> I do not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.

I would like to hear the reasons for your personal opinion.

> This issue is not the right place to discuss CVE.

Where is the right place?
This issue is not the right place to discuss CVE.
I do not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.
Hi all, I tried to request a CVE number for this issue. This is no longer possible directly via Debian, because the policy of mitre.org has changed and Debian now assigns CVEs only for internal issues. Nevertheless I was reassured that requests via https://cveform.mitre.org/ are answered in a timely manner. I tried that, but couldn't proceed for these reasons:
- Tryton is not yet registered as a vendor. This should be done with an appropriate mail address by the maintainer or a foundation member.
- 'Suggested description of the vulnerability for use in the CVE' should be the one on the publication, to which I have no access.
@ced, @nicoe: Could you please take the appropriate steps to get proper CVE numbers for the project?
* Cédric Krier: " [issue8189] Guessing order on field without access" (Sun, 24 Mar 2019 16:18:43 +0100):
> Cédric Krier <firstname.lastname@example.org> added the comment:
>
> Here is review279061002
> I wrote a news at
> https://discuss.tryton.org/t/security-releate-for-issue8189/1262

"Sorry, you don't have access to that topic!" for me.

--
Mathias Behrle
MBSolutions
Gilgenmatten 10 A
D-79114 Freiburg
Tel: +49(761)471023
Fax: +49(761)4770816
http://www.m9s.biz
UStIdNr: DE 142009020
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
Here is review279061002
I wrote a news post at https://discuss.tryton.org/t/security-releate-for-issue8189/1262
I propose to make the security release on the next bugfix release batch, which will be around 1st April.
Similar to issue7766, it is possible to retrieve the order of a field for which the user has no read access. E.g.:

Employee.search(, order=[('cost_price', 'ASC')])

By reading https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/, it shows that it is possible to guess the values if the data has a normal distribution and if we know the maximal range, even if we are not in the exact same situation as described. Knowing the order of such a field may leak too much data.

So I propose to use the same solution as for issue7766 and check read access on the field used in order.
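The mitigation the issue proposes, as an added example that is not code from Tryton or from the linked changeset: every field named in a search `order` is checked for read access before any sorting happens, so a caller without access to `cost_price` cannot learn the ranking of records by that field from the returned ids. The example assumes (hypothetically) Tryton-style order clauses of the form `(field_path, 'ASC'|'DESC')`, dotted paths such as `company.revenue` that follow a relation, and a constructed `FieldAccess` class standing in for the field access table; the schema and employee records are constructed sample data.

```python
# Added example (not Tryton's code): refuse search orders that name fields the
# user may not read, the check proposed in the issue. Hypothetical assumptions:
# order clauses are (field_path, direction) tuples, a dotted path follows a
# relation to another model, and read rights come from the constructed
# FieldAccess class. SCHEMA and EMPLOYEES are constructed sample data.


class AccessError(Exception):
    """Raised when an order clause names a field the user may not read."""


# Constructed schema: model -> {field name: related model, or None if scalar}
SCHEMA = {
    'employee': {'id': None, 'name': None, 'cost_price': None,
                 'company': 'company'},
    'company': {'id': None, 'name': None, 'revenue': None},
}

# Constructed records; related records are embedded as nested dicts.
EMPLOYEES = [
    {'id': 1, 'name': 'Alice', 'cost_price': 70,
     'company': {'id': 10, 'name': 'Acme', 'revenue': 500}},
    {'id': 2, 'name': 'Bob', 'cost_price': 40,
     'company': {'id': 11, 'name': 'Zeta', 'revenue': 300}},
    {'id': 3, 'name': 'Carol', 'cost_price': 55,
     'company': {'id': 10, 'name': 'Acme', 'revenue': 500}},
]


class FieldAccess:
    """Constructed field-level ACL: a set of (model, field) pairs that are denied.

    Unlisted fields are readable, mirroring a default-allow field access table.
    """

    def __init__(self, denied=()):
        self.denied = set(denied)

    def can_read(self, model, field):
        return (model, field) not in self.denied


def check_order_access(model, order, access, schema=SCHEMA):
    """Check read access on every field referenced by `order`.

    Each segment of a dotted path is checked against the model it belongs to,
    so ordering on 'company.revenue' needs read access to employee.company and
    to company.revenue. Returns the (model, field) pairs that were checked.
    """
    checked = []
    for field_path, direction in order:
        if direction not in ('ASC', 'DESC'):
            raise ValueError(f'bad direction {direction!r}')
        current = model
        for segment in field_path.split('.'):
            fields = schema.get(current, {})
            if segment not in fields:
                raise ValueError(f'unknown field {current}.{segment}')
            if not access.can_read(current, segment):
                # Refuse before any sorting: the sorted id list alone would
                # reveal the relative values of the protected field.
                raise AccessError(f'no read access to {current}.{segment}')
            checked.append((current, segment))
            current = fields[segment]
    return checked


def _resolve(record, field_path):
    """Follow a dotted path through nested record dicts."""
    value = record
    for segment in field_path.split('.'):
        value = value[segment]
    return value


def search(model, records, order, access, schema=SCHEMA):
    """Return record ids sorted by `order`, but only after the access check."""
    check_order_access(model, order, access, schema)
    result = list(records)
    # Stable sorts applied from the last clause to the first yield the
    # combined multi-key ordering.
    for field_path, direction in reversed(order):
        result.sort(key=lambda r: _resolve(r, field_path),
                    reverse=(direction == 'DESC'))
    return [r['id'] for r in result]


if __name__ == '__main__':
    everyone = FieldAccess()
    restricted = FieldAccess(denied=[('employee', 'cost_price')])
    print(search('employee', EMPLOYEES, [('cost_price', 'ASC')], everyone))
    try:
        search('employee', EMPLOYEES, [('cost_price', 'ASC')], restricted)
    except AccessError as e:
        print('rejected:', e)
```

The check walks the path segment by segment rather than only testing the first field name, since an ordering on a related record's protected field (`company.revenue`) leaks that field's ranking just as an ordering on a local field does.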
History:

|Date||User||Action||Args|
|2019-04-05 11:01:04||ced||set||status: testing -> resolved|
|2019-04-05 10:47:49||yangoon||set||status: resolved -> testing, messages: + msg48421|
|2019-04-02 22:19:26||ced||set||status: chatting -> resolved|
|2019-04-02 22:19:19||ced||set||status: resolved -> chatting, messages: + msg48341, messages: + msg48340|
|2019-04-02 19:07:07||ced||set||status: testing -> resolved|
|2019-03-26 00:02:28||ced||set||messages: + msg48017|
|2019-03-25 14:32:24||yangoon||set||messages: + msg48012|
|2019-03-25 09:59:28||ced||set||messages: + msg48007|
|2019-03-25 09:59:08||ced||set||messages: + msg48006|