Guessing order on field without access

Similar to #7766 (closed), it is possible to retrieve the order of a field for which user has no read access.
E.g.: Employee.search([], order=[('cost_price', 'ASC')])

By reading [1], it shows that it is possible to guess the values if the data has a normal distribution and if we know the maximal range. Even if we are not in the exact same situation as described. Knowing the order of such field may leak too much data.

So I propose to use the same solution as for #7766 (closed) and check read access on the field used in order.

[1] https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/

assigned to @ced

added trytond + 1 deleted label

Here is review279061002
I wrote a news at https://discuss.tryton.org/t/security-releate-for-#8189/1262
I propose to make the security release on the next bugfix release batch which will be around 1st April.

added 1 deleted label and removed 1 deleted label

* Cédric Krier: " [#8189 (closed)] Guessing order on field without access" (Sun, 24
Mar 2019 16:18:43 +0100):

> Cédric Krier <cedric.krier@b2ck.com> added the comment:
>
> Here is review279061002
> I wrote a news at
> https://discuss.tryton.org/t/security-releate-for-#8189/1262

Sorry, you don't have access to that topic!
for me.

--

Mathias Behrle
MBSolutions
Gilgenmatten 10 A
D-79114 Freiburg

Tel: +49(761)471023
Fax: +49(761)4770816
http://www.m9s.biz
UStIdNr: DE 142009020
PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6

Hi all,

I tried to request a CVE number for this issue.

This is no more possible directly via Debian, because the policy of mitre.org has changed and Debian assigns now only CVEs for internal issues. Nevertheless I was re-assured that requests via https://cveform.mitre.org/ are answered in a timely manner.

I tried that, but couldn't proceed for those reasons:
- Tryton is not yet registered as a vendor. This should be done with an appropriate mail address by the maintainer or a foundation member.
- 'Suggested description of the vulnerability for use in the CVE' should be that on the publication to which I have no access.

@ced, @nicoe: Could you please take the appropriate steps to get proper CVE numbers for the project?

I do not not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.

This issue is not the right place to discuss CVE.

> I do not not care about CVE. My last experience with their process was a mess and a waste of time that I do not want to repeat.

I would like to hear the reasons for your personal opinion.

> This issue is not the right place to discuss CVE.

Where is the right place?

I guess the place is https://discuss.tryton.org/c/organisation

made the issue visible to everyone

added 1 deleted label and removed 1 deleted label

closed

New changeset fe7c89493b56 by Cédric Krier in branch 'default':
Check read access on field in search order
https://hg.tryton.org/tryton-env/rev/fe7c89493b56

The new is scheduled to be published tomorrow April 3rd at 8:00 CEST.

made the issue confidential

added 1 deleted label and removed 1 deleted label

reopened

added 1 deleted label and removed 1 deleted label

closed

made the issue visible to everyone

CVE-2019-10868 was assigned by the Debian project to this issue. Please include this identifier whenever you refer to this issue.

made the issue confidential

added 1 deleted label and removed 1 deleted label

reopened

made the issue visible to everyone

added 1 deleted label and removed 1 deleted label

closed