Version in base suite: 6.0.29-2+deb12u2 Base version: tryton-server_6.0.29-2+deb12u2 Target version: tryton-server_6.0.29-2+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tryton-server/tryton-server_6.0.29-2+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tryton-server/tryton-server_6.0.29-2+deb12u3.dsc changelog | 21 ++++ patches/04_check_read_access_of_reports_records_13505.patch | 32 ++++++ patches/05_retrieve_groups_actions_wo_check_access_13506.patch | 47 ++++++++++ patches/series | 2 4 files changed, 102 insertions(+)
diff -Nru tryton-server-6.0.29/debian/changelog tryton-server-6.0.29/debian/changelog
--- tryton-server-6.0.29/debian/changelog 2024-04-18 09:59:53.000000000 +0000
+++ tryton-server-6.0.29/debian/changelog 2024-09-20 07:20:49.000000000 +0000
@@ -1,3 +1,24 @@
+tryton-server (6.0.29-2+deb12u3) bookworm-security; urgency=high
+
+ * Add patches for security release
+ https://discuss.tryton.org/t/security-release-for-
+ issues-13505-and-13506.
+ - Add 04_check_read_access_of_reports_records_13505.patch:
+ Check read access of report records.
+ Since 982a131026e7 the access rights are no more checked on instances.
+ So anyone who has access to the report action, can execute the report
+ for any records.
+
+ - Add 05_retrieve_groups_actions_wo_check_access_13506.patch:
+ Check read access of report records.
+ get_groups does not always returns the group of the action.
+ When the method is called with access checked as there is a record rule
+ on ir.action, the method returns an empty set of group ids. This is
+ because no actions were found if the user does not share a group.
+ This makes that check access of Report and Wizard never raise an error.
+
+ -- Mathias Behrle Fri, 20 Sep 2024 09:20:49 +0200
+
 tryton-server (6.0.29-2+deb12u2) bookworm; urgency=medium
 * Add 03_deny_compressed_content_from_unauth_request.patch.
diff -Nru tryton-server-6.0.29/debian/patches/04_check_read_access_of_reports_records_13505.patch tryton-server-6.0.29/debian/patches/04_check_read_access_of_reports_records_13505.patch
--- tryton-server-6.0.29/debian/patches/04_check_read_access_of_reports_records_13505.patch 1970-01-01 00:00:00.000000000 +0000
+++ tryton-server-6.0.29/debian/patches/04_check_read_access_of_reports_records_13505.patch 2024-09-20 07:07:28.000000000 +0000
@@ -0,0 +1,32 @@
+Description: Check read access of report records.
+ This patch is part of the fix for
+ https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846
+ Since 982a131026e7 the access rights are no more checked on instances.
+ So anyone who has access to the report action, can execute the report to any records.
+Author: Cédric Krier
+Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13505
+
+--- a/trytond/report/report.py
++++ b/trytond/report/report.py
+@@ -143,6 +143,7 @@
+ '''
+ pool = Pool()
+ ActionReport = pool.get('ir.action.report')
++ ModelAccess = pool.get('ir.model.access')
+ cls.check_access()
+
+ action_id = data.get('action_id')
+@@ -180,6 +181,13 @@
+ if model:
+ records = cls._get_records(ids, model, data)
+
++ with Transaction().set_context(_check_access=True):
++ if model:
++ Model = pool.get(model)
++ ModelAccess.check(model, 'read')
++ # Check read access
++ Model.read(ids, ['id'])
++
+ if not records:
+ groups = [[]]
+ headers = [{}]
diff -Nru tryton-server-6.0.29/debian/patches/05_retrieve_groups_actions_wo_check_access_13506.patch tryton-server-6.0.29/debian/patches/05_retrieve_groups_actions_wo_check_access_13506.patch
--- tryton-server-6.0.29/debian/patches/05_retrieve_groups_actions_wo_check_access_13506.patch 1970-01-01 00:00:00.000000000 +0000
+++ tryton-server-6.0.29/debian/patches/05_retrieve_groups_actions_wo_check_access_13506.patch 2024-09-20 07:07:28.000000000 +0000
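Review bot: The read-access check in the second hunk runs only after `records = cls._get_records(ids, model, data)` has already been evaluated, and it repeats the `if model:` guard of the line directly above it; folding `ModelAccess.check(model, 'read')` and `Model.read(ids, ['id'])` into that existing branch, ahead of the `_get_records` call, refuses the request before any record is loaded. Whether `_get_records` reads field values or only browses the ids is outside the hunk, so the ordering matters only if it does. The check also relies on `Model.read` raising for ids outside the caller's record rules once `_check_access` is set; a comment such as `# read() raises for ids the user's record rules do not cover` would make clear why only `['id']` is read. The enclosing classmethod starts and ends outside the hunk.
```python
        if model:
            Model = pool.get(model)
            with Transaction().set_context(_check_access=True):
                ModelAccess.check(model, 'read')
                # read() raises for ids the user's record rules do not cover
                Model.read(ids, ['id'])
            records = cls._get_records(ids, model, data)
        # … unchanged: rest of the method …
```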
@@ -0,0 +1,47 @@
+Description: Check read access of report records.
+ This patch is part of the fix for
+ https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846
+ get_groups does not always returns the group of the action.
+ When the method is called with access checked as there is a record rule on ir.action,
+ the method returns an empty set of group ids. This is because no actions were found
+ if the user does not share a group. This makes that check access of Report and Wizard
+ never raise an error.
+Author: Cédric Krier
+Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13506
+
+--- a/trytond/res/ir.py
++++ b/trytond/res/ir.py
+@@ -3,6 +3,7 @@
+ from trytond.model import ModelSQL, DeactivableMixin, fields
+ from trytond.pool import Pool, PoolMeta
+ from trytond.pyson import Eval
++from trytond.transaction import Transaction
+
+
+ class UIMenuGroup(ModelSQL):
+@@ -85,15 +86,16 @@
+
+ @classmethod
+ def get_groups(cls, name, action_id=None):
+- # TODO add cache
+- domain = [
+- (cls._action_name, '=', name),
+- ]
+- if action_id:
+- domain.append(('id', '=', action_id))
+- actions = cls.search(domain)
+- groups = {g.id for a in actions for g in a.groups}
+- return groups
++ with Transaction().set_context(_check_access=False):
++ # TODO add cache
++ domain = [
++ (cls._action_name, '=', name),
++ ]
++ if action_id:
++ domain.append(('id', '=', action_id))
++ actions = cls.search(domain)
++ groups = {g.id for a in actions for g in a.groups}
++ return groups
+
+
+ class ActionReport(ActionMixin):
diff -Nru tryton-server-6.0.29/debian/patches/series tryton-server-6.0.29/debian/patches/series
--- tryton-server-6.0.29/debian/patches/series 2024-04-18 09:38:06.000000000 +0000
+++ tryton-server-6.0.29/debian/patches/series 2024-09-20 06:55:42.000000000 +0000
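Review bot: `get_groups` now disables access checks for its whole body, but the code carries no explanation of why, and the reason lives only in the patch header; a maintainer who later sees `_check_access=False` on a search of `ir.action` has nothing in `ir.py` telling them that removing it reopens the issue. A comment above the `with` such as `# Search without access check: record rules on ir.action hide actions whose groups the user does not share, and an empty result lets the caller's access check pass` documents the intent where it is read. The `# TODO add cache` comment could sit above the `with` as well, so the contract is stated before the implementation detail. `get_groups` is complete within the hunk; the class that defines it starts outside it.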
@@ -1,3 +1,5 @@
 01_avoid_call_to_pypi.patch
 02_enforce_record_rules.patch
 03_deny_compressed_content_from_unauth_request.patch
+04_check_read_access_of_reports_records_13505.patch
+05_retrieve_groups_actions_wo_check_access_13506.patch