Version in base suite: 5.0.33-2+deb11u1 Base version: tryton-server_5.0.33-2+deb11u1 Target version: tryton-server_5.0.33-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tryton-server/tryton-server_5.0.33-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tryton-server/tryton-server_5.0.33-2+deb11u2.dsc changelog | 9 +++++ patches/05_enforce_record_rules.patch | 54 ++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 64 insertions(+) diff -Nru tryton-server-5.0.33/debian/changelog tryton-server-5.0.33/debian/changelog --- tryton-server-5.0.33/debian/changelog 2022-03-09 11:04:36.000000000 +0000 +++ tryton-server-5.0.33/debian/changelog 2023-08-22 13:53:54.000000000 +0000 @@ -1,3 +1,12 @@ +tryton-server (5.0.33-2+deb11u2) bullseye-security; urgency=high + + * Add 05_enforce_record_rules.patch. + This patch fixes the information disclosure leak when reading from + function fields with record rules + https://discuss.tryton.org/t/security-release-for-issue-12428/6397 + + -- Mathias Behrle Tue, 22 Aug 2023 15:53:54 +0200 + tryton-server (5.0.33-2+deb11u1) bullseye-security; urgency=high * This release contains fixes for XML parsing vulnerabilities: diff -Nru tryton-server-5.0.33/debian/patches/05_enforce_record_rules.patch tryton-server-5.0.33/debian/patches/05_enforce_record_rules.patch --- tryton-server-5.0.33/debian/patches/05_enforce_record_rules.patch 1970-01-01 00:00:00.000000000 +0000 +++ tryton-server-5.0.33/debian/patches/05_enforce_record_rules.patch 2023-08-22 13:52:03.000000000 +0000 
@@ -0,0 +1,54 @@ +Description: Enforce record rules when only reading fields without an SQL type. + This patch fixes the information disclosure leak when reading from + function fields with record rules + https://discuss.tryton.org/t/security-release-for-issue-12428/6397 +Author: Cédric Krier +Bug: https://foss.heptapod.net/tryton/tryton/-/issues/12428 + +--- a/trytond/model/modelsql.py ++++ b/trytond/model/modelsql.py +@@ -723,7 +723,7 @@ + Coalesce(table.write_date, table.create_date) + ).cast(sql_type).as_('_timestamp')) + +- if len(columns): ++ if len(columns) or domain: + if 'id' not in fields_names: + columns.append(table.id.as_('id')) + +--- a/trytond/tests/test_rule.py ++++ b/trytond/tests/test_rule.py +@@ -282,6 +282,33 @@ + TestRule.read([test.id]) + + @with_transaction() ++ def test_perm_read_with_rule_no_sql_type_fail(self): ++ "Test read with rule fail and without SQL type" ++ pool = Pool() ++ TestRule = pool.get('test.rule') ++ RuleGroup = pool.get('ir.rule.group') ++ Model = pool.get('ir.model') ++ ++ model, = Model.search([('model', '=', 'test.rule')]) ++ rule_group, = RuleGroup.create([{ ++ 'name': "Field different from foo", ++ 'model': model.id, ++ 'global_p': True, ++ 'perm_read': True, ++ 'perm_create': False, ++ 'perm_write': False, ++ 'perm_delete': False, ++ 'rules': [('create', [{ ++ 'domain': json.dumps( ++ [('field', '!=', 'foo')]), ++ }])], ++ }]) ++ test, = TestRule.create([{'field': 'foo'}]) ++ ++ with self.assertRaises(UserError): ++ TestRule.read([test.id], ['rec_name']) ++ ++ @with_transaction() + def test_search_without_rule(self): + "Test search without rule" + pool = Pool() diff -Nru tryton-server-5.0.33/debian/patches/series tryton-server-5.0.33/debian/patches/series --- tryton-server-5.0.33/debian/patches/series 2022-03-09 10:51:23.000000000 +0000 +++ tryton-server-5.0.33/debian/patches/series 2023-08-22 13:50:01.000000000 +0000 
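Review bot: The changed condition in modelsql.py (`if len(columns) or domain:`) carries no explanation of why an empty column list must still reach the database, so a later cleanup could revert it as dead work; a why-comment on that line would pin the intent, e.g. `# query even with no SQL columns so the record-rule domain is still enforced`. Whether a denied read then raises depends on code after the hunk that handles rows missing from the result, which is outside this view, and the enclosing read() starts and ends outside the hunk. As a point of style, `if columns or domain:` is the idiomatic form of that test. The new test in test_rule.py covers only the denied case; a sibling test that a permitted read of `['rec_name']` under the same rule still succeeds would guard the allowed path, and the test relies on `json` already being imported in test_rule.py, which the hunk does not show.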
@@ -2,3 +2,4 @@
 02_avoid_call_to_pypi.patch
 03_werkzeug10_compatibility.patch
 04_CVE-2022-26661_CVE-2022-26662.patch
+05_enforce_record_rules.patch