Bug 1293282 - (CVE-2015-0861) CVE-2015-0861 trytond: Missing checks of access permissions when writing to record fields
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20151217,reported=2...
: Security
Depends On: 1293284 1293283
Reported: 2015-12-21 05:28 EST by Adam Mariš
Modified: 2015-12-21 05:28 EST
Fixed In Version: trytond 3.8.1, trytond 3.6.5, trytond 3.4.8, trytond 3.2.10
Doc Type: Bug Fix
Description Adam Mariš 2015-12-21 05:28:08 EST
It was found that an authenticated malicious user can write arbitrary values in record fields due to missed checks of access permissions when multiple records are written.

Upstream patch:

http://hg.tryton.org/trytond/rev/06230c381593/

Upstream advisory:

http://www.tryton.org/posts/security-release-for-issue5167.html
Comment 1 Adam Mariš 2015-12-21 05:28:44 EST
Created trytond tracking bugs for this issue:

Affects: fedora-all [bug 1293283]
Affects: epel-all [bug 1293284]
