Comment 6 for bug 1196847

Olivier Dony (Odoo) (odo-openerp) wrote :

Hi,

This mechanism allows the OpenERP Security Team to send important notification messages to the relevant OpenERP users, for example for very critical security notifications. It was used in the past to notify all users (not just OE/OPW customers!) about a critical vulnerability in OpenERP 6.0 that needed to be patched urgently [1], and all users of affected versions received a notification. This mechanism is meant to be unobtrusive but it is enabled by default.

Now about your bug report, it's not clear why you are claiming this could allow "arbitrary code execution"?

The return value from the OpenERP Publisher Warranty Servers is always passed to safe_eval (without eval context, which means it is very similar to literal_eval). So unless you want to report a security issue about `safe_eval` (which would be important in its own right), the worst this issue can cause, in case an attacker performed a prior successful attack on the machine's DNS servers (or upstream ones) or on the Publisher Warranty Servers is:
 - leak information about the OpenERP installation to the attacker
 - allow the attacker to send messages to OpenERP users

Even if this were a significant problem, it is greatly mitigated by the fact that a prior successful attack is necessary, and still seems to be far from arbitrary code execution.

The fact that this code is located in the mail module is indeed questionable, and is because its main purpose is to be able to send urgent notifications to the users, which is made easiest using the mail facilities. This could be refactored to have the main code in `base` and some default fallback notification system, with `mail` extending it with regular mail notifications.

Thank you for clarifying your bug description.

PS: The appropriate way to report security issues is always to make them private initially (regardless of any public information about the subject), then to discuss the full disclosure with the security team, ensuring that all appropriate measures are taken in a timely manner (validated patches, proper description of the issue and its consequences, notification to customers, etc.).
Disregarding this procedure is very unfortunate for all OpenERP users, and I'm not sure you would appreciate anyone else doing the same for any issue they would have found first.
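The comment above argues that the impact is bounded because the server's response goes through `safe_eval` without an evaluation context, i.e. it is only parsed as a literal. The following is an added illustration of that parsing model; it is not OpenERP's own code. It uses Python's `ast.literal_eval` as a stand-in for OpenERP's `safe_eval` (an assumption made for the example), and the two response strings are constructed here, not real Publisher Warranty payloads. It shows that a literal-only parser yields a plain dict of notification fields for a well-formed response and rejects anything containing a name lookup, attribute access or call before any code runs, which is why the worst case discussed above is a spoofed message rather than execution.

```python
import ast

# Constructed sample responses standing in for what a Publisher Warranty
# server might return. Both strings are invented for this example.
BENIGN_RESPONSE = (
    "{'messages': [{'subject': 'Security notice', "
    "'body': 'Please apply the update.'}], 'version': '6.0'}"
)
# Looks like an expression, not a literal: a literal-only parser must refuse it.
HOSTILE_RESPONSE = "__import__('os').getcwd()"


def parse_warranty_response(text):
    """Parse a server response as a Python literal only.

    ast.literal_eval accepts strings, numbers, tuples, lists, dicts, sets,
    booleans and None. Any name, attribute access or call is rejected with
    ValueError (or SyntaxError for unparsable input) before anything executes,
    which is the property the comment relies on for safe_eval without context.
    """
    value = ast.literal_eval(text)
    if not isinstance(value, dict):
        raise ValueError("expected a dict of notification fields")
    return value


def extract_messages(text):
    """Return (subject, body) pairs from a response, or [] if it is rejected.

    A rejected payload produces no notification at all; a well-formed but
    attacker-controlled payload can at most produce a message to display,
    which matches the two impacts listed in the comment.
    """
    try:
        data = parse_warranty_response(text)
    except (ValueError, SyntaxError):
        return []
    pairs = []
    for msg in data.get("messages", []):
        if isinstance(msg, dict):
            pairs.append((str(msg.get("subject", "")), str(msg.get("body", ""))))
    return pairs


def is_rejected(text):
    """True when the literal-only parser refuses the payload outright."""
    try:
        parse_warranty_response(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("benign:", extract_messages(BENIGN_RESPONSE))
    print("hostile rejected:", is_rejected(HOSTILE_RESPONSE))
```

Run it as-is to see the benign payload become a list of subject/body pairs while the hostile string is rejected without evaluating anything. The structural check that the result is a dict, and the per-message `isinstance` checks, are the part a defender would add on top of literal parsing: they keep a spoofed response from being fed into the notification code as an unexpected type.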