Bug 1122675 (CVE-2019-3681)

Summary: VUL-0: CVE-2019-3681: osc: stores downloaded (supposed) RPM in network-controlled filesystem paths
Product: [Internal Novell Products] openSUSE Build Service Reporter: Malte Kraus <malte.kraus>
Component: oscAssignee: Marco Strigl <marco.strigl>
Status: RESOLVED FIXED QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, adrian.schroeter, jsegitz, marco.strigl, meissner, security-team, suse-tux, wolfgang.frisch
Version: master   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/223710/
Whiteboard: CVSSv3:SUSE:CVE-2019-3681:4.2:(AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1119444    

Description Malte Kraus 2019-01-21 15:27:47 UTC 
from bnc#1119444:
> > osc/fetch.py/move_package: this builds the destination file name based on the contents of the downloaded file. An attacker with MITM capabilities can manipulate that file name to contains slashes (see osc/util/*query.py), then the package will be stored in an unintended file system location. This way, arbitrary files can be overwritten. At this point, signatures of the package have not been verified.
> 
> You need to bypass SSL and/or deliver from a "trusted" project for that. But
> yes, the code can be improved, can you open
> a dedicated report for this?

Scenario: someone builds a package they trust from e.g. a coffee shop (open Wi-Fi). (Or the ISP gets asked to fiddle with some packets.)

If I'm reading the output of 'osc buildinfo' right, OBS and IBS use plain HTTP for downloads, so TLS doesn't come into play.

I guess an evil project RPM repository does make exploiting this even easier (no man-in-the-middle required), but at least there's a scary warning when trusting a new project.
Comment 2 Malte Kraus 2020-03-02 12:47:47 UTC 
This issue will be handled according to our disclosure policy outlined in
https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not make this bug public
- do not submit this into OBS (e.g. fix Leap) until this is public

In accordance with our policy we will make this issue public latest at

Internal CRD: 2020-05-31 or earlier

This is the latest possible date and we prefer to make it public earlier if the
situation allows it. In that case we'll post a comment here setting the new date.

Only a member of the security team is allowed to make this issue public. Please speak to us if you want to take part in  the public disclosure.

In doubt please talk to us on IRC (#security) or send us a mail (security@suse.de).
Comment 3 Adrian Schröter 2020-04-01 11:49:54 UTC 
The download protocol matters on the mirror, it can be http, yes.

But the validation happens via gpg.

So I do not see a security issue here.
Comment 4 Malte Kraus 2020-04-01 11:52:29 UTC 
I haven't looked at this in a year, but from comment #0:

> At this point, signatures of the package have not been verified.

So, GPG doesn't seem to be a protection at all.
Comment 5 Adrian Schröter 2020-04-01 11:58:05 UTC 
ah, sorry ... one need to scroll in that comment to see it, sorry.

Re-assigning it to Marco
Comment 10 Marcus Hüwe 2020-05-27 09:42:01 UTC 
(In reply to Malte Kraus from comment #0)
> from bnc#1119444:
> > > osc/fetch.py/move_package: this builds the destination file name based on the contents of the downloaded file.

Good catch! Thanks a lot!
Comment 11 OBSbugzilla Bot 2020-05-28 08:10:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1122675) was mentioned in
https://build.opensuse.org/request/show/809833 Factory / osc
Comment 13 OBSbugzilla Bot 2020-05-29 19:20:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1122675) was mentioned in
https://build.opensuse.org/request/show/810270 Factory / osc
Comment 15 Swamp Workflow Management 2020-06-03 16:14:14 UTC 
SUSE-SU-2020:1528-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    osc-0.162.1-15.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    osc-0.162.1-15.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-06-19 16:13:42 UTC 
SUSE-SU-2020:1695-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    osc-0.169.1-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-06-22 22:20:17 UTC 
openSUSE-SU-2020:0852-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
openSUSE Leap 15.1 (src):    osc-0.169.1-lp151.2.15.1
Comment 18 Swamp Workflow Management 2020-07-08 13:13:37 UTC 
SUSE-SU-2020:1695-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    osc-0.169.1-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Johannes Segitz 2022-02-24 09:35:43 UTC 
done
Comment 21 Swamp Workflow Management 2022-12-07 20:21:34 UTC 
SUSE-SU-2022:4351-1: An update that solves two vulnerabilities, contains one feature and has 22 fixes is now available.

Category: security (important)
Bug References: 1089025,1097996,1122675,1125243,1126055,1126058,1127932,1129757,1129889,1131512,1136584,1137477,1138165,1138977,1140697,1142518,1142662,1144211,1154972,1155953,1156501,1160446,1166537,1173926
CVE References: CVE-2019-3681,CVE-2019-3685
JIRA References: OBS-203
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    osc-0.182.0-15.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 OBSbugzilla Bot 2023-03-15 11:15:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1122675) was mentioned in
https://build.opensuse.org/request/show/1072082 Tools / osc