Bugzilla – Bug 967265
VUL-1: CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection
Last modified: 2022-01-25 14:35:53 UTC
affected packages:
* obs-service-source_validator
* obs-service-extract_file
* obs-service-download_files
* obs-service-recompress
* obs-service-verify_file
This is an autogenerated message for OBS integration: This bug (967265) was mentioned in
https://build.opensuse.org/request/show/360185 13.2 / obs-service-source_validator+obs-service-recompress+obs-service-verify_file+obs-service-extract_file+obs-service-download_files
https://build.opensuse.org/request/show/360186 42.1 / obs-service-verify_file+obs-service-download_files+obs-service-extract_file+obs-service-source_validator+obs-service-recompress
bugbot adjusting priority
Moving to security incidents for review
Frank, please fix the regression bug 967610 and resubmit for SLE 12.
Please also include this bsc# into the new submit. Its needed for tracking.
Thanks for your hints. Commit https://github.com/openSUSE/obs-service-source_validator/pull/31/files is waiting for Rudi's review. Must the bsc# already be in the git commit message, or only in the OBS submit request?
In the .changes files of the submission for us. I think it is also nice to have in the git commit message.
https://github.com/M0ses/obs-service-source_validator/commit/d469a76a613d585ede82e2a7857a5ad620364ea8 is the initial commit of the security fixes I think.
As far as I see, if existing source directories have weird filenames (with shell special characters), running source services locally might put local developers at risk.
this probably should not be rated critical?
obs-service-format_spec_file seems to be affected as well. Fixed in https://github.com/openSUSE/obs-service-format_spec_file/pull/10
QA REPRODUCER:

touch "bar ;id; foo.spec" "foo ; bar; berk.changes"
osc service lr source_validator

before:
/usr/lib/obs/service/source_validators/20-files-present-and-referenced: line 55: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/20-files-present-and-referenced: line 55: test: too many arguments
/usr/lib/obs/service/source_validators/30-patches-applied: line 14: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/30-patches-applied: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/40-sequence-changes: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/45-stale-changes: line 23: test: too many arguments
/usr/lib/obs/service/source_validators/50-spec-version: line 14: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/50-spec-version: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/60-spec-filelist: line 13: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/60-spec-filelist: line 13: test: too many arguments

after: different errors complaining about the files only.
for i in $DIR_TO_CHECK/*.spec ; do test -f $i || continue

The $i also needs to be quoted (in all places, there are some more), but in the end the whole script is full of unquoted parameters :/
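The unquoted loop quoted above beside its quoted form, run against a constructed directory holding a filename like the one in the QA reproducer. This is an added example, not code from the bug thread or from obs-service-source_validator; the function names and the temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's code): shows why the unquoted "$i" in
# the source_validator loop breaks on filenames with spaces and shell
# metacharacters, and how quoting fixes it.

# Constructed test directory (assumption: mktemp -d is available); the
# filename mirrors the "bar ;id; foo.spec" case from the QA reproducer.
setup_dir() {
  DIR_TO_CHECK=$(mktemp -d)
  touch "$DIR_TO_CHECK/bar ;id; foo.spec" "$DIR_TO_CHECK/plain.spec"
  echo "$DIR_TO_CHECK"
}

# Vulnerable form, as in the script: $i is word-split, so `test -f` sees
# "/dir/bar", ";id;" and "foo.spec" as separate arguments and fails with
# "too many arguments" (the message seen in the reproducer). The file is
# then skipped instead of validated. Returns how many .spec files survived.
count_unquoted() {
  n=0
  for i in $1/*.spec ; do test -f $i || continue; n=$((n+1)); done
  echo "$n"
}

# Hardened form: quoting "$i" passes each path as one argument, so every
# .spec file is checked exactly once regardless of its name.
count_quoted() {
  n=0
  for i in "$1"/*.spec ; do test -f "$i" || continue; n=$((n+1)); done
  echo "$n"
}
```

With two .spec files present, the unquoted loop validates only the plainly named one while the quoted loop validates both.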
(update was rejected)
ping, please provide updated submits
sent mail to ro and meissner to find proper solution for the problems in source_validator
New PR: https://github.com/openSUSE/obs-service-source_validator/pull/36
PR merged now https://github.com/openSUSE/obs-service-source_validator/pull/36
sorry for delay. just created new SR's: https://build.opensuse.org/request/show/402014 https://build.opensuse.org/request/show/402015 https://build.suse.de/request/show/116542
openSUSE-SU-2016:1659-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
openSUSE 13.2 (src): obs-service-source_validator-0.6+git20160531.fbfe336-9.1
openSUSE-SU-2016:1660-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
openSUSE Leap 42.1 (src): obs-service-source_validator-0.6+git20160531.fbfe336-11.1
SUSE-SU-2016:1839-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): obs-service-source_validator-0.6+git20160531.fbfe336-5.3
released
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.
Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): build-20171128-8.3.3, osc-0.162.1-7.4.1