Fixing security issues on OBS toolchain SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3253-1 Final 1 1 2017-12-08T12:54:18Z current 2017-12-08T12:54:18Z 2017-12-08T12:54:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Fixing security issues on OBS toolchain This OBS toolchain update fixes the following issues: Package 'build': - CVE-2010-4226: force use of bsdtar for VMs (bnc#665768) - CVE-2017-14804: Improve file name check extractbuild (bsc#1069904) - switch baselibs scheme for debuginfo packages from foo-debuginfo-32bit to foo-32bit-debuginfo (fate#323217) Package 'obs-service-source_validator': - CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556). - Update to version 0.7 - use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858) Package 'osc': - update to version 0.162.0 - add Recommends: ca-certificates to enable TLS verification without manually installing them. (bnc#1061500) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SDK-12-SP2-2017-2028,SUSE-SLE-SDK-12-SP3-2017-2028 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173253-1/ Link for SUSE-SU-2017:3253-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003487.html E-Mail link for SUSE-SU-2017:3253-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1059858 SUSE Bug 1059858 https://bugzilla.suse.com/1061500 SUSE Bug 1061500 https://bugzilla.suse.com/1069904 SUSE Bug 1069904 https://bugzilla.suse.com/665768 SUSE Bug 665768 https://bugzilla.suse.com/938556 SUSE Bug 938556 https://www.suse.com/security/cve/CVE-2010-4226/ SUSE CVE CVE-2010-4226 page https://www.suse.com/security/cve/CVE-2017-14804/ SUSE CVE CVE-2017-14804 page https://www.suse.com/security/cve/CVE-2017-9274/ SUSE CVE CVE-2017-9274 page SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 build-20171128-9.3.2 build-initvm-s390-20171128-9.3.2 build-initvm-x86_64-20171128-9.3.2 build-mkbaselibs-20171128-9.3.2 obs-service-source_validator-0.7-9.3.1 osc-0.162.0-15.3.1 build-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 build-initvm-s390-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 build-initvm-x86_64-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 build-mkbaselibs-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 obs-service-source_validator-0.7-9.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 osc-0.162.0-15.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 build-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 build-initvm-s390-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 build-initvm-x86_64-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 build-mkbaselibs-20171128-9.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 obs-service-source_validator-0.7-9.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 osc-0.162.0-15.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 cpio, as used in build 2007.05.10, 2010.07.28, and possibly other versions, allows remote attackers to overwrite arbitrary files via a symlink within an RPM package archive. CVE-2010-4226 SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:osc-0.162.0-15.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:osc-0.162.0-15.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173253-1/ https://www.suse.com/security/cve/CVE-2010-4226.html CVE-2010-4226 https://bugzilla.suse.com/665768 SUSE Bug 665768 The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots. CVE-2017-14804 SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:osc-0.162.0-15.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:osc-0.162.0-15.3.1 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173253-1/ https://www.suse.com/security/cve/CVE-2017-14804.html CVE-2017-14804 https://bugzilla.suse.com/1069904 SUSE Bug 1069904 A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs. CVE-2017-9274 SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP2:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP2:osc-0.162.0-15.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:build-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-s390-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-initvm-x86_64-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:build-mkbaselibs-20171128-9.3.2 SUSE Linux Enterprise Software Development Kit 12 SP3:obs-service-source_validator-0.7-9.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:osc-0.162.0-15.3.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173253-1/ https://www.suse.com/security/cve/CVE-2017-9274.html CVE-2017-9274 https://bugzilla.suse.com/938556 SUSE Bug 938556