Description
Fixing security issues on OBS toolchain
This OBS toolchain update fixes the following issues:
Package 'build':
- CVE-2010-4226: force use of bsdtar for VMs (bnc#665768)
- CVE-2017-14804: Improve the file name check in extractbuild (bsc#1069904)
- switch baselibs scheme for debuginfo packages from foo-debuginfo-32bit to foo-32bit-debuginfo (fate#323217)
Package 'obs-service-source_validator':
- CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556).
- Update to version 0.7
- use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
Package 'osc':
- update to version 0.162.0
- add Recommends: ca-certificates to enable TLS verification without manually installing them. (bnc#1061500)
Package List
SUSE Linux Enterprise Software Development Kit 12 SP2
build-20171128-9.3.2
build-initvm-s390-20171128-9.3.2
build-initvm-x86_64-20171128-9.3.2
build-mkbaselibs-20171128-9.3.2
obs-service-source_validator-0.7-9.3.1
osc-0.162.0-15.3.1
SUSE Linux Enterprise Software Development Kit 12 SP3
build-20171128-9.3.2
build-initvm-s390-20171128-9.3.2
build-initvm-x86_64-20171128-9.3.2
build-mkbaselibs-20171128-9.3.2
obs-service-source_validator-0.7-9.3.1
osc-0.162.0-15.3.1
References
- Link for SUSE-SU-2017:3253-1
- E-Mail link for SUSE-SU-2017:3253-1
- SUSE Security Ratings
- SUSE Bug 1059858
- SUSE Bug 1061500
- SUSE Bug 1069904
- SUSE Bug 665768
- SUSE Bug 938556
- SUSE CVE CVE-2010-4226 page
- SUSE CVE CVE-2017-14804 page
- SUSE CVE CVE-2017-9274 page
Description
cpio, as used in build 2007.05.10, 2010.07.28, and possibly other versions, allows remote attackers to overwrite arbitrary files via a symlink within an RPM package archive.
Affected Products
SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2
References
- CVE-2010-4226
- SUSE Bug 665768
Description
The build package before 20171128 did not check directory names during extraction of build results, which allowed untrusted builds to write outside of the target directory and so escape the buildroot.
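The two extraction bugs in this update, CVE-2010-4226 (a symlink inside an RPM payload letting cpio overwrite arbitrary files) and CVE-2017-14804 (directory names of build results not checked by extractbuild), share one root cause: entries are written to paths derived from untrusted archive metadata without modelling where those paths actually land once earlier entries have created symlinks. The following is an added example, not code from the build package or from SUSE; it simulates extraction of a tar archive under a virtual root, follows symlinks created by earlier entries the way an unchecked extractor would, and lists every entry that would be written or would point outside that root. The archive contents, the root path /dest and all file names are constructed for the demonstration.

```python
import io
import posixpath
import tarfile

MAX_LINK_DEPTH = 32  # guards against symlink loops such as "self -> self"


class UnsafePath(Exception):
    """Raised when a member path or link target would leave the extraction root."""


def resolve(root, start, rel, links, depth=0):
    """Resolve `rel` (a path taken from the archive) against `start`, following any
    symlinks recorded in `links` the way a naive extractor would at write time.
    `root` is a virtual extraction root; nothing touches the real filesystem."""
    if depth > MAX_LINK_DEPTH:
        raise UnsafePath("symlink loop or chain too deep")
    if rel.startswith("/"):
        raise UnsafePath("absolute path")
    cur = start
    for comp in rel.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if cur == root:
                raise UnsafePath("'..' climbs above the extraction root")
            cur = posixpath.dirname(cur)
            continue
        cur = posixpath.join(cur, comp)
        if cur in links:  # this component is a symlink created by an earlier entry
            cur = resolve(root, posixpath.dirname(cur), links[cur], links, depth + 1)
    return cur


def find_unsafe_members(members, root="/dest"):
    """Simulate extraction of `members` (tarfile.TarInfo objects, in archive order)
    under `root` and return [(name, reason)] for every entry that would be written,
    or would point, outside `root`. Symlinks are recorded even when they are unsafe,
    because an unchecked extractor creates them and then writes later entries
    through them; that is exactly the CVE-2010-4226 pattern."""
    links = {}
    unsafe = []
    for m in members:
        try:
            path = resolve(root, root, m.name, links)
        except UnsafePath as e:
            unsafe.append((m.name, f"entry path: {e}"))
            continue
        if m.issym():
            try:
                resolve(root, posixpath.dirname(path), m.linkname, links)
            except UnsafePath as e:
                unsafe.append((m.name, f"symlink target: {e}"))
            links[path] = m.linkname
        elif m.islnk():
            try:
                resolve(root, root, m.linkname, links)
            except UnsafePath as e:
                unsafe.append((m.name, f"hardlink target: {e}"))
    return unsafe


def check_archive(data):
    """Return the unsafe entries of an in-memory tar archive given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return find_unsafe_members(tar.getmembers())


def build_demo_archive():
    """Constructed sample archive (not a real package) mixing benign entries with
    the escape techniques the check is meant to catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/README")
        add_link("pkg/docs", "share/doc")       # benign relative symlink
        add_file("pkg/docs/INSTALL")            # lands in pkg/share/doc/, still inside
        add_file("../etc/cron.d/job")           # classic dot-dot escape
        add_file("/etc/passwd")                 # absolute path
        add_link("pkg/lib", "../../usr/lib")    # symlink pointing out of the root
        add_file("pkg/lib/evil.so")             # harmless-looking name, written through the link
        add_link("pkg/self", "self")            # symlink loop
        add_file("pkg/self/x")                  # can never resolve
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in check_archive(build_demo_archive()):
        print(f"REJECT {name}: {reason}")
```

The point of the simulation is the entry `pkg/lib/evil.so`: a checker that only normalises each member name in isolation accepts it, because nothing in the name climbs upward; only by remembering that `pkg/lib` was created as a symlink to `../../usr/lib` does the check see that the file would be written into /usr/lib. An archive with any rejected entry should be refused as a whole rather than extracted partially, and the policy of rejecting absolute paths outright (instead of stripping the leading slash as tar implementations do) is a deliberate choice for build inputs, where such names have no legitimate use.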
Affected Products
SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2
References
- CVE-2017-14804
- SUSE Bug 1069904
Description
A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs.
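The fix listed above for CVE-2017-9274 stops using rpmbuild to pull Source and Patch entries out of a spec and parses the file instead. As an added illustration of that approach (not the code of obs-service-source_validator or of the build package's spec parser), the following minimal preamble parser extracts Name, Version, Source and Patch tags without handing the file to rpmbuild or rpmspec, both of which expand macros while parsing. It expands only tag references and %define/%global values itself and refuses any value containing %(...), RPM's documented shell-expansion macro; the advisory does not name the macro constructs involved, so using %(...) as the example is an assumption. The spec text is constructed for the demonstration, and the URL and file names in it are placeholders.

```python
import posixpath
import re

# Preamble tags the validator cares about, and the macro forms it will expand itself.
TAG_RE = re.compile(r"^(?P<tag>Name|Version|Release|Source\d*|Patch\d*)\s*:\s*(?P<val>.+?)\s*$", re.I)
DEFINE_RE = re.compile(r"^%(?:define|global)\s+(?P<name>\w+)\s+(?P<val>.+?)\s*$")
MACRO_RE = re.compile(r"%\{(\w+)\}|%(\w+)")
SHELL_MACRO_RE = re.compile(r"%\(")  # %(cmd): rpm runs cmd in a shell when it expands this
SECTION_RE = re.compile(r"^%(prep|build|install|check|files|changelog|package|description|pre|post|preun|postun)\b")


class UnsafeSpec(Exception):
    """A value that must not be resolved by delegating to rpm."""


def expand(value, macros, rounds=8):
    """Expand %{name} / %name references from `macros` (a plain dict). The shell
    macro check runs in every round so that a %define cannot smuggle one in."""
    for _ in range(rounds):
        if SHELL_MACRO_RE.search(value):
            raise UnsafeSpec("shell macro %(...) would be executed by rpm: " + value)
        new = MACRO_RE.sub(lambda m: macros.get(m.group(1) or m.group(2), m.group(0)), value)
        if new == value:
            return value
        value = new
    raise UnsafeSpec("macro expansion did not converge: " + value)


def parse_spec(text):
    """Return (sources, findings): sources is [(tag, expanded value)] for every
    Source*/Patch* tag, findings is [(lineno, tag, reason)] for values refused."""
    macros, sources, findings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_RE.match(line):
            break                        # Source/Patch tags live in the preamble only
        m = DEFINE_RE.match(line)
        if m:
            macros[m.group("name")] = m.group("val")   # stored raw, expanded on use
            continue
        m = TAG_RE.match(line)
        if not m:
            continue                     # BuildRequires, %if/%endif, ... are not needed here
        tag, val = m.group("tag"), m.group("val")
        try:
            val = expand(val, macros)
        except UnsafeSpec as e:
            findings.append((lineno, tag, str(e)))
            continue
        if tag.lower() in ("name", "version", "release"):
            macros[tag.lower()] = val    # makes %{name}, %{version}, %{release} resolvable
        else:
            sources.append((tag, val))
    return sources, findings


def source_basenames(sources):
    """File names a validator would expect next to the spec (URLs reduced to their last component)."""
    return [posixpath.basename(val) for _, val in sources]


# Constructed spec for the demonstration; URL and file names are placeholders.
DEMO_SPEC = """\
Name:           demo
Version:        1.2.3
Release:        0
%define tarball %{name}-%{version}.tar.xz
Source0:        https://example.invalid/%{tarball}
Source1:        %{name}-rpmlintrc
Patch0:         fix-build.patch
# rpmspec -P or rpmbuild would run the command below merely to parse the preamble
Source2:        %(echo pwned > /tmp/marker; echo harmless.tar.gz)
%prep
%setup -q
"""

if __name__ == "__main__":
    srcs, bad = parse_spec(DEMO_SPEC)
    for tag, val in srcs:
        print(f"{tag}: {val}")
    for lineno, tag, reason in bad:
        print(f"line {lineno} ({tag}) refused: {reason}")
```

Running this on DEMO_SPEC yields the three resolvable entries and one finding for Source2, without any shell ever being started. The parser deliberately does not evaluate %if conditionals (it takes Source lines from every branch, the conservative choice for a validator) and leaves unknown macros such as %{_libdir} unexpanded rather than asking rpm. Note also that rpm expands macros in comment lines too, which is why a comment is skipped here before any expansion and why a spec from an untrusted packager must never reach rpm at all during validation.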
Affected Products
SUSE Linux Enterprise Software Development Kit 12 SP2:build-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-s390-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-initvm-x86_64-20171128-9.3.2
SUSE Linux Enterprise Software Development Kit 12 SP2:build-mkbaselibs-20171128-9.3.2
References
- CVE-2017-9274
- SUSE Bug 938556