SUSE-SU-2018:0065-1

Published: 11 Jan 2018
Source: suse-cvrf

Description

Fixing security issues on OBS toolchain

This OBS toolchain update fixes the following issues:

Package 'build':

  • CVE-2017-14804: Improve file name check in extractbuild (bsc#1069904)
  • Fixed Dockerfile repository parsing

Package 'obs-service-source_validator':

  • CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556).
  • CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection (bsc#967265)
  • Update to version 0.7.
  • Use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
  • obs-service-source_validator: several occurrences of uninitialized value (bsc#967610)
  • hack for util-linux specfiles (bnc#891829)
  • fix dependency to gnupg2 for Fedora (bnc#827480)
  • exit if tmpdir creation fails (bnc#796918)

Package 'osc':

  • Update to version 0.162.0.

Package list

SUSE Linux Enterprise Software Development Kit 11 SP4
build-20171128-8.3.3
osc-0.162.1-7.4.1

Description (CVE-2016-4007)

Multiple unspecified vulnerabilities in the obs-service-extract_file package before 0.3-5.1 in openSUSE Leap 42.1 and before 0.3-3.1 in openSUSE 13.2 allow attackers to execute arbitrary commands via a service definition, related to executing unzip with "illegal options."


Affected products
SUSE Linux Enterprise Software Development Kit 11 SP4:build-20171128-8.3.3
SUSE Linux Enterprise Software Development Kit 11 SP4:osc-0.162.1-7.4.1

Description (CVE-2017-14804)

The build package before 20171128 did not check directory names during extraction of build results, which allowed untrusted builds to write outside of the target directory and so escape the buildroot.
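The defect above is a classic archive path traversal: a member name containing "../" or an absolute path is joined onto the target directory without validation. The following is an added illustration, not code from the build package (which is written in Perl); it shows the lexical check an extractor should apply to every member name before creating anything. The destination path and the member names are constructed for the example.

```python
import posixpath
from typing import List, Optional, Tuple

# Constructed sample of member names as they might appear in a result
# archive produced by an untrusted build (not taken from the advisory).
SAMPLE_MEMBERS = [
    "usr/bin/hello",
    "./usr/share/doc/hello/README",
    "usr/lib/../lib64/libhello.so",                 # '..' that stays inside
    "../../etc/cron.d/backdoor",                    # escapes via parent refs
    "/etc/passwd",                                  # absolute path
    "usr/bin/../../../root/.ssh/authorized_keys",   # escapes after normalization
    "logs\0hidden",                                 # embedded NUL
]


def safe_target(dest: str, member: str) -> Optional[str]:
    """Return the normalized path under ``dest`` for archive member ``member``,
    or None if the name could resolve outside ``dest``.

    The check is purely lexical and runs before anything touches the
    filesystem: the name is attacker-controlled, so absolute names are
    refused and no '..' component may survive normalization.
    """
    if not member or "\0" in member:
        return None
    if member.startswith("/"):
        return None
    norm = posixpath.normpath(member)
    # normpath() collapses 'a/../b' to 'b' but leaves a leading '..' in
    # place, which is exactly the case that escapes the target directory.
    if norm == "." or ".." in norm.split("/"):
        return None
    return posixpath.join(dest, norm)


def partition_members(dest: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted target paths, rejected raw names)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in members:
        target = safe_target(dest, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_members("/var/tmp/build-root", SAMPLE_MEMBERS)
    for path in ok:
        print("extract ->", path)
    for name in bad:
        print("REJECT  ->", repr(name))
```

A lexical check like this is necessary but not sufficient on its own: an archive can also contain a symlink member pointing outside the target, and a later member written through that link escapes just the same. A hardened extractor therefore also refuses to follow symlinks it extracted, or re-checks each final path with realpath() against the target directory before writing.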


Affected products
SUSE Linux Enterprise Software Development Kit 11 SP4:build-20171128-8.3.3
SUSE Linux Enterprise Software Development Kit 11 SP4:osc-0.162.1-7.4.1

Description (CVE-2017-9274)

A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs.


Affected products
SUSE Linux Enterprise Software Development Kit 11 SP4:build-20171128-8.3.3
SUSE Linux Enterprise Software Development Kit 11 SP4:osc-0.162.1-7.4.1
