Description
Security update for the OBS toolchain
This OBS toolchain update fixes the following issues:
Package 'build':
- CVE-2010-4226: force use of bsdtar for VMs (bnc#665768)
- CVE-2017-14804: Improve file name check extractbuild (bsc#1069904)
- switch baselibs scheme for debuginfo packages from foo-debuginfo-32bit to foo-32bit-debuginfo (fate#323217)
Package 'obs-service-source_validator':
- CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556).
- Update to version 0.7
- use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
Package 'osc':
- update to version 0.162.0
- add Recommends: ca-certificates to enable TLS verification without manually installing them. (bnc#1061500)
This update was imported from the SUSE:SLE-12:Update update project.
Package list
openSUSE Leap 42.2
openSUSE Leap 42.3
References
- E-Mail link for openSUSE-SU-2017:3259-1
- SUSE Security Ratings
Description
cpio, as used in build 2007.05.10, 2010.07.28, and possibly other versions, allows remote attackers to overwrite arbitrary files via a symlink within an RPM package archive.
Affected products
References
- CVE-2010-4226
- SUSE Bug 665768
Description
The build package before 20171128 did not check directory names during extraction of build results, which allowed untrusted builds to write outside of the target system, allowing escape out of buildroots.
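As an added illustration of the defect class fixed in build 20171128 (and of the symlink vector of CVE-2010-4226 above), the following is example code, not code from the build package or its extractbuild script: a lexical containment check an extractor can run over archive member names before writing anything, tracking accepted symlinks so that a later member routed through one is judged by where the link really points. The member list is constructed.

```python
import posixpath

# Added example, not code from the build package. Every archive member name
# is normalized and must stay under the extraction root; symlink members must
# also point inside the root, and their resolved target is remembered so that
# 'lnk/x' with lnk -> '../..' is judged as '../../x'.


def _resolve(path, links):
    """Rewrite `path` through the longest accepted symlink prefix, then
    normalize. Returns the root-relative path, or None if it escapes."""
    parts = path.split("/")
    for i in range(len(parts), 0, -1):
        prefix = posixpath.normpath("/".join(parts[:i]))
        if prefix in links:
            path = posixpath.join(links[prefix], *parts[i:])
            break
    norm = posixpath.normpath(path)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return None
    return norm


def check_members(members):
    """members: (name, kind, link_target) tuples, kind in {'file', 'dir',
    'symlink'}. Returns (accepted, rejected) member names in archive order."""
    accepted, rejected, links = [], [], {}
    for name, kind, target in members:
        norm = _resolve(name, links)
        if norm is not None and kind == "symlink":
            dest = None
            if not posixpath.isabs(target):
                dest = _resolve(posixpath.join(posixpath.dirname(norm), target), links)
            if dest is None:
                norm = None          # link would point outside the root
            else:
                links[norm] = dest   # root-relative path the link really reaches
        (accepted if norm is not None else rejected).append(name)
    return accepted, rejected


# Constructed member list: plain files, traversal attempts, and symlinks.
SAMPLE = [
    ("usr/bin/foo", "file", None),
    ("../../etc/passwd", "file", None),
    ("/etc/passwd", "file", None),
    ("usr/../../x", "file", None),
    ("var/lnk", "symlink", "../usr"),       # stays inside: resolves to usr
    ("var/lnk/share/doc", "file", None),    # judged as usr/share/doc
    ("tmp/esc", "symlink", "/etc"),         # absolute target: rejected
    ("a/b", "symlink", ".."),               # points at the root itself: fine
    ("a/b/c", "symlink", ".."),             # via a/b this is root/c -> ..: escapes
]
```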
Affected products
References
- CVE-2017-14804
- SUSE Bug 1069904
Description
A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs.
Affected products
References
- CVE-2017-9274
- SUSE Bug 938556