Bug 1069904 (CVE-2017-14804)

Summary: VUL-0: CVE-2017-14804: build: Exploit extractbuild to write to files in the host system
Product: [openSUSE] openSUSE.org
Reporter: Marcus Meissner <meissner>
Component: BuildService
Assignee: Michael Schröder <mls>
Status: RESOLVED FIXED
QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Normal
Priority: P3 - Medium
CC: adrian.schroeter, faustjonson, jsegitz, meissner, security-team, suse-tux
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2017-14804:8.5:(AV:N/AC:M/Au:S/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-14804:9.9:(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: 0001-Improve-sanity-checks-in-extractbuild.patch
worker.txt
test.spec
obs-build_extractbuild_exploit.txt
write_swap.pl
my_bs_worker.pl
CVE-2017-14804.json

Description Marcus Meissner 2017-11-27 10:33:55 UTC
received via security@suse.de

From: Marcus Hüwe <suse-tux@gmx.de>
Subject: [security@suse.de] Exploit extractbuild to write to files in the host system
Date: Mon, 27 Nov 2017 02:31:17 +0100

Hi,

currently, it is possible to exploit the extractbuild script to write
to files in the host system, in case of a vm build. This can be used,
for instance, to replace a running bs_worker with arbitrary code.
The attached obs-build_extractbuild_exploit.txt file documents the
exploit.

The following files are attached to this mail (<md5> <filename>):

f0958407337f559c95ae0e9e85d03423  0001-Improve-sanity-checks-in-extractbuild.patch
74690090af4b170bccc1d75569dc34d7  my_bs_worker.pl
17ad13d19a7d6a210408e500cda9d48e  obs-build_extractbuild_exploit.txt
8a9de7e3e2084fa644ed188f447afbda  test.spec
823fed5809f654917062f857d6cee6e4  worker.txt
143732600263228b8e864fae336bb081  write_swap.pl

I also CCed security@suse.de.


Marcus

Comment 4 Marcus Meissner 2017-11-27 10:36:59 UTC
Created attachment 750169
obs-build_extractbuild_exploit.txt

obs-build_extractbuild_exploit.txt: description of exploit

Comment 6 Marcus Meissner 2017-11-27 10:39:01 UTC
cc reporter too

Comment 7 Marcus Meissner 2017-11-27 10:50:07 UTC
use CVE-2017-14804

Comment 10 Adrian Schröter 2017-11-28 13:03:51 UTC
This is actually a problem in the build script. I would like to release it together with a new osc for all maintained products, since we need the support for the container building anyway...

Marcus, thanks a lot again! Great work!

Comment 11 Swamp Workflow Management 2017-12-08 17:19:15 UTC
SUSE-SU-2017:3253-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1

Comment 12 Swamp Workflow Management 2017-12-09 11:09:04 UTC
openSUSE-SU-2017:3259-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
openSUSE Leap 42.3 (src):    build-20171128-5.1, obs-service-source_validator-0.7-16.1, osc-0.162.0-10.1
openSUSE Leap 42.2 (src):    build-20171128-2.6.1, obs-service-source_validator-0.7-13.6.1, osc-0.162.0-7.7.1

Comment 13 Marcus Meissner 2017-12-11 07:19:14 UTC
released, is now public

Comment 14 Swamp Workflow Management 2018-01-11 14:07:07 UTC
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    build-20171128-8.3.3, osc-0.162.1-7.4.1

Comment 15 Marcus Meissner 2018-03-01 12:01:11 UTC
Created attachment 762304
CVE-2017-14804.json

mitre upload

Comment 17 Swamp Workflow Management 2019-02-14 14:14:53 UTC
SUSE-SU-2019:0387-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1069904,1122895
CVE References: CVE-2017-14804
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    build-20190128-3.3.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    build-20190128-3.3.2

Comment 18 Swamp Workflow Management 2019-02-22 14:22:23 UTC
openSUSE-SU-2019:0232-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1069904,1122895
CVE References: CVE-2017-14804
Sources used:
openSUSE Leap 15.0 (src):    build-20190128-lp150.2.3.1

Comment 19 Swamp Workflow Management 2019-06-04 09:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (1069904) was mentioned in
https://build.opensuse.org/request/show/707419 Factory / build