Bug 1107944 (CVE-2018-12476)

Summary: VUL-0: CVE-2018-12476: obs-service-extract_file: outfilename parameter allows to write files outside of package directory
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Frank Schreiner <FSchreiner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: adrian.schroeter, jsegitz, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Gerstner 2018-09-11 07:40:05 UTC
The obs-service-extract_file allows moving extracted files or directories to
more or less arbitrary locations like:

- an absolute path like /tmp, /home/$TARGET_USER, /dev/shm
- a relative path like ../somewhere

This could be used to prepare attacks in combination with other security leaks
or even lead to code execution. When the victim's user name is known, then e.g.
a file could be extracted to /home/$TARGET_USER/.bashrc. Since files in
tarballs are extracted with executable bits preserved, there is little limit to
what can be done. For example, an attacker could also write hook scripts into
git repositories cloned into the package directory. Also, symlinks can be
extracted and put into the package directory, allowing preparation of attacks
in conjunction with other source services.

Code execution is mostly a client-side concern but could hit the server side,
too, when enough effort is put into it.

This package currently has no maintainer in OBS, so I'm assigning it to you,
Adrian. Please assign it to someone suitable. Thank you.
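A containment check of the kind a service would need for its outfilename parameter, added here as an illustration and not the obs-service-extract_file project's own code; the function names, the UnsafeOutfilename exception and the sample values (including the planted symlink) are constructed for the example.

```python
import os
import tempfile


class UnsafeOutfilename(ValueError):
    """Raised when an outfilename would land outside the package directory."""


def safe_outfile_path(package_dir: str, outfilename: str) -> str:
    """Return the absolute destination for outfilename inside package_dir.

    Rejects the escape routes named in the report (absolute paths such as
    /tmp, and relative paths climbing out via '..') and resolves symlinks
    so a link already planted in the package directory cannot redirect it.
    """
    if not outfilename or os.path.isabs(outfilename):
        raise UnsafeOutfilename(f"empty or absolute outfilename: {outfilename!r}")
    # Reject any '..' component outright; stricter than containment alone.
    if os.pardir in outfilename.split(os.sep):
        raise UnsafeOutfilename(f"parent reference in {outfilename!r}")
    root = os.path.realpath(package_dir)
    target = os.path.realpath(os.path.join(root, outfilename))
    # realpath follows existing symlinks, so a planted link surfaces here.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeOutfilename(f"{outfilename!r} resolves outside {root}")
    return target


def classify(package_dir: str, candidates) -> dict:
    """Map each candidate outfilename to 'ok' or 'rejected'."""
    result = {}
    for name in candidates:
        try:
            safe_outfile_path(package_dir, name)
            result[name] = "ok"
        except UnsafeOutfilename:
            result[name] = "rejected"
    return result


def demo() -> dict:
    """Run the check over constructed sample values in a scratch package dir."""
    with tempfile.TemporaryDirectory() as pkg:
        # Constructed: a symlink inside the package dir pointing one level up,
        # the kind of planted link the report warns about.
        os.symlink(os.path.dirname(pkg), os.path.join(pkg, "planted"))
        return classify(pkg, ["mypkg.spec", "sub/dir/file.tar.gz", "/tmp/evil",
                              "../somewhere", "sub/../../escape", "planted/escape"])
```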
Comment 1 Johannes Segitz 2018-09-26 09:28:02 UTC
Please use CVE-2018-12476 for this
Comment 4 Swamp Workflow Management 2019-02-28 01:20:30 UTC
This is an autogenerated message for OBS integration:
This bug (1107944) was mentioned in
https://build.opensuse.org/request/show/679987 Factory / obs-service-tar_scm
Comment 5 Swamp Workflow Management 2019-02-28 11:30:29 UTC
This is an autogenerated message for OBS integration:
This bug (1107944) was mentioned in
https://build.opensuse.org/request/show/680081 15.0+42.3 / obs-service-tar_scm
Comment 7 Swamp Workflow Management 2019-03-04 20:56:16 UTC
SUSE-SU-2019:0540-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1
Comment 10 Swamp Workflow Management 2019-03-13 23:09:58 UTC
openSUSE-SU-2019:0326-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
openSUSE Leap 15.0 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
Comment 11 Swamp Workflow Management 2019-03-15 11:10:12 UTC
openSUSE-SU-2019:0329-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
openSUSE Backports SLE-15 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-bp150.3.3.1
Comment 16 Johannes Segitz 2020-01-27 08:19:23 UTC
Thank you for the submits.