Bug 1224450

obs-service-cargo_vendor (github repo name) and obs-service-cargo (rpm package name) contains a security regression where it newly does an online query for vulnerability reports and on finding one stops with failure, which prevents reproducing its normally resulting source archive. This is a failure of ensuring integrity (OWASP A08:2021) as reproducing and comparing the output is required to verify it.

The code location where this is turned into a stopping error is the error handling of this call of the function process_reports: https://github.com/openSUSE/obs-service-cargo_vendor/blob/master/cargo/src/utils/mod.rs#L228

(This source service program and a similarly named one that it replaced is used by many packagers to download sources needed for Rust applications that are then build and shipped in openSUSE and SUSE.)

While there is a workaround in specifying each found report ID to be ignored, that is not sufficient, as the goal for source services is to automatically verify them, see https://github.com/openSUSE/obs-service-source_validator/issues/134 . This bug prevents automated and manual easy verification, that sources that are downloaded with this tool are the expected sources instead of possibly maliciously modified ones. This is also a needed step when reviewing proposed changes by others. Thus this also pushes people further to not do this verification, thus basically to include entirely unreviewed code.

This security bug was reported in https://github.com/openSUSE/obs-service-cargo_vendor/issues/73 to its Github project, but the response was that they will "not maintain the behaviour as a guarantee or a feature" - https://github.com/openSUSE/obs-service-cargo_vendor/issues/64#issuecomment-1967885836 . This response was made by William Brown AKA blackhats.net.au AKA https://github.com/Firstyear AKA https://build.opensuse.org/users/firstyear and supported by Soc Virnyl S. Estela AKA https://github.com/uncomfyhalomacro AKA https://build.opensuse.org/users/uncomfyhalomacro . Furthermore my understanding is that they refused any affordance of scientific discussion. (Note that William now has a many years long history of such actions.)

This is incompatible with current openSUSE and SUSE security policy. But this repository is currently in the openSUSE Github org and this source service program is shipped in openSUSE Tumbleweed.

I'm hesitant against CVE assignment for this class of bugs until we generally improved the state a bit more. Normally maintainers can be convinced to accept this improvement of integrity protection. However sadly in this case I needed to give up and accept that it needs to happen.
My first guess for a CVSSv3.1 score is: 2.3 AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N