Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2017-9274: osc executes spec code during "osc commit" | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Christian Boltz <suse-beta> |
| Component: | Incidents | Assignee: | Ruediger Oertel <ro> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | adrian.schroeter, astieger, jsegitz, lchiquitto, marco.strigl, meissner, mrueckert, suse-beta, suse-tux |
| Version: | unspecified | | |
| Target Milestone: | unspecified | | |
| Hardware: | Other | | |
| OS: | openSUSE 13.2 | | |
| Whiteboard: | CVSSv3:SUSE:CVE-2017-9274:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | | |
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | "osc -v -d commit" output | | |
Description

Christian Boltz
2015-07-17 11:18:18 UTC

The attack scenario here is an untrusted packager tricking the victim into making an otherwise unrelated change. The following commands are known to execute commands specified in the spec file for macros:

* osc commit
* quilt setup

The following packages are known to show this:

* apparmor (commit)
* subversion (quilt setup)

(In reply to Christian Boltz from comment #0)
> I noticed something interesting while committing home:cboltz/apparmor
> (using osc-0.151.2-2.1.noarch)
>
> # osc commit
> [... gpg check ...]
> - package has apparmor-rpmlintrc: (unchanged)
> - package has baselibs.conf: (unchanged)
> sh: /usr/sbin/apxs2: Datei oder Verzeichnis nicht gefunden <------ huh?

This is caused by a local source service run. Can you please run "osc -d commit ..." in order to see which source service causes this behavior?

setting needinfo reporter

Created attachment 641269 [details]
"osc -v -d commit" output
Most relevant lines:
[...]
Run source service: /usr/lib/obs/service/source_validator --outdir /tmp/tmpLPEyOi
[... GPG check ...]
- package has apparmor-rpmlintrc: (unchanged)
- package has baselibs.conf: (unchanged)
sh: /usr/sbin/apxs2: Datei oder Verzeichnis nicht gefunden
Sending apparmor.spec
[...]
bugbot adjusting priority

The obs-service-source_validator's 20-files-present-and-referenced script executes the %prep section in order to check if all files are present (unrelated note: even though executing %prep is successful some sources might still be missing; maybe we should use something like "rpmspec -P <spec>" and check if all "sources" are present).

The problem is that we cannot correctly detect missing sources without expanding all macros. As we fixed filename based injection problems we probably also should think how to solve this. Or declare source_validator unsafe :(

PR 39 (https://github.com/openSUSE/obs-service-source_validator/pull/39) should fix it. Now, we use Build::Rpm for extracting the sources, patches etc. from the spec, which doesn't expand %(...) macros. The drawback is that it might break some packages... A different approach would be executing the rpmbuild command in a vm/chroot, but that's probably too much overhead and not worth the effort (IMHO).

doesn't seem like a lot of packages broke, so let's close this

(In reply to Johannes Segitz from comment #10)
> doesn't seem like a lot of packages broke, so let's close this

Hmm nothing broke, because nothing was fixed so far :/ I just updated the PR again.

(In reply to Marcus Hüwe from comment #11)
> I just updated the PR again.

Update: the PR was merged (see commit 0cb8321 [1]).

[1] https://github.com/openSUSE/obs-service-source_validator/commit/0cb832185b71e869bb84fc995f483275c5c4158d

hm, why is this closed? We still have to release maintenance updates for this... This is really grave IMHO, since it is easy to attack developer workstations via that... Rudi, can you take care or shall I ask Marco?

I am working on it.

This is CVE-2017-9274

This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/515847 Factory / obs-service-source_validator

Hrm the 70-baselibs script is also affected... I'm working on it.

yep, just submitted a new version ~1 hour ago ignoring this particular problem.

This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/516094 Factory / obs-service-source_validator

This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/516111 Factory / obs-service-source_validator

Hmm reopening again until the 70-baselibs script is fixed as well (I'm almost done...).

I just created PR 51 [1] to fix the 70-baselibs script (note: this could potentially also break some packages).

[1] https://github.com/openSUSE/obs-service-source_validator/pull/51

The 70-baselibs script is fixed with commit 7fe8be5 [1].

[1] https://github.com/openSUSE/obs-service-source_validator/commit/7fe8be5

let's close it then

(In reply to Ruediger Oertel from comment #25)
> let's close it then

Hmm iiuc, we haven't released maintenance updates for this (according to comment 13 maintenance updates are needed).

I will include the update in the current running build & osc maintenance update.

SUSE-SU-2017:3253-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1

openSUSE-SU-2017:3259-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
openSUSE Leap 42.3 (src): build-20171128-5.1, obs-service-source_validator-0.7-16.1, osc-0.162.0-10.1
openSUSE Leap 42.2 (src): build-20171128-2.6.1, obs-service-source_validator-0.7-13.6.1, osc-0.162.0-7.7.1

SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): build-20171128-8.3.3, osc-0.162.1-7.4.1

released
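As an added illustration of the approach the merged fix takes (not code from this bug, from osc or from obs-service-source_validator), the Python check below answers the 20-files-present-and-referenced question by parsing the spec preamble instead of running %prep: it expands only macros defined in the spec itself and refuses to expand %(...) shell macros, flagging the affected Source/Patch tags instead. The spec text and the set of present files are constructed for the example.

```python
import re

# Constructed sample spec (not from the bug report). Source1 uses a %(...)
# shell macro, which rpm would execute while expanding the spec.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
%define tarsuffix tar.xz
Source0:        https://example.org/%{name}-%{version}.%{tarsuffix}
Source1:        notes-%(echo %{version} | cut -d. -f1).txt
Patch0:         fix-build.patch
%prep
%setup -q
"""

SHELL_MACRO = re.compile(r"%\(")          # %(...) runs a shell command in rpm
SIMPLE_MACRO = re.compile(r"%\{?(\w+)\}?")  # %{name} or %name

def extract_sources(spec_text):
    """Return (entries, unsafe) without executing anything.
    entries maps tag -> expanded basename; unsafe lists tags whose value
    contains a %(...) shell macro and is therefore left unexpanded."""
    macros, entries, unsafe = {}, {}, []
    for line in spec_text.splitlines():
        if line.lstrip().startswith("%prep"):
            break  # Source/Patch tags live in the preamble only
        m = re.match(r"(Name|Version|Release):\s*(\S+)", line)
        if m:
            macros[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"%(?:define|global)\s+(\w+)\s+(.+)", line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"((?:Source|Patch)\d*):\s*(.+)", line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if SHELL_MACRO.search(value):
            unsafe.append(tag)  # flag it; never hand it to a shell
            continue
        # Substitute only macros the spec defined; unknown ones stay literal.
        expanded = SIMPLE_MACRO.sub(lambda mm: macros.get(mm.group(1), mm.group(0)), value)
        entries[tag] = expanded.rsplit("/", 1)[-1]  # URL -> basename
    return entries, unsafe

def missing_files(spec_text, present):
    """Files referenced by the spec that are absent from the checkout."""
    entries, unsafe = extract_sources(spec_text)
    return sorted(f for f in entries.values() if f not in present), unsafe
```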