Bugzilla – Bug 1069904
VUL-0: CVE-2017-14804: build: Exploit extractbuild to write to files in the host system
Last modified: 2022-10-13 08:19:04 UTC
received via security@suse.de From: Marcus Hüwe <suse-tux@gmx.de> Subject: [security@suse.de] Exploit extractbuild to write to files in the host system Date: Mon, 27 Nov 2017 02:31:17 +0100 Hi, currently, it is possible to exploit the extractbuild script to write to files in the host system, in case of a vm build. This can be used, for instance, to replace a running bs_worker with arbitrary code. The attached obs-build_extractbuild_exploit.txt file documents the exploit. The following files are attached to this mail (<md5> <filename>): f0958407337f559c95ae0e9e85d03423 0001-Improve-sanity-checks-in-extractbuild.patch 74690090af4b170bccc1d75569dc34d7 my_bs_worker.pl 17ad13d19a7d6a210408e500cda9d48e obs-build_extractbuild_exploit.txt 8a9de7e3e2084fa644ed188f447afbda test.spec 823fed5809f654917062f857d6cee6e4 worker.txt 143732600263228b8e864fae336bb081 write_swap.pl I also CCed security@suse.de. Marcus
Created attachment 750169 [details] obs-build_extractbuild_exploit.txt obs-build_extractbuild_exploit.txt description of exploit
cc reporter too
use CVE-2017-14804
This is actually a problem in the build script. I would like to release it together with a new osc for all maintained products, since we need anyway the support for the container building... Marcus, thanks a lot again! Great work!
SUSE-SU-2017:3253-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1059858,1061500,1069904,665768,938556 CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
openSUSE-SU-2017:3259-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1059858,1061500,1069904,665768,938556 CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274 Sources used: openSUSE Leap 42.3 (src): build-20171128-5.1, obs-service-source_validator-0.7-16.1, osc-0.162.0-10.1 openSUSE Leap 42.2 (src): build-20171128-2.6.1, obs-service-source_validator-0.7-13.6.1, osc-0.162.0-7.7.1
released, is now public
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610 CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): build-20171128-8.3.3, osc-0.162.1-7.4.1
Created attachment 762304 [details] CVE-2017-14804.json mitre upload
SUSE-SU-2019:0387-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1069904,1122895 CVE References: CVE-2017-14804 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): build-20190128-3.3.2 SUSE Linux Enterprise Module for Development Tools 15 (src): build-20190128-3.3.2
openSUSE-SU-2019:0232-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1069904,1122895 CVE References: CVE-2017-14804 Sources used: openSUSE Leap 15.0 (src): build-20190128-lp150.2.3.1
This is an autogenerated message for OBS integration: This bug (1069904) was mentioned in https://build.opensuse.org/request/show/707419 Factory / build