Bug 1069904 - (CVE-2017-14804) VUL-0: CVE-2017-14804: build: Exploit extractbuild to write to files in the host system
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE.org
Component: BuildService
Priority: P3 - Medium; Severity: Normal
Assigned To: Michael Schröder
Adrian Schröter
CVSSv2:SUSE:CVE-2017-14804:8.5:(AV:N/...
Reported: 2017-11-27 10:33 UTC by Marcus Meissner
Modified: 2022-10-13 08:19 UTC

Attachments
0001-Improve-sanity-checks-in-extractbuild.patch (1.52 KB, patch), 2017-11-27 10:34 UTC, Marcus Meissner
worker.txt (30.89 KB, text/plain), 2017-11-27 10:34 UTC, Marcus Meissner
test.spec (1010 bytes, text/plain), 2017-11-27 10:36 UTC, Marcus Meissner
obs-build_extractbuild_exploit.txt (5.61 KB, text/plain), 2017-11-27 10:36 UTC, Marcus Meissner
write_swap.pl (1.31 KB, text/plain), 2017-11-27 10:37 UTC, Marcus Meissner
my_bs_worker.pl (83 bytes, application/x-perl), 2017-11-27 11:21 UTC, Marcus Hüwe
CVE-2017-14804.json (1.88 KB, text/plain), 2018-03-01 12:01 UTC, Marcus Meissner

Description Marcus Meissner 2017-11-27 10:33:55 UTC
received via security@suse.de

From: Marcus Hüwe <suse-tux@gmx.de>
Subject: [security@suse.de] Exploit extractbuild to write to files in the host system
Date: Mon, 27 Nov 2017 02:31:17 +0100

Hi,

currently, it is possible to exploit the extractbuild script to write
to files in the host system, in case of a vm build. This can be used,
for instance, to replace a running bs_worker with arbitrary code.
The attached obs-build_extractbuild_exploit.txt file documents the
exploit.

The following files are attached to this mail (<md5> <filename>):

f0958407337f559c95ae0e9e85d03423  0001-Improve-sanity-checks-in-extractbuild.patch
74690090af4b170bccc1d75569dc34d7  my_bs_worker.pl
17ad13d19a7d6a210408e500cda9d48e  obs-build_extractbuild_exploit.txt
8a9de7e3e2084fa644ed188f447afbda  test.spec
823fed5809f654917062f857d6cee6e4  worker.txt
143732600263228b8e864fae336bb081  write_swap.pl

I also CCed security@suse.de.


Marcus
Comment 4 Marcus Meissner 2017-11-27 10:36:59 UTC
Created attachment 750169
obs-build_extractbuild_exploit.txt

obs-build_extractbuild_exploit.txt  description of exploit
Comment 6 Marcus Meissner 2017-11-27 10:39:01 UTC
cc reporter too
Comment 7 Marcus Meissner 2017-11-27 10:50:07 UTC
use CVE-2017-14804
Comment 10 Adrian Schröter 2017-11-28 13:03:51 UTC
This is actually a problem in the build script. I would like to release it together with a new osc for all maintained products, since we need the support for container building anyway...

Marcus, thanks a lot again! Great work!
Comment 11 Swamp Workflow Management 2017-12-08 17:19:15 UTC
SUSE-SU-2017:3253-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
Comment 12 Swamp Workflow Management 2017-12-09 11:09:04 UTC
openSUSE-SU-2017:3259-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
openSUSE Leap 42.3 (src):    build-20171128-5.1, obs-service-source_validator-0.7-16.1, osc-0.162.0-10.1
openSUSE Leap 42.2 (src):    build-20171128-2.6.1, obs-service-source_validator-0.7-13.6.1, osc-0.162.0-7.7.1
Comment 13 Marcus Meissner 2017-12-11 07:19:14 UTC
released, is now public
Comment 14 Swamp Workflow Management 2018-01-11 14:07:07 UTC
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    build-20171128-8.3.3, osc-0.162.1-7.4.1
Comment 15 Marcus Meissner 2018-03-01 12:01:11 UTC
Created attachment 762304
CVE-2017-14804.json

mitre upload
Comment 17 Swamp Workflow Management 2019-02-14 14:14:53 UTC
SUSE-SU-2019:0387-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1069904,1122895
CVE References: CVE-2017-14804
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    build-20190128-3.3.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    build-20190128-3.3.2
Comment 18 Swamp Workflow Management 2019-02-22 14:22:23 UTC
openSUSE-SU-2019:0232-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1069904,1122895
CVE References: CVE-2017-14804
Sources used:
openSUSE Leap 15.0 (src):    build-20190128-lp150.2.3.1
Comment 19 Swamp Workflow Management 2019-06-04 09:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (1069904) was mentioned in
https://build.opensuse.org/request/show/707419 Factory / build