Bugzilla – Bug 1094819
VUL-0: CVE-2018-7689: obs: InitializeDevelPackage attribute exploit (obs-api)
Last modified: 2018-06-07 10:48:02 UTC
Created attachment 771509: api_InitializeDevelPackage_attribute_exploit.txt

Reported by Marcus Hüwe: currently, it is possible that an unprivileged user can modify an arbitrary package by exploiting the InitializeDevelPackage attribute (due to a missing permission check in the api code). For the details, have a look at the attached api_InitializeDevelPackage_attribute_exploit.txt file. The attached 0001-frontend-Add-additional-permission-check-for-a-submi.patch is a potential fix.
Created attachment 771510: proposed patch
Created attachment 771513: proposed patch
Sorry, the first attached patch belongs to another issue. Please ignore it here.
The possible modification is limited to creating the branch (_link file). Of course this is still a problem, since a later change in the link target influences the build result. It would be good if submit request creation fails, if the attribute is set and the request creator has no write access in source. However, this would not solve the security aspect here, since the attribute could be created after the request creation.
(In reply to Adrian Schröter from comment #4)
> It would be good if submit request creation fails, if the attribute is set
> and the request creator has no write access in source.

Removing the skip_source check should achieve this (then we could also move this code into check_permissions!) (note: this is just off the top of my head since I do not have the patch at hand atm (and the attachments to this bug seem to be invisible for me)).

> However, this would not solve the security aspect here, since the attribute
> could be created after the request creation.

The patch checks if the one that tries to accept the request can modify the source package.
Use CVE-2018-7689 for this issue.
The patch is now released to OBS 2.9. build.opensuse.org was already patched. I assume we can close the bug now.
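
The point made in comment #4 and the reply to it, that the attribute can be set after the request is created so the source write-access check has to run at accept time, shown as an added Ruby example. It is not OBS code or the attached patch; the Package and SubmitRequest classes, their methods, the user names and the _link content are hypothetical.

```ruby
# Hypothetical model, not OBS code: why the source write check belongs at accept time.
class PermissionError < StandardError; end
Package = Struct.new(:name, :maintainers, :attributes, :files) do
  def writable_by?(user)
    maintainers.include?(user)
  end
end

class SubmitRequest
  def initialize(creator:, source:, target:)
    @creator, @source, @target = creator, source, target
  end

  def devel_init?
    @target.attributes.include?('InitializeDevelPackage')
  end

  # Create-time check from comment #4: helpful, but the attribute may not be
  # set yet when the request is created.
  def validate_on_create!
    return unless devel_init? && !@source.writable_by?(@creator)
    raise PermissionError, 'creator cannot write to source'
  end

  # Accept-time check described in the reply: the accepting user must be
  # able to modify the source before the _link is written there.
  def accept!(acceptor, enforce_source_check: true)
    raise PermissionError, 'no write access to target' unless @target.writable_by?(acceptor)
    if devel_init?
      raise PermissionError, 'no write access to source' if enforce_source_check && !@source.writable_by?(acceptor)
      @source.files['_link'] = "<link package=\"#{@target.name}\"/>" # constructed content
    end
    :accepted
  end
end

# Constructed scenario: attribute added after creation. Returns true if the source got a _link.
def link_created_after_late_attribute(enforce)
  src = Package.new('src', ['alice'], [], {})
  tgt = Package.new('tgt', ['bob'], [], {})
  req = SubmitRequest.new(creator: 'bob', source: src, target: tgt)
  req.validate_on_create!                       # passes: attribute not set yet
  tgt.attributes << 'InitializeDevelPackage'
  req.accept!('bob', enforce_source_check: enforce)
  src.files.key?('_link')
rescue PermissionError
  :denied
end
```

With `enforce_source_check: false` the model reproduces the missing check; with the default, the accept is refused for a user who cannot write to the source.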