Bug 1094819 - (CVE-2018-7689) VUL-0: CVE-2018-7689: obs: InitializeDevelPackage attribute exploit (obs-api)
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE.org
Component: BuildService
Priority: P3 - Medium, Severity: Critical
Assigned To: E-mail List
Adrian Schröter
Reported: 2018-05-28 07:16 UTC by Adrian Schröter
Modified: 2018-06-07 10:48 UTC (History)

Attachments
api_InitializeDevelPackage_attribute_exploit.txt (5.03 KB, text/plain)
2018-05-28 07:16 UTC, Adrian Schröter
proposed patch (2.59 KB, patch)
2018-05-28 07:30 UTC, Adrian Schröter

Description Adrian Schröter 2018-05-28 07:16:32 UTC
Created attachment 771509 [details]
api_InitializeDevelPackage_attribute_exploit.txt

Reported by Marcus Hüwe:

Currently, it is possible that an unprivileged user can modify an
arbitrary package by exploiting the InitializeDevelPackage attribute
(due to a missing permission check in the api code). For the details,
have a look at the attached api_InitializeDevelPackage_attribute_exploit.txt
file. The attached
0001-frontend-Add-additional-permission-check-for-a-submi.patch is a
potential fix.
Comment 1 Adrian Schröter 2018-05-28 07:18:16 UTC
Created attachment 771510 [details]
proposed patch
Comment 2 Adrian Schröter 2018-05-28 07:30:48 UTC
Created attachment 771513 [details]
proposed patch
Comment 3 Adrian Schröter 2018-05-28 07:33:45 UTC
Sorry, the first attached patch belongs to another issue. Please ignore it here.
Comment 4 Adrian Schröter 2018-05-28 07:55:56 UTC
The possible modification is limited to creating the branch (_link file). Of course, this is still a problem, since a later change in the link target influences the build result.

It would be good if submit request creation fails, if the attribute is set and the request creator has no write access in source. 
However, this would not solve the security aspect here, since the attribute could be created after the request creation.
Comment 5 Marcus Hüwe 2018-05-28 09:08:56 UTC
(In reply to Adrian Schröter from comment #4)
> It would be good if submit request creation fails, if the attribute is set
> and the request creator has no write access in source. 

Removing the skip_source check should achieve this (then we could also move
this code into check_permissions!) (note: this is just off the top of my head
since I do not have the patch at hand atm (and the attachments to this bug
seem to be invisible for me)).

> However, this would not solve the security aspect here, since the attribute
> could be created after the request creation.

The patch checks if the one that tries to accept the request can modify the
source package.
Comment 6 Marcus Meissner 2018-05-28 14:20:33 UTC
Use CVE-2018-7689 for this issue.
Comment 7 Björn Geuken 2018-06-06 12:38:40 UTC
The patch is now released to OBS 2.9. build.opensuse.org was already patched.

I assume we can close the bug now.