Bug 1100217 (CVE-2018-12467) - VUL-0: CVE-2018-12467: obs: InitializeDevelPackage attribute exploit (V2)
Status: RESOLVED FIXED
Alias: CVE-2018-12467
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Björn Geuken
QA Contact: Security Team bot
Reported: 2018-07-05 11:46 UTC by Marcus Meissner
Modified: 2018-07-26 07:05 UTC

Attachments
0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch (1.45 KB, patch)
2018-07-05 11:47 UTC, Marcus Meissner

Description Marcus Meissner 2018-07-05 11:46:40 UTC
via security@

Hi,

it turns out that the fix for bsc#1094819 ("(CVE-2018-7689) VUL-0:
CVE-2018-7689: obs: InitializeDevelPackage attribute exploit (obs-api)")
is insufficient. For the details, have a look at the attached
api_InitializeDevelPackage_attribute_exploit_v2.txt file.

The attached 0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch
fixes the exploit (aka "fixing my own dogfood"...). The other attached
patch is unrelated to the concrete exploit, but potentially avoids a future
headache.

I also CCed security@suse.de

Sorry for the inconvenience...

Attached files (md5sum filename):

bfce16ec9cc1b2c28f69075dd5c8501e  api_InitializeDevelPackage_attribute_exploit_v2.txt
62733386c22857d144f49d7d35f380f9  0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch
e4be1e38683af9d77d04644715556f60  0002-frontend-Ignore-a-project-link-in-BsRequestAction.ch.patch


Marcus
Comment 2 Marcus Meissner 2018-07-05 11:47:35 UTC
Created attachment 776198
0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch
Comment 4 Marcus Meissner 2018-07-05 11:49:21 UTC
I assigned CVE-2018-12467
Comment 5 Johannes Segitz 2018-07-24 10:07:53 UTC
This is now in OBS:Server:2.9:Staging/obs-server, can we make the bug public so our checkers don't freak out?
Comment 6 Björn Geuken 2018-07-24 10:11:11 UTC
I am going to release the packages to OBS:Server:2.9 as soon as they are built and then send a mail to the OBS mailing list.

I guess it makes sense to wait until then.
Comment 7 Björn Geuken 2018-07-25 12:14:13 UTC
Packages and appliances have now been released.

In case anyone wonders why this took so long... The package builds for SLE12 failed about 5 times due to various flickering tests.
Some additional time was spent on testing the built packages and waiting for the package release to finish.

Sorry for that.