Bugzilla – Bug 1100217
VUL-0: CVE-2018-12467: obs: InitializeDevelPackage attribute exploit (V2)
Last modified: 2018-07-26 07:05:03 UTC
via security@

Hi,

it turns out that the fix for bsc#1094819 ("(CVE-2018-7689) VUL-0: CVE-2018-7689: obs: InitializeDevelPackage attribute exploit (obs-api)") is insufficient. For the details, have a look at the attached api_InitializeDevelPackage_attribute_exploit_v2.txt file.

The attached 0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch fixes the exploit (aka "fixing my own dogfood"...). The other attached patch is unrelated to the concrete exploit, but potentially avoids a future headache.

I also CCed security@suse.de

Sorry for the inconvenience...

Attached files (md5sum filename):
bfce16ec9cc1b2c28f69075dd5c8501e api_InitializeDevelPackage_attribute_exploit_v2.txt
62733386c22857d144f49d7d35f380f9 0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch
e4be1e38683af9d77d04644715556f60 0002-frontend-Ignore-a-project-link-in-BsRequestAction.ch.patch

Marcus
Created attachment 776198: 0001-frontend-Recheck-permissions-in-the-InitializeDevelP.patch
I assigned CVE-2018-12467
This is now in OBS:Server:2.9:Staging/obs-server, can we make the bug public so our checkers don't freak out?
I am going to release the packages to OBS:Server:2.9 as soon as they are built and then send a mail to the OBS mailing list. I guess it makes sense to wait until then.
Packages and appliances have now been released. In case anyone wonders why this took so long... The package builds for SLE12 failed about 5 times due to various flickering tests. Some additional time was spent on testing the built packages and waiting for the package release to finish. Sorry for that.