Bug 1107944 - (CVE-2018-12476) VUL-0: CVE-2018-12476: obs-service-extract_file: outfilename parameter allows to write files outside of package directory
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Frank Schreiner
QA Contact: Security Team bot
Reported: 2018-09-11 07:40 UTC by Matthias Gerstner
Modified: 2022-11-17 15:09 UTC

Description Matthias Gerstner 2018-09-11 07:40:05 UTC
The obs-service-extract_file allows moving extracted files or directories to
more or less arbitrary locations like:

- an absolute path like /tmp, /home/$TARGET_USER, /dev/shm
- a relative path like ../somewhere

This could be used to prepare attacks in combination with other security leaks
or even lead to code execution. When the victim's user name is known, then e.g.
a file could be extracted to /home/$TARGET_USER/.bashrc. Since files in
tarballs are extracted with executable bits preserved, there is little limit to
what can be done. For example, an attacker could also write hook scripts into
git repositories cloned into the package directory. Also, symlinks can be
extracted and put into the package directory, allowing preparation of attacks
in conjunction with other source services.

Code execution is mostly a client side concern but could hit the server side,
too, when enough effort is put into it.

This package currently has no maintainer in OBS, so I'm assigning it to you,
Adrian. Please assign to someone suitable. Thank you.
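The defect class described in the report, a destination parameter that accepts absolute paths, `../` traversal and symlinked path components, is usually closed by confining the destination to the package directory before anything is written. The following is an added example of such a confinement check, written for this page; it is not code from obs-service-extract_file or obs-service-tar_scm. The names `safe_destination`, `pkgdir` and `outfilename`, and every sample path, are constructed for the illustration. It goes slightly beyond the report's two bullet points by also resolving symlinks that are already present inside the tree, since the report notes that symlinks can be extracted into the package directory.

```python
"""Path-confinement check for an extraction destination parameter.

Added example, not code from obs-service-extract_file or obs-service-tar_scm.
The function and parameter names (safe_destination, pkgdir, outfilename) and
all sample paths below are constructed for this illustration.
"""
import os
import tempfile


def safe_destination(pkgdir, outfilename):
    """Return the absolute path under ``pkgdir`` where ``outfilename`` may be
    written, or raise ValueError if the request would leave ``pkgdir``.

    Three checks, each closing one of the escape routes named in the report:
    1. absolute values (``/tmp/...``, ``/home/user/.bashrc``) are rejected;
    2. the lexically normalised join must stay below ``pkgdir`` (``../``);
    3. the path with symlinks resolved must also stay below ``pkgdir``, so a
       symlink already present in the tree cannot redirect the write.
    """
    if not outfilename:
        raise ValueError("empty outfilename")
    if os.path.isabs(outfilename):
        raise ValueError("absolute outfilename rejected: %r" % outfilename)

    root = os.path.realpath(pkgdir)
    # Lexical check: collapse '..' and '.' segments, then compare prefixes.
    # The package directory itself is not an acceptable file destination.
    candidate = os.path.normpath(os.path.join(root, outfilename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError("outfilename escapes package directory: %r" % outfilename)

    # Physical check: realpath() follows any symlink among the components that
    # already exist and keeps the not-yet-existing tail, so a planted
    # 'escape -> /somewhere/else' link inside the tree is caught here.
    resolved = os.path.realpath(candidate)
    if resolved == root or os.path.commonpath([root, resolved]) != root:
        raise ValueError("outfilename resolves outside package directory: %r" % outfilename)
    return resolved


def classify(pkgdir, outfilename):
    """Convenience wrapper returning 'allowed' or 'rejected' for one request."""
    try:
        safe_destination(pkgdir, outfilename)
        return "allowed"
    except ValueError:
        return "rejected"


# Constructed sample requests modelled on the report: two absolute paths, two
# relative traversals, a symlink escape, a symlink that stays in-tree, a
# legitimate nested destination and the directory itself.
SAMPLE_OUTFILENAMES = [
    "/tmp/payload",
    "/home/someuser/.bashrc",
    "../somewhere",
    "sub/../../somewhere",
    "escape/planted",   # 'escape' is a symlink out of the tree (see run_demo)
    "inner/planted",    # 'inner' is a symlink to 'sub' inside the tree
    "sub/dir/file.txt",
    ".",
]


def run_demo():
    """Build a throwaway package directory containing one symlink that points
    outside it and one that stays inside, classify every sample outfilename
    and return {outfilename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        pkgdir = os.path.join(tmp, "pkg")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(pkgdir, "sub", "dir"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(pkgdir, "escape"))  # points out of the tree
        os.symlink("sub", os.path.join(pkgdir, "inner"))     # stays within the tree
        return {name: classify(pkgdir, name) for name in SAMPLE_OUTFILENAMES}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-28s %s" % (name, verdict))
```

The lexical and the physical check are both needed: `normpath` alone would accept `escape/planted` because the escape only exists on disk, while `realpath` alone would still accept a destination whose resolved form happens to be the package directory itself.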
Comment 1 Johannes Segitz 2018-09-26 09:28:02 UTC
Please use CVE-2018-12476 for this
Comment 4 Swamp Workflow Management 2019-02-28 01:20:30 UTC
This is an autogenerated message for OBS integration:
This bug (1107944) was mentioned in
https://build.opensuse.org/request/show/679987 Factory / obs-service-tar_scm
Comment 5 Swamp Workflow Management 2019-02-28 11:30:29 UTC
This is an autogenerated message for OBS integration:
This bug (1107944) was mentioned in
https://build.opensuse.org/request/show/680081 15.0+42.3 / obs-service-tar_scm
Comment 7 Swamp Workflow Management 2019-03-04 20:56:16 UTC
SUSE-SU-2019:0540-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1
Comment 10 Swamp Workflow Management 2019-03-13 23:09:58 UTC
openSUSE-SU-2019:0326-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
openSUSE Leap 15.0 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
Comment 11 Swamp Workflow Management 2019-03-15 11:10:12 UTC
openSUSE-SU-2019:0329-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1076410,1082696,1105361,1107507,1107944
CVE References: CVE-2018-12473,CVE-2018-12474,CVE-2018-12476
Sources used:
openSUSE Backports SLE-15 (src):    obs-service-tar_scm-0.10.5.1551309990.79898c7-bp150.3.3.1
Comment 16 Johannes Segitz 2020-01-27 08:19:23 UTC
Thank you for the submits.