Bugzilla – Bug 1122675
VUL-0: CVE-2019-3681: osc: stores downloaded (supposed) RPM in network-controlled filesystem paths
Last modified: 2023-03-15 11:15:03 UTC
from bnc#1119444:

> > osc/fetch.py/move_package: this builds the destination file name based on the contents of the downloaded file. An attacker with MITM capabilities can manipulate that file name to contain slashes (see osc/util/*query.py), then the package will be stored in an unintended file system location. This way, arbitrary files can be overwritten. At this point, signatures of the package have not been verified.
> >
> > You need to bypass SSL and/or deliver from a "trusted" project for that. But yes, the code can be improved, can you open a dedicated report for this?

Scenario: someone builds a package they trust from e.g. a coffee shop (open Wi-Fi). (Or the ISP gets asked to fiddle with some packets.) If I'm reading the output of 'osc buildinfo' right, OBS and IBS use plain HTTP for downloads, so TLS doesn't come into play.

I guess an evil project RPM repository does make exploiting this even easier (no man-in-the-middle required), but at least there's a scary warning when trusting a new project.
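The pattern comment #0 describes, as an added illustration that is not osc's own code: a fetcher that derives the cache file name from name/version/release/arch fields read out of the downloaded file, beside a hardened variant that rejects path characters in those fields and checks that the resolved destination stays inside the cache directory. The header dictionaries, the `canon_name` layout, the `UnsafePackageName` exception and the `demo` harness are all constructed for this example; real osc reads these values from the RPM header via osc/util/*query.py, and, per comment #0, signature verification happens only later, so the path check cannot rely on it.

```python
import os
import tempfile

# Constructed stand-ins for the metadata a fetcher extracts from the
# downloaded file. In the real flow these bytes come off the network
# (plain HTTP from the mirror, per comment #0), so an attacker controls them.
TRUSTED_HDR = {"name": "bash", "version": "5.0", "release": "1.1", "arch": "x86_64"}
# A relative traversal is used so the demo stays inside its temp tree; an
# absolute "name" would make os.path.join discard the cache directory entirely.
MALICIOUS_HDR = {"name": "../evil", "version": "5.0", "release": "1.1", "arch": "x86_64"}


class UnsafePackageName(Exception):
    """Raised (by the hardened mover only) when header fields would alter the destination directory."""


def canon_name(hdr):
    """Canonical file name in the usual name-version-release.arch.rpm layout (assumed, not osc's)."""
    return "%(name)s-%(version)s-%(release)s.%(arch)s.rpm" % hdr


def move_package_vulnerable(tmpfile, cachedir, hdr):
    """Vulnerable pattern: the destination is built from untrusted header fields and
    joined without any check, so a 'name' containing '/' or '..' escapes cachedir."""
    dest = os.path.join(cachedir, canon_name(hdr))
    os.rename(tmpfile, dest)
    return dest


def move_package_hardened(tmpfile, cachedir, hdr):
    """Hardened pattern: refuse any field that could change the directory, then
    verify the resolved destination is still under cachedir before moving."""
    for field in ("name", "version", "release", "arch"):
        value = hdr[field]
        if not value or "/" in value or "\\" in value or value in (".", ".."):
            raise UnsafePackageName("%s=%r contains path characters" % (field, value))
    dest = os.path.join(cachedir, canon_name(hdr))
    root = os.path.realpath(cachedir)
    # Defence in depth: even if the field filter were bypassed, the final path must
    # resolve inside the cache directory.
    if os.path.commonpath([root, os.path.realpath(dest)]) != root:
        raise UnsafePackageName("destination %r escapes %r" % (dest, cachedir))
    os.rename(tmpfile, dest)
    return dest


def demo(hdr, mover):
    """Run one mover in a fresh temp tree. Returns ("moved", dest_relative_to_tree, escaped)
    or ("rejected", reason) so the two behaviours can be compared side by side."""
    with tempfile.TemporaryDirectory() as base:
        cachedir = os.path.join(base, "cache")
        os.makedirs(cachedir)
        src = os.path.join(base, "download.tmp")
        with open(src, "wb") as f:
            f.write(b"constructed stand-in for a downloaded RPM")
        try:
            dest = mover(src, cachedir, hdr)
        except UnsafePackageName as e:
            return ("rejected", str(e))
        root = os.path.realpath(cachedir)
        escaped = os.path.commonpath([root, os.path.realpath(dest)]) != root
        return ("moved", os.path.relpath(dest, base), escaped)


if __name__ == "__main__":
    for label, hdr in (("trusted", TRUSTED_HDR), ("malicious", MALICIOUS_HDR)):
        print(label, "vulnerable:", demo(hdr, move_package_vulnerable))
        print(label, "hardened:  ", demo(hdr, move_package_hardened))
```

With the malicious header the vulnerable mover lands the file one level above the cache directory, while the hardened mover rejects it before any rename. The field filter is the real fix; the `commonpath` check is there so that a future change to how the name is assembled cannot silently reopen the hole.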
This issue will be handled according to our disclosure policy outlined in https://en.opensuse.org/openSUSE:Security_disclosure_policy

The information listed here is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not make this bug public
- do not submit this into OBS (e.g. fix Leap) until this is public

In accordance with our policy we will make this issue public latest at Internal CRD: 2020-05-31 or earlier. This is the latest possible date and we prefer to make it public earlier if the situation allows it. In that case we'll post a comment here setting the new date.

Only a member of the security team is allowed to make this issue public. Please speak to us if you want to take part in the public disclosure. In doubt please talk to us on IRC (#security) or send us a mail (security@suse.de).
The download protocol matters on the mirror, it can be http, yes. But the validation happens via gpg. So I do not see a security issue here.
I haven't looked at this in a year, but from comment #0:

> At this point, signatures of the package have not been verified.

So, GPG doesn't seem to be a protection at all.
ah, sorry ... one needs to scroll in that comment to see it, sorry. Re-assigning it to Marco
(In reply to Malte Kraus from comment #0)
> from bnc#1119444:
>
> > > osc/fetch.py/move_package: this builds the destination file name based on the contents of the downloaded file.

Good catch! Thanks a lot!
This is an autogenerated message for OBS integration: This bug (1122675) was mentioned in https://build.opensuse.org/request/show/809833 Factory / osc
This is an autogenerated message for OBS integration: This bug (1122675) was mentioned in https://build.opensuse.org/request/show/810270 Factory / osc
SUSE-SU-2020:1528-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): osc-0.162.1-15.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): osc-0.162.1-15.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1695-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): osc-0.169.1-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0852-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
openSUSE Leap 15.1 (src): osc-0.169.1-lp151.2.15.1
SUSE-SU-2020:1695-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122675
CVE References: CVE-2019-3681
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): osc-0.169.1-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
SUSE-SU-2022:4351-1: An update that solves two vulnerabilities, contains one feature and has 22 fixes is now available.

Category: security (important)
Bug References: 1089025,1097996,1122675,1125243,1126055,1126058,1127932,1129757,1129889,1131512,1136584,1137477,1138165,1138977,1140697,1142518,1142662,1144211,1154972,1155953,1156501,1160446,1166537,1173926
CVE References: CVE-2019-3681,CVE-2019-3685
JIRA References: OBS-203
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): osc-0.182.0-15.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1122675) was mentioned in https://build.opensuse.org/request/show/1072082 Tools / osc