Bugzilla – Bug 1122683
AUDIT-FIND: osc: deprecate insecure APIs
Last modified: 2024-06-28 12:45:03 UTC
From bnc#1119444:

> > The OSC client has some vulnerable code in it that it doesn't use itself but provides as a library to plugins. In one case there's even a comment explicitly marking this as insecure, but it is not removed due to compatibility concerns. If not breaking backwards compatibility under any circumstances is that important, I recommend adding deprecation warnings (https://docs.python.org/2.6/library/warnings.html#temporarily-suppressing-warnings) to move plugins over to secure APIs.
> > Can you create a dedicated request for this?

Specifically, the 'unpack_srcrpm' function has such a warning as a comment. Also, 'Ar.saveTo' and 'CpioRead.copyin' can be made to store files in arbitrary locations if the archive they parse contains a filename starting with a "/".
I had a quick look, this still seems unsolved. Marco, can you please have a look?
unpack_srcrpm() was fixed in the following commit:

commit dbdc712018b6eb8d8a100ed783b49ae7f7e166bb
Author: Marcus Huewe <suse-tux@gmx.de>
Date:   Thu Sep 28 14:46:40 2017 +0200

    Really fix potential shell injections

    This is a follow-up commit for commit c9c0f8a. Using
    core.run_external with shell=True is too error-prone.

    Fixes: #340 ("osc add of directories does not quote the argument")

I'm removing the following warning because the command is executed via Popen(), which has shell=False, therefore no injection is possible:

    # XXX: shell injection is possible via the files parameter, but the
    # current osc code does not use the files parameter.

I've fixed the 'ar' and 'cpio' code and added safeguards that error out on extracting files with absolute paths.

Upstream PR: https://github.com/openSUSE/osc/pull/1571
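The absolute-path problem behind the 'cpio' part of this bug (an archive member named "/tmp/owned" being written to exactly that location) is easy to reproduce with a minimal cpio reader, and the safeguard is a single path check before anything touches the filesystem. The following is an added example written for this page; it is not code from osc or from the upstream PR. The archive builder, the entry names, and the safe_target() helper are constructed for the demonstration; the byte layout is the standard SVR4 "newc" cpio format.

```python
"""Hardened cpio ("newc") extraction that refuses entries which would land
outside the destination directory.

Added example for this page, not code from osc or from the upstream PR.
The archive builder, entry names and safe_target() are constructed here.
"""
import os
import tempfile

MAGIC = b"070701"      # newc magic, followed by thirteen 8-digit hex fields
TRAILER = "TRAILER!!!"


class UnsafeArchiveEntry(ValueError):
    """Raised for an entry name that would escape the destination."""


def build_newc(entries):
    """Build a newc cpio archive from (name, data) pairs (constructed input)."""
    out = bytearray()

    def add(name, data, mode):
        name_bytes = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0)
        out.extend(MAGIC + b"".join(b"%08x" % v for v in fields) + name_bytes)
        out.extend(b"\0" * (-len(out) % 4))   # header+name padded to 4 bytes
        out.extend(data)
        out.extend(b"\0" * (-len(out) % 4))   # data padded to 4 bytes

    for name, data in entries:
        add(name, data, 0o100644)
    add(TRAILER, b"", 0)
    return bytes(out)


def iter_newc(data):
    """Yield (name, mode, payload) for each entry up to the trailer."""
    off = 0
    while True:
        if data[off:off + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        fields = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        off += 110
        name = data[off:off + namesize - 1].decode()   # namesize counts the NUL
        off += namesize
        off += -off % 4
        payload = data[off:off + filesize]
        off += filesize
        off += -off % 4
        if name == TRAILER:
            return
        yield name, mode, payload


def safe_target(dest, name):
    """Map an entry name to a path inside dest, or raise UnsafeArchiveEntry.

    This is the check the vulnerable copyin lacked: "/tmp/owned" would be
    written verbatim. realpath() also catches "../" and symlinked escapes.
    """
    if not name or os.path.isabs(name):
        raise UnsafeArchiveEntry("absolute or empty entry name: %r" % name)
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeArchiveEntry("entry escapes destination: %r" % name)
    return target


def copyin(archive, dest):
    """Extract regular files into dest; return the relative paths written.

    Every name is validated before the first write, so a hostile entry late
    in the archive cannot leave a half-extracted tree behind.
    """
    regular = [(n, p) for n, m, p in iter_newc(archive) if (m & 0o170000) == 0o100000]
    targets = [safe_target(dest, n) for n, _ in regular]
    written = []
    for (name, payload), target in zip(regular, targets):
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(payload)
        rel = os.path.relpath(target, os.path.realpath(dest))
        written.append(rel.replace(os.sep, "/"))
    return written


def demo():
    """Extract a benign archive, then two hostile ones; report the outcome."""
    benign = build_newc([("demo.spec", b"Name: demo\n"), ("src/a.c", b"int x;\n")])
    hostile = {
        "absolute": build_newc([("/tmp/owned", b"x")]),
        "traversal": build_newc([("../escape", b"x")]),
    }
    with tempfile.TemporaryDirectory() as dest:
        written = copyin(benign, dest)
        outcome = {}
        for label, archive in hostile.items():
            try:
                copyin(archive, dest)
                outcome[label] = "extracted"
            except UnsafeArchiveEntry:
                outcome[label] = "rejected"
    return written, outcome


if __name__ == "__main__":
    print(demo())
```

The two details worth copying into any extractor are the order of operations (validate every name, then write) and the use of realpath() on both sides of the comparison, which is what makes the check hold for "../" sequences and for entries routed through a symlink that an earlier entry created. Symlink and directory entries are skipped here only to keep the example short; a real copyin has to apply the same target check to them as well.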
Fixed upstream, the fix will be part of the next release to Factory.
This is an autogenerated message for OBS integration: This bug (1122683) was mentioned in https://build.opensuse.org/request/show/1183845 Tools / osc