Bug 1206836 - (CVE-2023-22643) VUL-0: CVE-2023-22643: libzypp-plugin-appdata: potential arbitrary code execution via shell injection due to `os.system` calls
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Normal
Target Milestone: ---
Assigned To: Dominique Leuenberger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/352703/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22643:6.3:(AV:...
Reported: 2023-01-04 12:36 UTC by Matthias Gerstner
Modified: 2023-03-01 13:35 UTC (History)



Attachments
Proposed patch (631 bytes, patch), 2023-01-04 13:48 UTC, Dominique Leuenberger

Description Matthias Gerstner 2023-01-04 12:36:30 UTC
In bug 1204314 I reviewed the current Zypper plugins we ship for
openSUSE:Factory. libzypp-plugin-appdata is one of them.

While this plugin is a very simple and short Python script installed in

    /usr/lib/zypp/plugins/appdata/InstallAppdata

it uses unsafe `os.system()` invocations that go through the shell and thus
are subject to shell command injection.

We can find the following code in the script:

    ```
    # Install new appdata files - libzypp calls us with 6 parameters per repo:
    # -R REPO_ALIAS -t REPO_TYPE -p REPO_METADATA_PATH [-R NEXT_REPO....]
    # We can just blindly pass the parameters through to to helper
    args=sys.argv[1:]
    
    try:
      while args[0] == "-R":
        os.system("/usr/lib/AsHelper install %s %s %s %s %s %s" % (args[0], args[1], args[2], args[3], args[4], args[5]))
        args=args[6:]
    except IndexError:
        pass
    ```

So there are three potential input parameters that could contain shell code:

- REPO_ALIAS (free form string)
- REPO_TYPE (typically "rpm-md")
- REPO_METADATA_PATH (typically "/var/cache/zypp/raw/...")

The REPO_ALIAS is the most likely to contain dangerous characters. A
reproducer to trigger this looks like this:

    ```
    root# zypper ar -f http://download.opensuse.org/tumbleweed/repo/non-oss/ "; touch /root/evil ; echo "
    root# zypper ref
    root# ls -lh /root/evil
    -rw-r--r-- 1 root root 0 Jan  4 13:25 /root/evil
    ```

When checking with strace, we find that the invocation of the plugin
through zypper looks like this:

"/usr/lib/zypp/plugins/appdata/InstallAppdata", "-R", "; touch /root/evil ; echo ", "-t", "rpm-md", "-p", "/var/cache/zypp/raw/; touch _root_evil ; echo " [...]

So the REPO_METADATA_PATH also includes the alias, but it is transformed a
bit, like slashes being replaced by underscores, resulting in a `touch
_root_evil` that will cause this file also to come into existence in the CWD.

It is a bit bad that libzypp doesn't reject certain characters for the
repository alias. But the way it is, each individual plugin needs to cope with
potentially dangerous input here.

The repository alias is not typically under attacker control, but there could
exist circumstances where this is the case, in more complex scenarios than a
default SUSE installation. The exploitability is limited, but if it can be
exploited then the impact is arbitrary code execution. Thus a VUL-0 bug is
justified here IMO.
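Added example, not code from the bug report or from the libzypp-plugin-appdata package: the plugin's argument loop reconstructed twice, once building the `os.system()` string the way the vulnerable script does, once building an argv list for `subprocess.run()` without a shell. The sample argv is constructed from the strace line quoted above (alias plus the underscore-transformed metadata path); the `/usr/lib/AsHelper` path is only interpolated, never executed, and the hardened call is exercised against a stand-in helper (this Python interpreter echoing its argv) so the whole thing runs offline.

```python
"""InstallAppdata argument handling: shell string vs. argv list."""
import json
import shlex
import subprocess
import sys
from typing import List

# Helper path from the report; used to build the command, never executed here.
AS_HELPER = "/usr/lib/AsHelper"

# Constructed sample, mirroring what libzypp passed to the plugin in the
# reproducer (strace excerpt in the bug): one repo chunk, alias injected.
ZYPP_ARGV = [
    "-R", "; touch /root/evil ; echo ",
    "-t", "rpm-md",
    "-p", "/var/cache/zypp/raw/; touch _root_evil ; echo ",
]


def split_repo_chunks(args: List[str]) -> List[List[str]]:
    """Split argv into 6-element chunks (-R ALIAS -t TYPE -p PATH) like the
    plugin's while loop; a trailing incomplete chunk is dropped, which is what
    the original `except IndexError: pass` amounts to."""
    chunks = []
    while args[:1] == ["-R"] and len(args) >= 6:
        chunks.append(args[:6])
        args = args[6:]
    return chunks


def vulnerable_command(chunk: List[str]) -> str:
    """The original pattern: interpolate all six values into one string that
    os.system() would hand to /bin/sh -c. Returned for inspection only."""
    return "%s install %s %s %s %s %s %s" % (AS_HELPER, *chunk)


def shell_command_count(cmd: str) -> int:
    """Tokenize like a POSIX shell and count the simple commands it would run:
    every ';' separator starts another command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer).count(";") + 1


def safe_argv(chunk: List[str]) -> List[str]:
    """Hardened pattern: an argv list for subprocess.run(argv, check=True).
    No shell is involved, so metacharacters in the alias stay inside one
    argument and reach the helper as plain data."""
    return [AS_HELPER, "install", *chunk]


def run_safe_demo(chunk: List[str]) -> List[str]:
    """Run the hardened call shape against a stand-in helper (this interpreter
    printing its argv as JSON) and return the argv the helper received."""
    stand_in = [sys.executable, "-c",
                "import json, sys; print(json.dumps(sys.argv[1:]))"]
    argv = safe_argv(chunk)
    # Only the helper path is swapped; the arguments are passed unchanged.
    proc = subprocess.run(stand_in + argv[1:], capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for chunk in split_repo_chunks(ZYPP_ARGV):
        cmd = vulnerable_command(chunk)
        print("os.system() string:", cmd)
        print("commands sh would run:", shell_command_count(cmd))
        print("argv the helper receives without a shell:", run_safe_demo(chunk))
```

With the reproducer alias, the interpolated string tokenizes into five shell commands (the helper call, two `touch` invocations and two `echo`s), while the argv list delivers the same alias to the helper as a single argument. Switching to an argv list is the whole fix on the plugin side; the helper itself still has to treat the alias as data rather than passing it on to another shell.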
Comment 9 Dominique Leuenberger 2023-01-05 10:24:42 UTC
Outlined plan for the update (as agreed with Robert):

Patch to be added to
- SUSE:SLE-15:Update/libzypp-plugin-appdata
- SUSE:SLE-15-SP1:Update/libzypp-plugin-appdata
- SUSE:SLE-15-SP4:Update/libzypp-plugin-appdata

The difference between the versions is so minimal that we agreed to align the three packages

Between 15:Update and SP4:Update there are three chunks of diff:

* AppStream recommended instead of required (AppStream is only used by the KDE Software Center, not the SLE-shipped GNOME Software)
* Hardcode %_prefix/lib instead of %_libexecdir; this is a NOP on SLE, as libexecdir == /usr/lib
* systemd service hardening added

I'm preparing the mbranch in IBS and will submit it
Comment 15 Robert Frohl 2023-01-17 11:51:47 UTC
(In reply to Dominique Leuenberger from comment #9)
> Patch to be added to
> - SUSE:SLE-15:Update/libzypp-plugin-appdata
> - SUSE:SLE-15-SP1:Update/libzypp-plugin-appdata
> - SUSE:SLE-15-SP4:Update/libzypp-plugin-appdata

SLE-15 reached end of life in December and will not get updates anymore.
Comment 16 John Carrick Smith 2023-01-17 16:20:18 UTC
What is currently in the update repo fails with

Wrong Digest

The expected checksum of file /var/tmp/AP_0x6MW4IW/noarch/libzypp-plugin-appdata-1.0.1+git.20180426-150400.18.3.1.noarch.rpm
is 264889dc59298168d1240f66b69b21fe389936fbcf70516de628b5c8c5f99727,
but the current checksum is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.

The file has been changed by accident or by an attacker
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.

I can see that this is an active bug.

John
Comment 17 Swamp Workflow Management 2023-01-17 17:18:04 UTC
SUSE-SU-2023:0095-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1206836
CVE References: CVE-2023-22643
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150400.18.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150400.18.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150400.18.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Dominique Leuenberger 2023-01-18 08:13:37 UTC
:(

[   32s] libzypp-plugin-appdata.noarch: E: zypperplugin-file-digest-mismatch (Badness: 10000) /usr/lib/zypp/plugins/appdata/InstallAppdata expected sha256:659f9bdf79eebdca9f69a4924c0c3b53388ab3469c737759c1ea133eab460969, has:ba77e8dab356d70dfe0f38a63c9cced0b81d47c8af36b41f88fa30597330ff43
[   32s] A whitelisting related zypper plugin file changed in content. Packaging zypper
[   32s] plugins requires a review and whitelisting by the SUSE security team. If the
[   32s] package is intended for inclusion in any SUSE product please open a bug report
[   32s] to request review of the package by the security team. Please refer to
[   32s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   32s] more information.

Can we please get that unblocked for Factory so I can submit this fix there too? Did not anticipate this extra loop
Comment 19 Matthias Gerstner 2023-01-18 08:50:18 UTC
(In reply to dimstar@opensuse.org from comment #18)
> Can we please get that unblocked for Factory so I can submit this fix there too? Did not anticipate this extra loop

Yes, this restriction got newly introduced and was the reason why I stumbled
over this issue in the first place. I whitelisted the vulnerable version since it
was already there.

I forgot to tell you and prepare a new whitelisting. Sorry about that. I will
take care of the adjustment now.
Comment 20 OBSbugzilla Bot 2023-01-18 10:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1206836) was mentioned in
https://build.opensuse.org/request/show/1059322 Factory / rpmlint
Comment 21 OBSbugzilla Bot 2023-01-19 18:55:10 UTC
This is an autogenerated message for OBS integration:
This bug (1206836) was mentioned in
https://build.opensuse.org/request/show/1059845 Factory / rpmlint
Comment 22 Sheela Chandran 2023-01-23 07:24:48 UTC
Hello All,

There is a new conflict that customers are experiencing after the patch has been released.

/usr/lib/YaST2/bin/online_update
Problem: the to be installed patch:SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-95-1.noarch conflicts with 'libzypp-plugin-appdata.noarch < 1.0.1+git.20180426-150400.18.3.1' provided by the installed libzypp-plugin-appdata-1.0.1+git.20180426-150400.16.5.noarch
 Solution 1: deinstallation of libzypp-plugin-appdata-1.0.1+git.20180426-150400.16.5.noarch
 Solution 2: do not install patch:SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-95-1.noarch

Choose from above solutions by number or cancel [1/2/c/d/?] (c): c

Do I need to raise a new bug for this, or can it be treated here? Please update.
Comment 23 Marcus Meissner 2023-01-23 10:11:47 UTC
Can you please check if the SLE Module Desktop Applications is enabled for updates?

It contains this package.
Comment 24 Marcus Meissner 2023-01-23 10:14:22 UTC
(e.g. the update needs both the Package Hub and the Desktop Applications Module enabled for update)
Comment 25 Swamp Workflow Management 2023-01-25 17:18:46 UTC
SUSE-SU-2023:0140-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1181400,1206836
CVE References: CVE-2023-22643
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Enterprise Storage 7.1 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Enterprise Storage 7 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE Enterprise Storage 6 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1
SUSE CaaS Platform 4.0 (src):    libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Dominique Leuenberger 2023-03-01 11:55:59 UTC
Fixed in upstream code base and patches have been released