Bugzilla – Bug 1224450
obs-service-cargo_vendor: online query for vulnerability reports prevents reproducing resulting source archive
Last modified: 2024-05-20 12:03:51 UTC
obs-service-cargo_vendor (github repo name) and obs-service-cargo (rpm package name) contain a security regression where it newly does an online query for vulnerability reports and, on finding one, stops with failure, which prevents reproducing its normally resulting source archive. This is a failure of ensuring integrity (OWASP A08:2021), as reproducing and comparing the output is required to verify it. The code location where this is turned into a stopping error is the error handling of this call of the function process_reports: https://github.com/openSUSE/obs-service-cargo_vendor/blob/master/cargo/src/utils/mod.rs#L228 (This source service program and a similarly named one that it replaced are used by many packagers to download sources needed for Rust applications that are then built and shipped in openSUSE and SUSE.)

While there is a workaround in specifying each found report ID to be ignored, that is not sufficient, as the goal for source services is to automatically verify them, see https://github.com/openSUSE/obs-service-source_validator/issues/134 . This bug prevents easy automated and manual verification that sources downloaded with this tool are the expected sources instead of possibly maliciously modified ones. This is also a needed step when reviewing proposed changes by others. Thus this also pushes people further to not do this verification, and thus basically to include entirely unreviewed code.

This security bug was reported in https://github.com/openSUSE/obs-service-cargo_vendor/issues/73 to its GitHub project, but the response was that they will "not maintain the behaviour as a guarantee or a feature" - https://github.com/openSUSE/obs-service-cargo_vendor/issues/64#issuecomment-1967885836 . This response was made by William Brown AKA blackhats.net.au AKA https://github.com/Firstyear AKA https://build.opensuse.org/users/firstyear and supported by Soc Virnyl S. Estela AKA https://github.com/uncomfyhalomacro AKA https://build.opensuse.org/users/uncomfyhalomacro . Furthermore, my understanding is that they refused any affordance of scientific discussion. (Note that William now has a many-years-long history of such actions.) This is incompatible with current openSUSE and SUSE security policy. But this repository is currently in the openSUSE GitHub org and this source service program is shipped in openSUSE Tumbleweed. I'm hesitant about CVE assignment for this class of bugs until we have generally improved the state a bit more. Normally maintainers can be convinced to accept this improvement of integrity protection. However, sadly, in this case I needed to give up and accept that it needs to happen. My first guess for a CVSSv3.1 score is: 2.3 AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
@dimstar, as you have higher permissions where this project resides (both openSUSE Github org and OBS), can you help?
See our previous comments: https://github.com/openSUSE/obs-service-cargo_vendor/issues/73#issuecomment-1965536865

> Furthermore my understanding is that they refused any affordance of scientific discussion. (Note that William now has a many years long history of such actions.)

There is no security vulnerability here and I believe you are attempting to weaponise the CVSS/CVE system to force me to take actions to support a topic that you are personally invested in. At this point I would rather say that the issue is not my willingness to discuss things, but the apparent and public hostility you have shown me on multiple occasions. I simply do not wish to engage with you because you do not treat me and others in a manner that is acceptable in a community nor a workplace. As a result, if you feel compelled that I need to take action, you are welcome to request this via my management chain instead. I will not respond further to this issue.