Bug 901643 - (CVE-2015-0778) VUL-0: CVE-2015-0778: osc _service file shell injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Adrian Schröter
Reported: 2014-10-16 19:45 UTC by Ludwig Nussel
Modified: 2016-04-27 18:52 UTC

Attachments
quick patch, I didn't review all cases (2.62 KB, patch)
2014-10-16 19:48 UTC, Ludwig Nussel
updated patch (3.13 KB, patch)
2015-03-11 13:26 UTC, Ludwig Nussel

Description Ludwig Nussel 2014-10-16 19:45:25 UTC
add something like this to a _service file and execute osc service run:

<param name="pwn">';xterm;'</param>
Comment 1 Ludwig Nussel 2014-10-16 19:48:46 UTC
Created attachment 610425
quick patch, I didn't review all cases
Comment 2 Swamp Workflow Management 2014-10-16 22:00:33 UTC
bugbot adjusting priority
Comment 3 Ludwig Nussel 2014-10-17 06:24:37 UTC
ah and name wasn't sanitized either, so you could execute arbitrary commands that way as well (didn't try though)
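
The injection reported above, as an added example that is not part of the original bug thread and is not osc's own code: it assumes the client wraps each param value in single quotes inside one shell string, which is what the payload in the description implies. The helper directory, the function names and the name allow-list are hypothetical; nothing is executed, the shell string is only tokenized to show where the shell would split it.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed _service file; the param value is the one from the bug description.
SERVICE_XML = """<services>
  <service name="download_url">
    <param name="pwn">';xterm;'</param>
  </service>
</services>"""
SERVICE_DIR = "/usr/lib/obs/service"  # assumed location of the service helpers
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")  # hypothetical allow-list

def parse_services(xml_text):
    """Yield (service_name, [(param_name, value), ...]) from a _service file."""
    for svc in ET.fromstring(xml_text).iter("service"):
        params = [(p.get("name", ""), p.text or "") for p in svc.iter("param")]
        yield svc.get("name", ""), params

def build_shell_string(name, params):
    """Vulnerable pattern: untrusted values quoted by hand inside one shell string."""
    cmd = "%s/%s" % (SERVICE_DIR, name)
    for pname, value in params:
        cmd += " --%s '%s'" % (pname, value)
    return cmd

def shell_commands(cmd):
    """Tokenize like a POSIX shell and split at ';' into separate commands."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # combined with punctuation_chars: Python 3.8+
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    return commands + [current]

def build_argv(name, params):
    """Hardened pattern: validate names, pass values as list items, use no shell."""
    for n in [name] + [pname for pname, _ in params]:
        if not SAFE_NAME.fullmatch(n):
            raise ValueError("unsafe name in _service file: %r" % n)
    argv = ["%s/%s" % (SERVICE_DIR, name)]
    for pname, value in params:
        argv += ["--" + pname, value]
    return argv  # suitable for subprocess.run(argv) with shell=False
```

With the sample file, `shell_commands(build_shell_string(...))` returns three commands, the second being `xterm` on its own, while `build_argv` keeps the whole value as a single argument.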
Comment 4 Ludwig Nussel 2014-10-17 06:35:34 UTC
name doesn't seem to get sanitized on server side either
Comment 5 Ludwig Nussel 2015-03-11 13:26:01 UTC
Created attachment 626334
updated patch

any plans to fix this or at least verify whether this is exploitable on server side for a start?
Comment 6 Adrian Schröter 2015-03-11 16:44:36 UTC
The server side approach is using a safe array implementation here (even though the parameter checks just got improved a bit).

So this is a client side/osc issue. It affects users who checkout sources from foreign people with a crafted _service file. Security team, do you want to assign a CVE number to this?

Otherwise we just release a new osc version these days.
Comment 7 Adrian Schröter 2015-03-12 08:00:27 UTC
okay, it is also a server side issue.

Can you please request a CVE for

 server and client side arbitrary command execution in source service handling of OBS.

?
Comment 8 Johannes Segitz 2015-03-12 09:17:10 UTC
Please use CVE-2015-0778 for this issue.
Comment 9 Adrian Schröter 2015-03-12 09:56:18 UTC
osc submissions for SLE 11, 12 and openSUSE 13.1 and 13.2 are out there.

Server side parts will be fixed in 

 2.4.7
 2.5.6
 2.6.1

releases.
Comment 10 Adrian Schröter 2015-03-12 19:03:11 UTC
everything went out, including osc to openSUSE:Tools and factory submission.

Again, thanks a lot to all of you.
Comment 11 Swamp Workflow Management 2015-03-12 20:05:15 UTC
openSUSE-SU-2015:0486-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 901643
CVE References: CVE-2015-0778
Sources used:
openSUSE 13.2 (src):    osc-0.151.0-8.1
openSUSE 13.1 (src):    osc-0.151.0-2.24.1
Comment 12 Swamp Workflow Management 2015-03-12 20:05:35 UTC
SUSE-SU-2015:0487-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 901643
CVE References: CVE-2015-0778
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    osc-0.151.0-8.1
Comment 13 Andreas Stieger 2015-03-13 11:01:26 UTC
public
Comment 14 Swamp Workflow Management 2015-08-07 12:10:29 UTC
SUSE-SU-2015:1361-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 901643,936939
CVE References: CVE-2015-0778
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    osc-0.152.0-6.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    osc-0.152.0-6.2