Bug 938556 - (CVE-2017-9274) VUL-0: CVE-2017-9274: osc executes spec code during "osc commit"
(CVE-2017-9274)
VUL-0: CVE-2017-9274: osc executes spec code during "osc commit"
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 13.2
: P3 - Medium : Normal
: unspecified
Assigned To: Ruediger Oertel
Security Team bot
CVSSv3:SUSE:CVE-2017-9274:7.8:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-17 11:18 UTC by Christian Boltz
Modified: 2020-06-18 23:34 UTC (History)
9 users (show)

See Also:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
"osc -v -d commit" output (4.13 KB, text/plain)
2015-07-17 14:49 UTC, Christian Boltz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Boltz 2015-07-17 11:18:18 UTC
I noticed something interesting while commiting home:cboltz/apparmor
(using osc-0.151.2-2.1.noarch)

# osc commit
[... gpg check ...]
- package has apparmor-rpmlintrc: (unchanged)
- package has baselibs.conf: (unchanged)
sh: /usr/sbin/apxs2: Datei oder Verzeichnis nicht gefunden    <------ huh?
Sending    apparmor.spec
Deleting    parser-optflags.diff
Transmitting file data
Committed revision 188.

The apxs2 call is probably caused by
    %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
in apparmor.spec.

I doubt this behaviour is intentional, and hope we don't have any spec file with
    %define bad_luck %(rm -rf /)
;-)
Comment 1 Andreas Stieger 2015-07-17 11:32:08 UTC
The attack scenario here is an untrusted packager tricking the victim into making an otherwise unrelated change.

The following commands are known to execute commands specified in the spec file for macros:
* osc commit
* quilt setup

The following packages are known to show this:
* apparmor (commit)
* subversion (quilt setup)
Comment 2 Marcus Hüwe 2015-07-17 11:36:56 UTC
(In reply to Christian Boltz from comment #0)
> I noticed something interesting while commiting home:cboltz/apparmor
> (using osc-0.151.2-2.1.noarch)
> 
> # osc commit
> [... gpg check ...]
> - package has apparmor-rpmlintrc: (unchanged)
> - package has baselibs.conf: (unchanged)
> sh: /usr/sbin/apxs2: Datei oder Verzeichnis nicht gefunden    <------ huh?

This is caused by a local source service run. Can you please run
"osc -d commit ..." in order to see which source service
causes this behavior?
Comment 3 Andreas Stieger 2015-07-17 11:42:50 UTC
setting needinfo reporter
Comment 4 Christian Boltz 2015-07-17 14:49:49 UTC
Created attachment 641269 [details]
"osc -v -d commit" output

Most relevant lines:

[...]
Run source service: /usr/lib/obs/service/source_validator --outdir /tmp/tmpLPEyOi
[... GPG check ...]
- package has apparmor-rpmlintrc: (unchanged)
- package has baselibs.conf: (unchanged)
sh: /usr/sbin/apxs2: Datei oder Verzeichnis nicht gefunden
Sending    apparmor.spec
[...]
Comment 5 Swamp Workflow Management 2015-07-17 21:59:57 UTC
bugbot adjusting priority
Comment 6 Marcus Hüwe 2015-07-20 10:10:15 UTC
The obs-service-source_validator's 20-files-present-and-referenced script
executes the %prep section in order to check if all files are present
(unrelated note: even though executing %prep is successful some sources might
still be missing; maybe we should use something like like "rpmspec -P <spec>"
and check if all "sources" are present).

The problem is that we cannot correctly detect missing sources without
expanding all macros.
Comment 8 Marcus Meissner 2016-08-01 14:34:04 UTC
as we fixed filename based inkjection problems we probably also should think how to solve this.

or declare source_validator unsafe :(
Comment 9 Marcus Hüwe 2016-08-02 00:09:18 UTC
PR 39 (https://github.com/openSUSE/obs-service-source_validator/pull/39) should
fix it. Now, we use Build::Rpm for extracting the sources, patches etc. from the
spec, which doesn't expand %(...) macros. The drawback is that it might break
some packages...
A different approach would be executing the rpmbuild command in a vm/chroot, but
that's probably too much overhead and not worth the effort (IMHO).
Comment 10 Johannes Segitz 2017-08-09 15:04:08 UTC
doesn't seem like a lot of packages broke, so lets close this
Comment 11 Marcus Hüwe 2017-08-09 17:20:19 UTC
(In reply to Johannes Segitz from comment #10)
> doesn't seem like a lot of packages broke, so lets close this

Hmm nothing broke, because nothing was fixed so far:/
I just updated the PR again.
Comment 12 Marcus Hüwe 2017-08-09 18:24:39 UTC
(In reply to Marcus Hüwe from comment #11)
> I just updated the PR again.

Update: the PR was merged (see commit 0cb8321 [1]).

[1] https://github.com/openSUSE/obs-service-source_validator/commit/0cb832185b71e869bb84fc995f483275c5c4158d
Comment 13 Adrian Schröter 2017-08-10 06:55:05 UTC
hm, why is this closed? We still have to release maintenance updates for this...

This is really grave IMHO, since it is easy to attack developer workstations via that...

Rudi, can you take care or shall I ask Marco?
Comment 14 Marco Strigl 2017-08-10 07:52:31 UTC
I am working on it.
Comment 15 Johannes Segitz 2017-08-10 07:59:48 UTC
This is CVE-2017-9274
Comment 16 Bernhard Wiedemann 2017-08-10 10:01:45 UTC
This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/515847 Factory / obs-service-source_validator
Comment 17 Marcus Hüwe 2017-08-10 10:38:33 UTC
Hrm the 70-baselibs script is also affected... I'm working on it.
Comment 19 Adrian Schröter 2017-08-11 11:57:28 UTC
yep, just submitted a new version ~1 hour ago ignoring this particular problem.
Comment 20 Bernhard Wiedemann 2017-08-11 12:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/516094 Factory / obs-service-source_validator
Comment 21 Bernhard Wiedemann 2017-08-11 14:06:03 UTC
This is an autogenerated message for OBS integration:
This bug (938556) was mentioned in
https://build.opensuse.org/request/show/516111 Factory / obs-service-source_validator
Comment 22 Marcus Hüwe 2017-08-11 14:52:56 UTC
Hmm reopening again until the 70-baselibs script is fixed as well (I'm almost
done...).
Comment 23 Marcus Hüwe 2017-08-13 23:09:06 UTC
I just created PR 51 [1] to fix the 70-baselibs script (note: this could
potentially also break some packages).

[1] https://github.com/openSUSE/obs-service-source_validator/pull/51
Comment 24 Marcus Hüwe 2017-08-18 12:05:54 UTC
The 70-baselibs script is fixed with commit 7fe8be5 [1].

[1] https://github.com/openSUSE/obs-service-source_validator/commit/7fe8be5
Comment 25 Ruediger Oertel 2017-11-28 17:27:22 UTC
let's close it then
Comment 26 Marcus Hüwe 2017-11-28 17:48:27 UTC
(In reply to Ruediger Oertel from comment #25)
> let's close it then

Hmm iiuc, we haven't released maintenance updates for this (according to
comment 13 maintenance updates are needed).
Comment 27 Adrian Schröter 2017-11-29 08:15:09 UTC
I will include the update in the current running build & osc maintenance update.
Comment 28 Swamp Workflow Management 2017-12-08 17:19:33 UTC
SUSE-SU-2017:3253-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    build-20171128-9.3.2, obs-service-source_validator-0.7-9.3.1, osc-0.162.0-15.3.1
Comment 29 Swamp Workflow Management 2017-12-09 11:09:21 UTC
openSUSE-SU-2017:3259-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1059858,1061500,1069904,665768,938556
CVE References: CVE-2010-4226,CVE-2017-14804,CVE-2017-9274
Sources used:
openSUSE Leap 42.3 (src):    build-20171128-5.1, obs-service-source_validator-0.7-16.1, osc-0.162.0-10.1
openSUSE Leap 42.2 (src):    build-20171128-2.6.1, obs-service-source_validator-0.7-13.6.1, osc-0.162.0-7.7.1
Comment 30 Swamp Workflow Management 2018-01-11 14:07:41 UTC
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    build-20171128-8.3.3, osc-0.162.1-7.4.1
Comment 31 Marcus Meissner 2018-01-11 15:41:56 UTC
released