Bug 967265 - (CVE-2016-4007) VUL-1: CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2016-4007:6.6:(AV:L/A...
Depends on: 967610
Reported: 2016-02-18 16:41 UTC by Frank Schreiner
Modified: 2022-01-25 14:35 UTC

Found By: Community User
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Frank Schreiner 2016-02-18 16:41:16 UTC
Affected packages:

* obs-service-source_validator
* obs-service-extract_file
* obs-service-download_files
* obs-service-recompress
* obs-service-verify_file
Comment 1 Bernhard Wiedemann 2016-02-18 18:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (967265) was mentioned in
https://build.opensuse.org/request/show/360185 13.2 / obs-service-source_validator+obs-service-recompress+obs-service-verify_file+obs-service-extract_file+obs-service-download_files
https://build.opensuse.org/request/show/360186 42.1 / obs-service-verify_file+obs-service-download_files+obs-service-extract_file+obs-service-source_validator+obs-service-recompress
Comment 2 Swamp Workflow Management 2016-02-18 23:00:13 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2016-02-19 10:28:11 UTC
Moving to security incidents for review
Comment 6 Andreas Stieger 2016-02-22 15:06:09 UTC
Frank, please fix the regression bug 967610 and resubmit for SLE 12.
Comment 7 Sebastian Krahmer 2016-02-22 15:09:56 UTC
Please also include this bsc# in the new submit. It's needed for tracking.
Comment 8 Frank Schreiner 2016-02-22 15:14:59 UTC
Thanks for your hints.

Commit https://github.com/openSUSE/obs-service-source_validator/pull/31/files is waiting for Rudi's review. Must the bsc# already be in the git commit message, or only in the OBS submit request?
Comment 9 Marcus Meissner 2016-02-22 15:16:13 UTC
In the .changes files of the submission, for us. I think it is also nice to have in the git commit message.
Comment 10 Marcus Meissner 2016-02-22 15:33:36 UTC
https://github.com/M0ses/obs-service-source_validator/commit/d469a76a613d585ede82e2a7857a5ad620364ea8 is the initial commit of the security fixes, I think.
Comment 11 Marcus Meissner 2016-02-22 15:35:44 UTC
As far as I see:

If existing source directories have weird filenames (with shell special characters), running source services locally might put local developers at risk.
Comment 12 Marcus Meissner 2016-02-23 12:04:55 UTC
This probably should not be rated critical?
Comment 14 Marcus Hüwe 2016-03-03 13:36:44 UTC
obs-service-format_spec_file seems to be affected as well. Fixed in https://github.com/openSUSE/obs-service-format_spec_file/pull/10
Comment 15 Marcus Meissner 2016-04-12 13:19:40 UTC
QA REPRODUCER:

touch "bar ;id; foo.spec" "foo ; bar; berk.changes"
osc service lr source_validator

before:
/usr/lib/obs/service/source_validators/20-files-present-and-referenced: line 55: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/20-files-present-and-referenced: line 55: test: too many arguments
/usr/lib/obs/service/source_validators/30-patches-applied: line 14: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/30-patches-applied: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/40-sequence-changes: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/45-stale-changes: line 23: test: too many arguments
/usr/lib/obs/service/source_validators/50-spec-version: line 14: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/50-spec-version: line 14: test: too many arguments
/usr/lib/obs/service/source_validators/60-spec-filelist: line 13: test: /suse/meissner/projects/bs/home:msmeissn/libtpms/libtpms: binary operator expected
/usr/lib/obs/service/source_validators/60-spec-filelist: line 13: test: too many arguments


after:
Different errors, complaining about the files only.
Comment 16 Marcus Meissner 2016-04-13 07:40:16 UTC
for i in $DIR_TO_CHECK/*.spec ; do
        test -f $i || continue

the $i also needs to be quoted (in all places, there are some more)

But in the end the whole script is full of unquoted parameters :/
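The loop shape quoted in comment 16, with the unquoted $i beside a quoted version, run against the kind of filenames the QA reproducer in comment 15 uses. This is an added example and not code from obs-service-source_validator; the function names and the fixture directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not the obs-service-source_validator code): the vulnerable
# loop shape from comment 16 next to a quoted version, exercised against a
# constructed directory. Function names are assumptions for this demo.

# Constructed fixture: spec names containing spaces and semicolons, the same
# kind of shell-significant characters the QA reproducer uses.
make_fixture() {
    d=$(mktemp -d)
    touch "$d/plain.spec" "$d/foo bar.spec" "$d/baz ; qux.spec"
    printf '%s\n' "$d"
}

# Vulnerable shape: $i is word-split, so "test -f" receives several
# arguments, fails with "too many arguments" (as in the reproducer output)
# and the "|| continue" silently skips the file. The validator fails open.
count_specs_unquoted() {
    DIR_TO_CHECK=$1
    n=0
    for i in $DIR_TO_CHECK/*.spec ; do
        test -f $i || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Hardened shape: every expansion is quoted, so each filename stays a single
# word no matter which spaces or metacharacters it contains.
count_specs_quoted() {
    DIR_TO_CHECK=$1
    n=0
    for i in "$DIR_TO_CHECK"/*.spec ; do
        test -f "$i" || continue
        n=$((n + 1))
    done
    echo "$n"
}
```

Running both counters on the fixture shows the unquoted loop seeing only plain.spec while the quoted loop sees all three files; the test messages printed on stderr by the unquoted loop match the "too many arguments" lines in the reproducer.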
Comment 17 Marcus Meissner 2016-04-13 13:14:53 UTC
(update was rejected)
Comment 18 Johannes Segitz 2016-04-26 13:09:08 UTC
Ping, please provide updated submits.
Comment 19 Frank Schreiner 2016-04-27 09:40:00 UTC
Sent mail to ro and meissner to find a proper solution for the problems in source_validator.
Comment 20 Frank Schreiner 2016-04-29 07:44:34 UTC
New PR:

https://github.com/openSUSE/obs-service-source_validator/pull/36
Comment 21 Frank Schreiner 2016-05-31 11:20:31 UTC
PR merged now

https://github.com/openSUSE/obs-service-source_validator/pull/36
Comment 24 Swamp Workflow Management 2016-06-22 15:08:09 UTC
openSUSE-SU-2016:1659-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
openSUSE 13.2 (src):    obs-service-source_validator-0.6+git20160531.fbfe336-9.1
Comment 25 Swamp Workflow Management 2016-06-22 16:09:12 UTC
openSUSE-SU-2016:1660-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
openSUSE Leap 42.1 (src):    obs-service-source_validator-0.6+git20160531.fbfe336-11.1
Comment 27 Swamp Workflow Management 2016-07-20 16:12:33 UTC
SUSE-SU-2016:1839-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 967265,967610
CVE References: CVE-2016-4007
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    obs-service-source_validator-0.6+git20160531.fbfe336-5.3
Comment 28 Marcus Meissner 2016-07-25 08:02:50 UTC
Released.
Comment 29 Swamp Workflow Management 2018-01-11 14:07:51 UTC
SUSE-SU-2018:0065-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1059858,1069904,796918,827480,891829,938556,967265,967610
CVE References: CVE-2016-4007,CVE-2017-14804,CVE-2017-9274
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    build-20171128-8.3.3, osc-0.162.1-7.4.1