openSUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:0329-1
Rating:             important
References:         #1076410 #1082696 #1105361 #1107507 #1107944
Cross-References:   CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
Affected Products:
                    openSUSE Backports SLE-15
______________________________________________________________________________

   An update that solves three vulnerabilities and has two fixes is now
   available.

Description:

   This update for obs-service-tar_scm fixes the following issues:

   Security vulnerabilities addressed:

   - CVE-2018-12473: Fixed a path traversal issue which allowed users to
     access files outside of the repository using relative paths
     (bsc#1105361)
   - CVE-2018-12474: Fixed an issue whereby crafted service parameters
     allowed for unexpected behaviour (bsc#1107507)
   - CVE-2018-12476: Fixed an issue whereby the outfilename parameter
     allowed writing files outside of the package directory (bsc#1107944)

   Other bug fixes and changes made:

   - Prefer UTF-8 locale as output format for changes
   - added KankuFile
   - fix problems with unicode source files
   - added python-six to Requires in specfile
   - better encoding handling - fixes bsc#1082696 and bsc#1076410
   - fix unicode in containers
   - move to python3
   - added logging for better debugging changesgenerate
   - raise exception if no changesauthor given
   - Stop using @opensuse.org addresses to indicate a missing address
   - move argparse dep to -common package
   - allow submodule and ssl options in appimage
   - sync spec file as used in openSUSE:Tools project
   - check encoding problems for svn and print proper error msg
   - added new param '--locale'
   - separate service file installation in GNUmakefile
   - added glibc as Recommends in spec file
   - cleanup for broken svn caches
   - another fix for unicode problem in obs_scm
   - Final fix for unicode in filenames
   - Another attempt to fix unicode filenames in prep_tree_for_archive
   - fix bug with unicode filenames in prep_tree_for_archive
   - reuse _service*_servicedata/changes files from previous service runs
   - fix problems with unicode characters in commit messages for
     changeloggenerate
   - fix encoding issues if commit message contains utf8 char
   - revert encoding for old changes file
   - remove hardcoded utf-8 encodings
   - Add support for extract globbing
   - split pylint2 in GNUmakefile
   - fix check for "--reproducible"
   - create reproducible obscpio archives
   - fix regression from 44b3bee
   - Support also SSH urls for Git
   - check name/version option in obsinfo for slashes
   - check url for remote url
   - check symlinks in subdir parameter
   - check filename for slashes
   - disable follow_symlinks in extract feature
   - switch to obs_scm for this package
   - run download_files in appimage and snapcraft case
   - check --extract file path for parent dir
   - Fix parameter descriptions
   - changed os.removedirs -> shutil.rmtree
   - Adding information regarding the *package-metadata* option for the
     *tar* service

     The tar service is highly useful in combination with the *obscpio*
     service. After the fix for the metadata for the latter one, it is
     important to inform the users of the *tar* service that metadata is
     kept only if the flag *package-metadata* is enabled. Add the flag to
     the .service file for mentioning that.
   - Allow metadata packing for CPIO archives when desired

     As of now, metadata are always excluded from *obscpio* packages. This
     is because the *package-metadata* flag is ignored; this change
     (should) make *obscpio* aware of it.
   - improve handling of corrupt git cache directories
   - only do git stash save/pop if we have a non-empty working tree (#228)
   - don't allow DEBUG_TAR_SCM to change behaviour (#240)
   - add stub user docs in lieu of something proper (#238)
   - Remove clone_dir if clone fails
   - python-unittest2 is only required for the optional make check
   - move python-unittest2 dep to test suite only part (submission by olh)
   - Removing redundant pass statement
   - missing import for logging functions.
   - [backend] Adding http proxy support
   - python-unittest2 is only required for the optional make check
   - make installation of scm's optional
   - add a lot more detail to README
   - Git clone with --no-checkout in prepare_working_copy
   - Refactor and simplify git prepare_working_copy
   - Only use current dir if it actually looks like git (Fixes #202)
   - reactivate test_obscpio_extract_d
   - fix broken test create_archive
   - fix broken tests for broken-links
   - changed PREFIX in Gnumakefile to /usr
   - new cli option --skip-cleanup
   - fix for broken links
   - fix reference to snapcraft YAML file
   - fix docstring typo in TarSCM.scm.tar.fetch_upstream
   - acknowledge deficiencies in dev docs
   - wrap long lines in README

   This update was imported from the SUSE:SLE-15:Update update project.

   This update was imported from the openSUSE:Leap:15.0:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15:

      zypper in -t patch openSUSE-2019-329=1

Package List:

   - openSUSE Backports SLE-15 (noarch):

      obs-service-appimage-0.10.5.1551309990.79898c7-bp150.3.3.1
      obs-service-obs_scm-0.10.5.1551309990.79898c7-bp150.3.3.1
      obs-service-obs_scm-common-0.10.5.1551309990.79898c7-bp150.3.3.1
      obs-service-snapcraft-0.10.5.1551309990.79898c7-bp150.3.3.1
      obs-service-tar-0.10.5.1551309990.79898c7-bp150.3.3.1
      obs-service-tar_scm-0.10.5.1551309990.79898c7-bp150.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2018-12473.html
   https://www.suse.com/security/cve/CVE-2018-12474.html
   https://www.suse.com/security/cve/CVE-2018-12476.html
   https://bugzilla.suse.com/1076410
   https://bugzilla.suse.com/1082696
   https://bugzilla.suse.com/1105361
   https://bugzilla.suse.com/1107507
   https://bugzilla.suse.com/1107944

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
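The kind of containment checks the changelog lists for the fixed parameters ("check --extract file path for parent dir", "check symlinks in subdir parameter", "check filename for slashes", "disable follow_symlinks in extract feature"), written out as an added example; this is not code from obs-service-tar_scm, and the function names, the UnsafePath exception and the constructed temporary directory layout are assumptions.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """A service parameter would read or write outside the package directory."""


def safe_outfilename(name):
    """outfilename must be a single path component: no slashes, not '.'/'..'."""
    if not name or name in ('.', '..') or '/' in name or '\\' in name:
        raise UnsafePath('outfilename must be a plain file name: %r' % name)
    return name


def resolve_inside(base_dir, relpath, follow_symlinks=False):
    """Join relpath onto base_dir and verify the result stays under base_dir.
    follow_symlinks=False rejects any symlink on the path (the advisory's
    'disable follow_symlinks' behaviour); True follows links but the resolved
    target must still lie under the real base_dir."""
    if os.path.isabs(relpath):
        raise UnsafePath('absolute path not allowed: %r' % relpath)
    parts = [p for p in relpath.split('/') if p]
    if '..' in parts:
        raise UnsafePath('parent directory reference not allowed: %r' % relpath)
    base = os.path.realpath(base_dir)
    current = base
    for part in parts:  # check every prefix, not only the final component
        current = os.path.join(current, part)
        if not follow_symlinks and os.path.islink(current):
            raise UnsafePath('symlink on path not allowed: %r' % current)
    real = os.path.realpath(current)
    if os.path.commonpath([base, real]) != base:
        raise UnsafePath('%r resolves outside %r' % (relpath, base))
    return real


def demo(follow_symlinks=False):
    """Constructed layout (assumption, not from the advisory): pkg/ contains a
    symlink 'escape' to a sibling directory outside the package. Returns
    {candidate parameter: accepted} for a few typical inputs."""
    root = tempfile.mkdtemp()
    pkg, outside = os.path.join(root, 'pkg'), os.path.join(root, 'outside')
    os.mkdir(pkg)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(pkg, 'escape'))
    verdict = {}
    for p in ('src/file.txt', '../outside/x', 'escape/x', '/etc/passwd'):
        try:
            resolve_inside(pkg, p, follow_symlinks)
            verdict[p] = True
        except UnsafePath:
            verdict[p] = False
    return verdict
```

With links followed, the 'escape/x' case is still rejected because its real path falls outside the real package directory; with links not followed it is rejected earlier, at the symlink itself.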