http://bugzilla.suse.com/show_bug.cgi?id=1122683

Bug ID: 1122683
Summary: osc: deprecate insecure APIs
Classification: Internal Novell Products
Product: openSUSE Build Service
Version: master
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: osc
Assignee: adrian@suse.com
Reporter: malte.kraus@suse.com
QA Contact: adrian@suse.com
Found By: ---
Blocker: ---
From bnc#1119444:
The OSC client has some vulnerable code in it that it doesn't use itself but provides as a library to plugins. In one case there's even a comment explicitly marking this as insecure, but the functions are not removed due to compatibility concerns. If not breaking backwards compatibility under any circumstances is that important, I recommend adding deprecation warnings (https://docs.python.org/2.6/library/warnings.html#temporarily-suppressing-wa...) to move plugins over to secure APIs.
Can you create a dedicated request for this?
Specifically, the 'unpack_srcrpm' function has such a warning as a comment. Also, 'Ar.saveTo' and 'CpioRead.copyin' can be made to store files in arbitrary locations if the archive they parse contains a filename starting with a "/".
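The two fixes the report asks for, shown together as an added example (this is not osc's code; the function names safe_target_path, extract_members, legacy_target_path and the constructed archive members are assumptions for illustration): a member-name check that refuses absolute names and ".." components before anything is written under the destination directory, and a DeprecationWarning wrapper of the kind the warnings module provides for a legacy helper that is kept for compatibility but must not be used by new plugins.

```python
"""Added example, not part of osc: safe archive extraction paths plus a
deprecation wrapper for a legacy helper that trusts member names blindly."""
import functools
import os
import posixpath
import tempfile
import warnings


def safe_target_path(dest_dir, member_name):
    """Return the absolute path under dest_dir where member_name may be written.

    Archive member names (ar, cpio) are POSIX paths. A name that starts with
    "/" or carries a ".." component is rejected, and the resolved target must
    still lie inside dest_dir (this also catches symlinks pointing outside).
    """
    if not member_name:
        raise ValueError("empty member name")
    if member_name.startswith("/"):
        raise ValueError("absolute member name rejected: %r" % member_name)
    parts = member_name.split("/")
    if ".." in parts:
        raise ValueError("parent-directory component rejected: %r" % member_name)
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("member escapes destination: %r" % member_name)
    return target


def is_safe_member_name(member_name):
    """Convenience predicate: would safe_target_path accept this name?"""
    try:
        safe_target_path(os.sep, member_name)
        return True
    except ValueError:
        return False


def extract_members(dest_dir, members):
    """Write (name, data) pairs under dest_dir, skipping unsafe names.

    Returns (written, rejected); written holds POSIX paths relative to dest_dir.
    """
    written, rejected = [], []
    dest_real = os.path.realpath(dest_dir)
    for name, data in members:
        try:
            target = safe_target_path(dest_real, name)
        except ValueError:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(os.path.relpath(target, dest_real).replace(os.sep, "/"))
    return written, rejected


def deprecated_insecure(replacement):
    """Decorator: emit a DeprecationWarning naming the secure replacement."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            warnings.warn(
                "%s() is insecure and deprecated; use %s() instead"
                % (func.__name__, replacement),
                DeprecationWarning, stacklevel=2)
            return func(*args, **kwargs)
        return wrapper
    return decorator


@deprecated_insecure("safe_target_path")
def legacy_target_path(dest_dir, member_name):
    """Kept for compatibility only: posixpath.join discards dest_dir entirely
    when member_name is absolute, which is the defect the bug report describes."""
    return posixpath.join(dest_dir, member_name)


# Constructed sample archive members, including the two unsafe shapes.
CONSTRUCTED_MEMBERS = [
    ("docs/README", b"hello\n"),
    ("/etc/evil.conf", b"absolute name, must be rejected\n"),
    ("../outside.txt", b"traversal, must be rejected\n"),
    ("usr/./bin/tool", b"harmless '.' component, normalised\n"),
]


def demo():
    """Extract the constructed members into a temp dir and exercise the legacy helper."""
    dest = tempfile.mkdtemp(prefix="osc-example-")
    written, rejected = extract_members(dest, CONSTRUCTED_MEMBERS)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        legacy = legacy_target_path("/srv/dest", "/etc/evil.conf")
    return {
        "written": written,
        "rejected": rejected,
        "legacy_path": legacy,
        "deprecation_warnings": sum(
            1 for w in caught if issubclass(w.category, DeprecationWarning)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the safe extractor writing docs/README and usr/bin/tool while refusing the absolute and traversal names, and the legacy helper returning /etc/evil.conf for an absolute member name while emitting a DeprecationWarning that points plugin authors at the safe replacement.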