openSUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0329-1
Rating: important
References: #1076410 #1082696 #1105361 #1107507 #1107944
Cross-References: CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
Affected Products: openSUSE Backports SLE-15
______________________________________________________________________________
An update that solves three vulnerabilities and has two fixes is now available.
This update for obs-service-tar_scm fixes the following issues:
Security vulnerabilities addressed:
- CVE-2018-12473: Fixed a path traversal issue which allowed users to access files outside of the repository using relative paths (bsc#1105361)
- CVE-2018-12474: Fixed an issue whereby crafted service parameters allowed for unexpected behaviour (bsc#1107507)
- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed writing files outside of the package directory (bsc#1107944)
Other bug fixes and changes made:
- Prefer UTF-8 locale as output format for changes
- added KankuFile
- fix problems with unicode source files
- added python-six to Requires in specfile
- better encoding handling
- fixes bsc#1082696 and bsc#1076410
- fix unicode in containers
- move to python3
- added logging for better debugging changesgenerate
- raise exception if no changesauthor given
- Stop using @opensuse.org addresses to indicate a missing address
- move argparse dep to -common package
- allow submodule and ssl options in appimage
- sync spec file as used in openSUSE:Tools project
- check encoding problems for svn and print proper error msg
- added new param '--locale'
- separate service file installation in GNUmakefile
- added glibc as Recommends in spec file
- cleanup for broken svn caches
- another fix for unicode problem in obs_scm
- Final fix for unicode in filenames
- Another attempt to fix unicode filenames in prep_tree_for_archive
- Another attempt to fix unicode filenames in prep_tree_for_archive
- fix bug with unicode filenames in prep_tree_for_archive
- reuse _service*_servicedata/changes files from previous service runs
- fix problems with unicode characters in commit messages for changeloggenerate
- fix encoding issues if commit message contains utf8 char
- revert encoding for old changes file
- remove hardcoded utf-8 encodings
- Add support for extract globbing
- split pylint2 in GNUmakefile
- fix check for "--reproducible"
- create reproducible obscpio archives
- fix regression from 44b3bee
- Support also SSH urls for Git
- check name/version option in obsinfo for slashes
- check url for remote url
- check symlinks in subdir parameter
- check filename for slashes
- disable follow_symlinks in extract feature
- switch to obs_scm for this package
- run download_files in appimage and snapcraft case
- check --extract file path for parent dir
- Fix parameter descriptions
- changed os.removedirs -> shutil.rmtree
- Adding information regarding the *package-metadata* option for the *tar* service
  The tar service is highly useful in combination with the *obscpio* service. After the fix for the metadata for the latter one, it is important to inform the users of the *tar* service that metadata is kept only if the flag *package-metadata* is enabled. Add the flag to the .service file for mentioning that.
- Allow metadata packing for CPIO archives when desired
  As of now, metadata are always excluded from *obscpio* packages. This is because the *package-metadata* flag is ignored; this change (should) make *obscpio* aware of it.
- improve handling of corrupt git cache directories
- only do git stash save/pop if we have a non-empty working tree (#228)
- don't allow DEBUG_TAR_SCM to change behaviour (#240)
- add stub user docs in lieu of something proper (#238)
- Remove clone_dir if clone fails
- python-unittest2 is only required for the optional make check
- move python-unittest2 dep to test suite only part (submission by olh)
- Removing redundant pass statement
- missing import for logging functions.
- [backend] Adding http proxy support
- python-unittest2 is only required for the optional make check
- make installation of scm's optional
- add a lot more detail to README
- Git clone with --no-checkout in prepare_working_copy
- Refactor and simplify git prepare_working_copy
- Only use current dir if it actually looks like git (Fixes #202)
- reactivate test_obscpio_extract_d
- fix broken test create_archive
- fix broken tests for broken-links
- changed PREFIX in Gnumakefile to /usr
- new cli option --skip-cleanup
- fix for broken links
- fix reference to snapcraft YAML file
- fix docstring typo in TarSCM.scm.tar.fetch_upstream
- acknowledge deficiencies in dev docs
- wrap long lines in README
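The three CVEs above and the hardening entries in the changelog ("check filename for slashes", "check --extract file path for parent dir", "check symlinks in subdir parameter", "disable follow_symlinks in extract feature") all come down to one defensive rule: a user-supplied service parameter must never name a path outside the package directory. The following is an added illustration of such a containment check, not code from obs-service-tar_scm; the names check_no_slashes, resolve_inside and ServiceParameterError are hypothetical, and the scenario in demo() is constructed (a Linux filesystem with symlink support is assumed).

```python
import os
import tempfile


class ServiceParameterError(ValueError):
    """A service parameter would leave the package directory."""


def check_no_slashes(value, name):
    # A plain file name (e.g. outfilename, obsinfo name/version) may not
    # carry a path separator or be a bare directory reference.
    if not value or "/" in value or "\\" in value or value in (".", ".."):
        raise ServiceParameterError("%s must be a plain file name: %r" % (name, value))
    return value


def resolve_inside(base_dir, relative):
    # Reject absolute paths and any '..' component before touching the
    # filesystem, then compare realpaths so that a symlink planted in the
    # checkout cannot redirect the write outside base_dir.
    if os.path.isabs(relative):
        raise ServiceParameterError("absolute path not allowed: %r" % relative)
    if ".." in relative.replace("\\", "/").split("/"):
        raise ServiceParameterError("parent directory reference: %r" % relative)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise ServiceParameterError("%r resolves outside %r" % (relative, base_dir))
    return candidate


def demo():
    # Constructed scenario: a package dir with one file and a symlink that
    # points back to the parent directory. The values mimic what a crafted
    # _service file could pass as extract, outfilename or subdir parameters.
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "pkg")
        os.mkdir(pkg)
        open(os.path.join(pkg, "README"), "w").close()
        os.symlink(tmp, os.path.join(pkg, "escape"))
        for value in ("README", "sub/file.tar", "../secret",
                      "/etc/passwd", "escape/other"):
            try:
                resolve_inside(pkg, value)
                results[value] = "ok"
            except ServiceParameterError:
                results[value] = "rejected"
    return results
```

Running demo() accepts only the two paths that stay inside the package directory; the symlink case is the one a plain string check would miss.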
This update was imported from the SUSE:SLE-15:Update update project.
This update was imported from the openSUSE:Leap:15.0:Update update project.
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

  zypper in -t patch openSUSE-2019-329=1

- openSUSE Backports SLE-15 (noarch):

  obs-service-appimage-0.10.5.1551309990.79898c7-bp220.127.116.11
  obs-service-obs_scm-0.10.5.1551309990.79898c7-bp18.104.22.168
  obs-service-obs_scm-common-0.10.5.1551309990.79898c7-bp22.214.171.124
  obs-service-snapcraft-0.10.5.1551309990.79898c7-bp126.96.36.199
  obs-service-tar-0.10.5.1551309990.79898c7-bp188.8.131.52
  obs-service-tar_scm-0.10.5.1551309990.79898c7-bp184.108.40.206

https://www.suse.com/security/cve/CVE-2018-12473.html
https://www.suse.com/security/cve/CVE-2018-12474.html
https://www.suse.com/security/cve/CVE-2018-12476.html
https://bugzilla.suse.com/1076410
https://bugzilla.suse.com/1082696
https://bugzilla.suse.com/1105361
https://bugzilla.suse.com/1107507
https://bugzilla.suse.com/1107944