openSUSE Security Update : obs-service-tar_scm (openSUSE-2019-326)

critical Nessus Plugin ID 122848

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for obs-service-tar_scm fixes the following issues :

Security vulnerabilities addressed :

- CVE-2018-12473: Fixed a path traversal issue, which allowed users to access files outside of the repository using relative paths (bsc#1105361)

- CVE-2018-12474: Fixed an issue whereby crafted service parameters allowed for unexpected behaviour (bsc#1107507)

- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed to write files outside of package directory (bsc#1107944)

Other bug fixes and changes made :

- Prefer UTF-8 locale as output format for changes

- added KankuFile

- fix problems with unicode source files

- added python-six to Requires in specfile

- better encoding handling

- fixes bsc#1082696 and bsc#1076410

- fix unicode in containers

- move to python3

- added logging for better debugging changesgenerate

- raise exception if no changesauthor given

- Stop using @opensuse.org addresses to indicate a missing address

- move argparse dep to -common package

- allow submodule and ssl options in appimage

- sync spec file as used in openSUSE:Tools project

- check encoding problems for svn and print proper error msg

- added new param '--locale'

- separate service file installation in GNUmakefile

- added glibc as Recommends in spec file

- cleanup for broken svn caches

- another fix for unicode problem in obs_scm

- Final fix for unicode in filenames

- Another attempt to fix unicode filenames in prep_tree_for_archive

- Another attempt to fix unicode filenames in prep_tree_for_archive

- fix bug with unicode filenames in prep_tree_for_archive

- reuse _service*_servicedata/changes files from previous service runs

- fix problems with unicode characters in commit messages for changeloggenerate

- fix encoding issues if commit message contains utf8 char

- revert encoding for old changes file

- remove hardcoded utf-8 encodings

- Add support for extract globbing

- split pylint2 in GNUmakefile

- fix check for '--reproducible'

- create reproducible obscpio archives

- fix regression from 44b3bee

- Support also SSH urls for Git

- check name/version option in obsinfo for slashes

- check url for remote url

- check symlinks in subdir parameter

- check filename for slashes

- disable follow_symlinks in extract feature

- switch to obs_scm for this package

- run download_files in appimage and snapcraft case

- check --extract file path for parent dir

- Fix parameter descriptions

- changed os.removedirs -> shutil.rmtree

- Adding information regarding the *package-metadata* option for the *tar* service The tar service is highly useful in combination with the *obscpio* service. After the fix for the metadata for the latter one, it is important to inform the users of the *tar* service that metadata is kept only if the flag *package-metadata* is enabled. Add the flag to the .service file for mentioning that.

- Allow metadata packing for CPIO archives when desired As of now, metadata are always excluded from *obscpio* packages. This is because the *package-metadata* flag is ignored; this change (should) make *obscpio* aware of it.

- improve handling of corrupt git cache directories

- only do git stash save/pop if we have a non-empty working tree (#228)

- don't allow DEBUG_TAR_SCM to change behaviour (#240)

- add stub user docs in lieu of something proper (#238)

- Remove clone_dir if clone fails

- python-unittest2 is only required for the optional make check

- move python-unittest2 dep to test suite only part (submission by olh)

- Removing redundant pass statement

- missing import for logging functions.

- [backend] Adding http proxy support

- python-unittest2 is only required for the optional make check

- make installation of scm's optional

- add a lot more detail to README

- Git clone with --no-checkout in prepare_working_copy

- Refactor and simplify git prepare_working_copy

- Only use current dir if it actually looks like git (Fixes #202)

- reactivate test_obscpio_extract_d

- fix broken test create_archive

- fix broken tests for broken-links

- changed PREFIX in Gnumakefile to /usr

- new cli option --skip-cleanup

- fix for broken links

- fix reference to snapcraft YAML file

- fix docstring typo in TarSCM.scm.tar.fetch_upstream

- acknowledge deficiencies in dev docs

- wrap long lines in README

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected obs-service-tar_scm packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1076410

https://bugzilla.opensuse.org/show_bug.cgi?id=1082696

https://bugzilla.opensuse.org/show_bug.cgi?id=1105361

https://bugzilla.opensuse.org/show_bug.cgi?id=1107507

https://bugzilla.opensuse.org/show_bug.cgi?id=1107944

Plugin Details

Severity: Critical

ID: 122848

File Name: openSUSE-2019-326.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/14/2019

Updated: 6/13/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-12474

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:15.0, p-cpe:/a:novell:opensuse:obs-service-appimage, p-cpe:/a:novell:opensuse:obs-service-tar_scm, p-cpe:/a:novell:opensuse:obs-service-obs_scm, p-cpe:/a:novell:opensuse:obs-service-obs_scm-common, p-cpe:/a:novell:opensuse:obs-service-tar, p-cpe:/a:novell:opensuse:obs-service-snapcraft

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2019

Vulnerability Publication Date: 10/2/2018

Reference Information

CVE: CVE-2018-12473, CVE-2018-12474, CVE-2018-12476