SUSE-SU-2019:0540-1: important: Security update for obs-service-tar_scm

sle-security-updates at lists.suse.com
Mon Mar 4 13:55:26 MST 2019


   SUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0540-1
Rating:             important
References:         #1076410 #1082696 #1105361 #1107507 #1107944

Cross-References:   CVE-2018-12473 CVE-2018-12474 CVE-2018-12476

Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

   An update that solves three vulnerabilities and has two
   fixes is now available.

Description:

   This update for obs-service-tar_scm fixes the following issues:

   Security vulnerabilities addressed:

   - CVE-2018-12473: Fixed a path traversal issue, which allowed users to
     access files outside of the repository using relative paths (bsc#1105361)
   - CVE-2018-12474: Fixed an issue whereby crafted service parameters
     allowed for unexpected behaviour (bsc#1107507)
   - CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
     writing files outside of the package directory (bsc#1107944)
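   The three fixes above all come down to the same defensive check: a
   caller-supplied name or relative path must never resolve to something
   outside the directory the service is allowed to touch. The following is an
   added illustration of that check, written for this advisory and not taken
   from the obs-service-tar_scm sources; the function names
   (is_safe_filename, resolve_inside, demo), the PathEscape exception and the
   constructed temporary directory layout are assumptions made here. It
   rejects separators in a bare file name (the outfilename case), rejects
   parent-directory components and absolute paths before touching the
   filesystem, and resolves symlinks so that a link inside the repository
   pointing outside it is refused rather than followed.

```python
"""Path-containment checks of the kind described by the tar_scm fixes.

Added example, not obs-service-tar_scm code. The names is_safe_filename,
resolve_inside, PathEscape and demo, and the directory layout built in
demo(), are assumptions made for illustration.
"""
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a caller-supplied path would leave the allowed directory."""


def is_safe_filename(name):
    """Accept only a bare file name: no separators, no '.', '..' or NUL.

    This is the shape of check that keeps an outfilename-style parameter
    from naming anything outside the package directory.
    """
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    return True


def resolve_inside(base_dir, relative):
    """Return the real path of base_dir/relative, or raise PathEscape.

    - absolute paths and any '..' component are refused before any
      filesystem access;
    - realpath() resolves symlinks, so a link inside base_dir that points
      outside it is caught rather than followed;
    - the containment test appends os.sep so that /repo does not match a
      sibling such as /repo-other.
    """
    if os.path.isabs(relative):
        raise PathEscape("absolute path not allowed: %r" % relative)
    parts = relative.replace("\\", "/").split("/")
    if any(p == ".." for p in parts):
        raise PathEscape("parent directory reference in %r" % relative)
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, relative))
    if target != base_real and not target.startswith(base_real + os.sep):
        raise PathEscape("%r resolves outside %r" % (relative, base_dir))
    return target


def demo():
    """Build a constructed repo layout and exercise both checks.

    Returns a dict of outcomes so the behaviour can be checked by a caller.
    """
    root = tempfile.mkdtemp(prefix="tar_scm_demo_")   # constructed sandbox
    repo = os.path.join(root, "repo")                   # the allowed directory
    outside = os.path.join(root, "elsewhere")           # must stay unreachable
    os.makedirs(repo)
    os.makedirs(outside)
    with open(os.path.join(repo, "README"), "w") as fh:
        fh.write("constructed sample file\n")
    # A symlink inside the repository that points at a directory outside it.
    os.symlink(outside, os.path.join(repo, "escape"))

    results = {}
    results["plain_file"] = resolve_inside(repo, "README").endswith("README")
    for label, rel in (("dotdot", "../elsewhere/data.txt"),
                       ("absolute", "/absolute/data.txt"),
                       ("symlink", "escape/data.txt")):
        try:
            resolve_inside(repo, rel)
            results[label] = "allowed"
        except PathEscape:
            results[label] = "rejected"
    results["outfilename_ok"] = is_safe_filename("pkg-1.0.tar.gz")
    results["outfilename_bad"] = is_safe_filename("../../pkg.tar.gz")
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-16s %s" % (key, value))
```

   Running the block prints one line per case; the only path that is
   accepted is the plain file inside the repository. The symlink case is
   the one that a naive string check misses, which is why the realpath
   comparison matters in addition to rejecting ".." components.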

   Other bug fixes and changes made:

   - Prefer UTF-8 locale as output format for changes
   - added KankuFile
   - fix problems with unicode source files
   - added python-six to Requires in specfile
   - better encoding handling
   - fixes bsc#1082696 and bsc#1076410
   - fix unicode in containers
   - move to python3
   - added logging for better debugging changesgenerate
   - raise exception if no changesauthor given
   - Stop using @opensuse.org addresses to indicate a missing address
   - move argparse dep to -common package
   - allow submodule and ssl options in appimage
   - sync spec file as used in openSUSE:Tools project
   - check encoding problems for svn and print proper error msg
   - added new param '--locale'
   - separate service file installation in GNUmakefile
   - added glibc as Recommends in spec file
   - cleanup for broken svn caches
   - another fix for unicode problem in obs_scm
   - Final fix for unicode in filenames
   - Another attempt to fix unicode filenames in prep_tree_for_archive
   - Another attempt to fix unicode filenames in prep_tree_for_archive
   - fix bug with unicode filenames in prep_tree_for_archive
   - reuse _service*_servicedata/changes files from previous service runs
   - fix problems with unicode characters in commit messages for
     changeloggenerate
   - fix encoding issues if commit message contains utf8 char
   - revert encoding for old changes file
   - remove hardcoded utf-8 encodings
   - Add support for extract globbing
   - split pylint2 in GNUmakefile
   - fix check for "--reproducible"
   - create reproducible obscpio archives
   - fix regression from 44b3bee
   - Support also SSH urls for Git
   - check name/version option in obsinfo for slashes
   - check url for remote url
   - check symlinks in subdir parameter
   - check filename for slashes
   - disable follow_symlinks in extract feature
   - switch to obs_scm for this package
   - run download_files in appimage and snapcraft case
   - check --extract file path for parent dir
   - Fix parameter descriptions
   - changed os.removedirs -> shutil.rmtree
   - Adding information regarding the *package-metadata* option for the *tar*
     service. The tar service is highly useful in combination with the
     *obscpio* service. After the fix for the metadata for the latter one, it
     is important to inform the users of the *tar* service that metadata is
     kept only if the flag *package-metadata* is enabled. Add the flag to the
     .service file for mentioning that.
   - Allow metadata packing for CPIO archives when desired. As of now,
     metadata are always excluded from *obscpio* packages. This is because
     the *package-metadata* flag is ignored; this change (should) make
     *obscpio* aware of it.
   - improve handling of corrupt git cache directories
   - only do git stash save/pop if we have a non-empty working tree (#228)
   - don't allow DEBUG_TAR_SCM to change behaviour (#240)
   - add stub user docs in lieu of something proper (#238)
   - Remove clone_dir if clone fails
   - python-unittest2 is only required for the optional make check
   - move python-unittest2 dep to test suite only part (submission by olh)
   - Removing redundant pass statement
   - missing import for logging functions.
   - [backend] Adding http proxy support
   - python-unittest2 is only required for the optional make check
   - make installation of scm's optional
   - add a lot more detail to README
   - Git clone with --no-checkout in prepare_working_copy
   - Refactor and simplify git prepare_working_copy
   - Only use current dir if it actually looks like git (Fixes #202)
   - reactivate test_obscpio_extract_d
   - fix broken test create_archive
   - fix broken tests for broken-links
   - changed PREFIX in Gnumakefile to /usr
   - new cli option --skip-cleanup
   - fix for broken links
   - fix reference to snapcraft YAML file
   - fix docstring typo in TarSCM.scm.tar.fetch_upstream
   - acknowledge deficiencies in dev docs
   - wrap long lines in README


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-540=1



Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      obs-service-appimage-0.10.5.1551309990.79898c7-3.3.1
      obs-service-obs_scm-0.10.5.1551309990.79898c7-3.3.1
      obs-service-obs_scm-common-0.10.5.1551309990.79898c7-3.3.1
      obs-service-snapcraft-0.10.5.1551309990.79898c7-3.3.1
      obs-service-tar-0.10.5.1551309990.79898c7-3.3.1
      obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1


References:

   https://www.suse.com/security/cve/CVE-2018-12473.html
   https://www.suse.com/security/cve/CVE-2018-12474.html
   https://www.suse.com/security/cve/CVE-2018-12476.html
   https://bugzilla.suse.com/1076410
   https://bugzilla.suse.com/1082696
   https://bugzilla.suse.com/1105361
   https://bugzilla.suse.com/1107507
   https://bugzilla.suse.com/1107944
