SUSE-SU-2019:0540-1: important: Security update for obs-service-tar_scm
sle-security-updates at lists.suse.com
Mon Mar 4 13:55:26 MST 2019
SUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:0540-1
Rating: important
References: #1076410 #1082696 #1105361 #1107507 #1107944
Cross-References: CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________
An update that solves three vulnerabilities and has two fixes is now available.
Description:
This update for obs-service-tar_scm fixes the following issues:
Security vulnerabilities addressed:
- CVE-2018-12473: Fixed a path traversal issue, which allowed users to
access files outside of the repository using relative paths (bsc#1105361)
- CVE-2018-12474: Fixed an issue whereby crafted service parameters
allowed for unexpected behaviour (bsc#1107507)
- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
writing files outside of the package directory (bsc#1107944)
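The three CVEs above, together with the changelog entries "check filename for slashes", "check --extract file path for parent dir", "check symlinks in subdir parameter" and "disable follow_symlinks in extract feature", all describe one defect class: a user-supplied name or relative path that is joined onto the package directory without checking where it ends up. The following is an added example, not code from obs-service-tar_scm, showing the two checks a service of this kind needs: a bare file name must contain no path separator, and any relative path must still resolve inside the package directory after symlinks are followed. All function names (`filename_ok`, `resolve_inside`, `escapes`, `demo`) and the temporary package tree are constructed for this illustration.

```python
"""Path-containment checks of the kind the obs-service-tar_scm fixes describe.

Added example, not the project's own code. It shows how a service that
accepts user-controlled names (an outfilename, a subdir, an --extract path)
can refuse anything that would land outside the package directory.
"""
import os
import tempfile
from pathlib import Path


def check_filename(name: str) -> str:
    """Accept only a bare file name: no separators, no '.' or '..'.

    This is the check for values such as outfilename, which must name a
    file directly inside the package directory and nothing else.
    """
    if not name or name in (".", ".."):
        raise ValueError(f"invalid file name: {name!r}")
    separators = {"/", os.sep} | ({os.altsep} if os.altsep else set())
    if any(sep in name for sep in separators):
        raise ValueError(f"file name must not contain a path separator: {name!r}")
    return name


def filename_ok(name: str) -> bool:
    """Boolean wrapper around check_filename for callers that only need yes/no."""
    try:
        check_filename(name)
    except ValueError:
        return False
    return True


def resolve_inside(base, relative: str) -> Path:
    """Return the real path of base/relative, or raise if it leaves base.

    Both sides are resolved before the containment test, so '..' components,
    absolute paths, and symlinks inside the tree that point outside it are
    all rejected (the advisory's "disable follow_symlinks in extract feature"
    entry addresses the symlink case).
    """
    base_real = Path(base).resolve()
    target = (base_real / relative).resolve()
    if target != base_real and base_real not in target.parents:
        raise ValueError(f"{relative!r} resolves outside {str(base)!r}")
    return target


def escapes(base, relative: str) -> bool:
    """True if `relative` would escape `base` under resolve_inside."""
    try:
        resolve_inside(base, relative)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a constructed package tree in a temp dir and exercise the checks.

    Layout (constructed for this example):
        <tmp>/pkg            the package directory
        <tmp>/outside        a directory that must stay unreachable
        <tmp>/pkg/escape ->  symlink to <tmp>/outside
    """
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp, "pkg")
        outside = Path(tmp, "outside")
        pkg.mkdir()
        outside.mkdir()
        (pkg / "escape").symlink_to(outside)  # constructed: a link out of the tree
        return {
            "plain": escapes(pkg, "sources.tar"),            # inside, allowed
            "nested": escapes(pkg, "sub/../sources.tar"),    # normalises to inside
            "dotdot": escapes(pkg, "../outside/sources.tar"),  # parent-dir escape
            "absolute": escapes(pkg, "/etc/passwd"),         # absolute path escape
            "symlink": escapes(pkg, "escape/sources.tar"),   # symlink escape
        }


if __name__ == "__main__":
    for case, escaped in demo().items():
        print(f"{case:9s} -> {'REJECTED' if escaped else 'allowed'}")
```

Resolving the base directory as well as the target matters on systems where the package directory itself lives behind a symlink (for example `/tmp` on macOS); comparing an unresolved base against a resolved target would reject every valid path.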
Other bug fixes and changes made:
- Prefer UTF-8 locale as output format for changes
- added KankuFile
- fix problems with unicode source files
- added python-six to Requires in specfile
- better encoding handling
- fixes bsc#1082696 and bsc#1076410
- fix unicode in containers
- move to python3
- added logging for better debugging changesgenerate
- raise exception if no changesauthor given
- Stop using @opensuse.org addresses to indicate a missing address
- move argparse dep to -common package
- allow submodule and ssl options in appimage
- sync spec file as used in openSUSE:Tools project
- check encoding problems for svn and print proper error msg
- added new param '--locale'
- separate service file installation in GNUmakefile
- added glibc as Recommends in spec file
- cleanup for broken svn caches
- another fix for unicode problem in obs_scm
- Final fix for unicode in filenames
- Another attempt to fix unicode filenames in prep_tree_for_archive
- fix bug with unicode filenames in prep_tree_for_archive
- reuse _service*_servicedata/changes files from previous service runs
- fix problems with unicode characters in commit messages for
changeloggenerate
- fix encoding issues if commit message contains utf8 char
- revert encoding for old changes file
- remove hardcoded utf-8 encodings
- Add support for extract globbing
- split pylint2 in GNUmakefile
- fix check for "--reproducible"
- create reproducible obscpio archives
- fix regression from 44b3bee
- Support also SSH urls for Git
- check name/version option in obsinfo for slashes
- check url for remote url
- check symlinks in subdir parameter
- check filename for slashes
- disable follow_symlinks in extract feature
- switch to obs_scm for this package
- run download_files in appimage and snapcraft case
- check --extract file path for parent dir
- Fix parameter descriptions
- changed os.removedirs -> shutil.rmtree
- Adding information regarding the *package-metadata* option for the *tar*
service. The tar service is highly useful in combination with the
*obscpio* service. After the fix for the metadata for the latter one, it
is important to inform the users of the *tar* service that metadata is
kept only if the flag *package-metadata* is enabled. Add the flag to the
.service file for mentioning that.
- Allow metadata packing for CPIO archives when desired. As of now,
metadata are always excluded from *obscpio* packages. This is because
the *package-metadata* flag is ignored; this change (should) make
*obscpio* aware of it.
- improve handling of corrupt git cache directories
- only do git stash save/pop if we have a non-empty working tree (#228)
- don't allow DEBUG_TAR_SCM to change behaviour (#240)
- add stub user docs in lieu of something proper (#238)
- Remove clone_dir if clone fails
- python-unittest2 is only required for the optional make check
- move python-unittest2 dep to test suite only part (submission by olh)
- Removing redundant pass statement
- missing import for logging functions.
- [backend] Adding http proxy support
- make installation of scm's optional
- add a lot more detail to README
- Git clone with --no-checkout in prepare_working_copy
- Refactor and simplify git prepare_working_copy
- Only use current dir if it actually looks like git (Fixes #202)
- reactivate test_obscpio_extract_d
- fix broken test create_archive
- fix broken tests for broken-links
- changed PREFIX in Gnumakefile to /usr
- new cli option --skip-cleanup
- fix for broken links
- fix reference to snapcraft YAML file
- fix docstring typo in TarSCM.scm.tar.fetch_upstream
- acknowledge deficiencies in dev docs
- wrap long lines in README
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-540=1
Package List:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
obs-service-appimage-0.10.5.1551309990.79898c7-3.3.1
obs-service-obs_scm-0.10.5.1551309990.79898c7-3.3.1
obs-service-obs_scm-common-0.10.5.1551309990.79898c7-3.3.1
obs-service-snapcraft-0.10.5.1551309990.79898c7-3.3.1
obs-service-tar-0.10.5.1551309990.79898c7-3.3.1
obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1
References:
https://www.suse.com/security/cve/CVE-2018-12473.html
https://www.suse.com/security/cve/CVE-2018-12474.html
https://www.suse.com/security/cve/CVE-2018-12476.html
https://bugzilla.suse.com/1076410
https://bugzilla.suse.com/1082696
https://bugzilla.suse.com/1105361
https://bugzilla.suse.com/1107507
https://bugzilla.suse.com/1107944