<div class="container">
<h1>Security update for osc</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:2961-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1122683">bsc#1122683</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1212476">bsc#1212476</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218170">bsc#1218170</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221340">bsc#1221340</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1225911">bsc#1225911</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-22034.html">CVE-2024-22034</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-22034</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP5</li>
<li class="list-group-item">Development Tools Module 15-SP6</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and has four security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for osc fixes the following issues:</p>
<ul>
<li>1.9.0</li>
<li>Security:<ul>
<li>Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911)
Source files are now stored in the 'sources' subdirectory which prevents
name collisons. This requires changing version of '.osc' store to 2.0.</li>
</ul>
</li>
<li>Command-line:<ul>
<li>Introduce build --checks parameter</li>
</ul>
</li>
<li>
<p>Library:</p>
<ul>
<li>OscConfigParser: Remove automatic <strong>name</strong> option</li>
</ul>
</li>
<li>
<p>1.8.3</p>
</li>
<li>Command-line:<ul>
<li>Change 'repairwc' command to always run all repair steps</li>
</ul>
</li>
<li>
<p>Library:</p>
<ul>
<li>Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional</li>
<li>Fix colorize() to avoid wrapping empty string into color escape sequences</li>
<li>Provide default values for kwargs.get/pop in get_results() function</li>
</ul>
</li>
<li>
<p>1.8.2</p>
</li>
<li>
<p>Library:</p>
<ul>
<li>Change 'repairwc' command to fix missing .osc/_osclib_version</li>
<li>Make error message in check_store_version() more generic to work for both projects and packages</li>
<li>Fix check_store_version in project store</li>
</ul>
</li>
<li>
<p>1.8.1</p>
</li>
<li>
<p>Command-line:</p>
<ul>
<li>Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option</li>
</ul>
</li>
<li>
<p>1.8.0</p>
</li>
<li>Command-line:<ul>
<li>Improve 'submitrequest' command to inherit description from superseded request</li>
<li>Fix 'mv' command when renaming a file multiple times</li>
<li>Improve 'info' command to support projects</li>
<li>Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts</li>
<li>Add architecture filtering to 'release' command</li>
<li>Change 'results' command so the normal and multibuild packages have the same output</li>
<li>Change 'results' command to use csv writer instead of formatting csv as string</li>
<li>Add couple mutually exclusive options errors to 'results' command</li>
<li>Set a default value for 'results --format' only for the csv output</li>
<li>Add support for 'results --format' for the default text mode</li>
<li>Update help text for '--format' option in 'results' command</li>
<li>Add 'results --fail-on-error/-F' flag</li>
<li>Redirect venv warnings from stderr to debug output</li>
</ul>
</li>
<li>Configuration:<ul>
<li>Fix config parser to throw an exception on duplicate sections or options</li>
<li>Modify conf.get_config() to print permissions warning to stderr rather than stdout</li>
</ul>
</li>
<li>Library:<ul>
<li>Run check_store_version() in obs_scm.Store and fix related code in Project and Package</li>
<li>Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)</li>
<li>Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)</li>
<li>Remove no longer valid warning from core.unpack_srcrpm()</li>
<li>Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional</li>
<li>Fix return value in build build.create_build_descr_data()</li>
<li>Fix core.get_package_results() to obey 'multibuild_packages' argument</li>
</ul>
</li>
<li>
<p>Tests:</p>
<ul>
<li>Fix tests so they don't modify fixtures</li>
</ul>
</li>
<li>
<p>1.7.0</p>
</li>
<li>Command-line:<ul>
<li>Add 'person search' command</li>
<li>Add 'person register' command</li>
<li>Add '-M/--multibuild-package' option to '[what]dependson' commands</li>
<li>Update '-U/--user' option in 'maintainer' command to accept also an email address</li>
<li>Fix 'branch' command to allow using '--new-package' option on packages that do not exist</li>
<li>Fix 'buildinfo' command to include obs:cli_debug_packages by default</li>
<li>Fix 'buildinfo' command to send complete local build environment as the 'build' command does</li>
<li>Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments</li>
<li>Fix handling arguments in 'service remoterun prj/pac'</li>
<li>Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument</li>
<li>Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command</li>
<li>Fix crash when reading dst package meta in 'linkpac' command</li>
<li>Allow <code>osc rpmlint</code> to infer prj/pkg from CWD</li>
<li>Propagate exit code from the run() and do_() commandline methods</li>
<li>Give a hint where a scmsync git is hosted</li>
<li>Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec</li>
<li>Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data</li>
<li>Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)</li>
<li>Improve 'service' command by printing names of running services</li>
<li>Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified</li>
<li>Change 'build' command to pass '--jobs' option to 'build' tool only if 'build_jobs' > 0</li>
<li>Clarify 'list' command's help that that listing binaries doesn't contain md5 checksums</li>
<li>Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output</li>
<li>Allow setlinkrev to set a specific vrev</li>
<li>Document '--buildtool-opt=--noclean' example in 'build' command's help</li>
<li>Fix handling the default package argument on the command-line</li>
</ul>
</li>
<li>Configuration:<ul>
<li>Document loading configuration from env variables</li>
</ul>
</li>
<li>Connection:<ul>
<li>Don't retry on error 400</li>
<li>Remove now unused 'retry_on_400' http_request() option from XmlModel</li>
<li>Revert "Don't retry on 400 HTTP status code in core.server_diff()"</li>
<li>Revert "connection: Allow disabling retry on 400 HTTP status code"</li>
</ul>
</li>
<li>Authentication:<ul>
<li>Update SignatureAuthHandler to support specifying ssh key by its fingerprint</li>
<li>Use ssh key from ssh agent that contains comment 'obs=<apiurl-hostname>'</li>
<li>Use strings instead of bytes in SignatureAuthHandler</li>
<li>Cache password from SecretService to avoid spamming user with an accept dialog</li>
<li>Never ask for credentials when displaying help</li>
<li>Remove unused SignatureAuthHandler.get_fingerprint()</li>
</ul>
</li>
<li>Library:<ul>
<li>Add rootless build support for 'qemu' VM type</li>
<li>Support package linking of packages from scmsync projects</li>
<li>Fix do_createrequest() function to return None instead of request id</li>
<li>Replace invalid 'if' with 'elif' in BaseModel.dict()</li>
<li>Fix crash when no prefered packages are defined</li>
<li>Add XmlModel class that encapsulates manipulation with XML</li>
<li>Add obs_api.Person.cmd_register() for registering new users</li>
<li>Fix conf.get_config() to ignore file type bits when comparing oscrc perms</li>
<li>Fix conf.get_config() to correctly handle overrides when env variables are set</li>
<li>Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError</li>
<li>Improve cmdln.HelpFormatter to obey newline characters</li>
<li>Update list of color codes in 'output.tty' module</li>
<li>Remove core.setDevelProject() in favor of core.set_devel_project()</li>
<li>Move removing control characters to output.sanitize_text()</li>
<li>Improve sanitize_text() to keep selected CSI escape sequences</li>
<li>Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file</li>
<li>Fix output.safe_write() in connection with NamedTemporaryFile</li>
<li>Modernize output.run_pager()</li>
<li>Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument</li>
<li>Add XPathQuery class for translating keyword arguments to an xpath query</li>
<li>Add obs_api.Keyinfo class</li>
<li>Add obs_api.Package class</li>
<li>Add Package.get_revision_list() for listing commit log</li>
<li>Add obs_api.PackageSources class for handling OBS SCM sources</li>
<li>Add obs_api.Person class</li>
<li>Add obs_api.Project class</li>
<li>Add obs_api.Request class</li>
<li>Add obs_api.Token class</li>
<li>Allow storing apiurl in the XmlModel instances</li>
<li>Allow retrieving default field value from top-level model</li>
<li>Fix BaseModel to convert dictionaries to objects on retrieving a model list</li>
<li>Fix BaseModel to always deepcopy mutable defaults on first use</li>
<li>Implement do_snapshot() and has_changed() methods to determine changes in BaseModel</li>
<li>Implement total ordering on BaseModel</li>
<li>Add comments with available attributes/elements to edited XML</li>
</ul>
</li>
<li>Refactoring:<ul>
<li>Migrate repo {list,add,remove} commands to obs_api.Project</li>
<li>Migrate core.show_package_disabled_repos() to obs_api.Package</li>
<li>Migrate core.Package.update_package_meta() to obs_api.Package</li>
<li>Migrate core.get_repos_of_project() to obs_api.Project</li>
<li>Migrate core.get_repositories_of_project() to obs_api.Project</li>
<li>Migrate core.show_scmsync() to obs_api.{Package,Project}</li>
<li>Migrate core.set_devel_project() to obs_api.Package</li>
<li>Migrate core.show_devel_project() to obs_api.Package</li>
<li>Migrate Fetcher.run() to obs_api.Keyinfo</li>
<li>Migrate core.create_submit_request() to obs_api.Request</li>
<li>Migrate 'token' command to obs_api.Token</li>
<li>Migrate 'whois/user' command to obs_api.Person</li>
<li>Migrate 'signkey' command to obs_api.Keyinfo</li>
<li>Move print_msg() to the 'osc.output' module</li>
<li>Move run_pager() and get_default_pager() from 'core' to 'output' module</li>
<li>Move core.Package to obs_scm.Package</li>
<li>Move core.Project to obs_scm.Project</li>
<li>Move functions manipulating store from core to obs_scm.store</li>
<li>Move store.Store to obs_scm.Store</li>
<li>Move core.Linkinfo to obs_scm.Linkinfo</li>
<li>Move core.Serviceinfo to obs_scm.Serviceinfo</li>
<li>Move core.File to obs_scm.File</li>
<li>Merge _private.project.ProjectMeta into obs_api.Project</li>
</ul>
</li>
<li>
<p>Spec:</p>
<ul>
<li>Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)</li>
</ul>
</li>
<li>
<p>1.6.2</p>
</li>
<li>Command-line:<ul>
<li>Fix 'branch' command to allow using '--new-package' option on packages that do not exist</li>
<li>Fix 'buildinfo' command to include obs:cli_debug_packages by default</li>
<li>Fix 'buildinfo' command to send complete local build environment as the 'build' command does</li>
<li>Allow <code>osc rpmlint</code> to infer prj/pkg from CWD</li>
<li>Propagate exit code from the run() and do_() commandline methods</li>
<li>Give a hint where a scmsync git is hosted</li>
<li>Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec</li>
</ul>
</li>
<li>Authentication:<ul>
<li>Cache password from SecretService to avoid spamming user with an accept dialog</li>
<li>Never ask for credentials when displaying help</li>
</ul>
</li>
<li>
<p>Library:</p>
<ul>
<li>Support package linking of packages from scmsync projects</li>
<li>Fix do_createrequest() function to return None instead of request id</li>
<li>Replace invalid 'if' with 'elif' in BaseModel.dict()</li>
<li>Fix crash when no prefered packages are defined</li>
</ul>
</li>
<li>
<p>1.6.1</p>
</li>
<li>Command-line:<ul>
<li>Use busybox compatible commands for completion</li>
<li>Change 'wipe' command to use the new get_user_input() function</li>
<li>Fix error 500 in running 'meta attribute <prj>'</li>
</ul>
</li>
<li>Configuration:<ul>
<li>Fix resolving config symlink to the actual config file</li>
<li>Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars</li>
<li>Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists</li>
</ul>
</li>
<li>
<p>Library:</p>
<ul>
<li>Error out when branching a scmsync package</li>
<li>New get_user_input() function for consistent handling of user input</li>
<li>Move xml_indent, xml_quote and xml_unquote to osc.util.xml module</li>
<li>Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode()</li>
<li>Remove all path quoting, rely on makeurl()</li>
<li>Always use dict query in makeurl()</li>
<li>Fix core.slash_split() to strip both leading and trailing slashes</li>
</ul>
</li>
<li>
<p>1.6.0</p>
</li>
<li>Command-line:<ul>
<li>The 'token --trigger' command no longer sets '--operation=runservice' by default.</li>
<li>Change 'token --create' command to require '--operation'</li>
<li>Fix 'linkdiff' command error 400: prj/pac/md5 not in repository</li>
<li>Update 'build' command to support building 'productcompose' build type with updateinfo.xml data</li>
<li>Don't show meter in terminals that are not interactive</li>
<li>Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)</li>
</ul>
</li>
<li>Configuration:<ul>
<li>Implement reading credentials from environmental variables</li>
<li>Allow starting with an empty config if --configfile is either empty or points to /dev/null</li>
<li>Implement 'quiet' conf option</li>
<li>Password can be an empty string (commonly used with ssh auth)</li>
</ul>
</li>
<li>Connection:<ul>
<li>Allow -X HEAD on osc api requests as well</li>
</ul>
</li>
<li>Library:<ul>
<li>Fix credentials managers to consistently return Password</li>
<li>Fix Password.encode() on python < 3.8</li>
<li>Refactor 'meter' module, use config settings to pick the right class</li>
<li>Convert to using f-strings</li>
<li>Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options</li>
<li>Implement get_callback that allows modifying returned value to the Field class</li>
<li>Add support for List[BaseModel] type to Field class</li>
<li>Report class name when reporting an error during instantiating BaseModel object</li>
<li>Fix exporting an empty model field in BaseModel.dict()</li>
<li>Fix initializing a sub-model instance from a dictionary</li>
<li>Implement 'Enum' support in models</li>
<li>Fix Field.origin_type for Optional types</li>
<li>Drop unused 'exclude_unset' argument from BaseModel.dict() method</li>
<li>Store cached model defaults in self._defaults, avoid sharing references to mutable defaults</li>
<li>Limit model attributes to predefined fields by forbidding creating new attributes on fly</li>
<li>Store model values in self._values dict instead of private attributes</li>
</ul>
</li>
<li>Spec:<ul>
<li>Recommend openssh-clients for ssh-add that is required during ssh auth</li>
<li>Add 0%{?amzn} macro that wasn't usptreamed</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2024-2961=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-2961=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2024-2961=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2961=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2961=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>osc-1.9.0-150400.10.6.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (noarch)
<ul>
<li>osc-1.9.0-150400.10.6.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>osc-1.9.0-150400.10.6.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP5 (noarch)
<ul>
<li>osc-1.9.0-150400.10.6.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP6 (noarch)
<ul>
<li>osc-1.9.0-150400.10.6.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-22034.html">https://www.suse.com/security/cve/CVE-2024-22034.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1122683">https://bugzilla.suse.com/show_bug.cgi?id=1122683</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1212476">https://bugzilla.suse.com/show_bug.cgi?id=1212476</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218170">https://bugzilla.suse.com/show_bug.cgi?id=1218170</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221340">https://bugzilla.suse.com/show_bug.cgi?id=1221340</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1225911">https://bugzilla.suse.com/show_bug.cgi?id=1225911</a>
</li>
</ul>
</div>