openSUSE-SU-2019:0326-1: important: Security update for obs-service-tar_scm


openSUSE Security Update: Security update for obs-service-tar_scm
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0326-1
Rating: important
References: #1076410 #1082696 #1105361 #1107507 #1107944

Cross-References: CVE-2018-12473 CVE-2018-12474 CVE-2018-12476

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves three vulnerabilities and has two
fixes is now available.

Description:

This update for obs-service-tar_scm fixes the following issues:

Security vulnerabilities addressed:

- CVE-2018-12473: Fixed a path traversal issue, which allowed users to
access files outside of the repository using relative paths (bsc#1105361)
- CVE-2018-12474: Fixed an issue whereby crafted service parameters
allowed for unexpected behaviour (bsc#1107507)
- CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
writing files outside of the package directory (bsc#1107944)

Other bug fixes and changes made:

- Prefer UTF-8 locale as output format for changes
- added KankuFile
- fix problems with unicode source files
- added python-six to Requires in specfile
- better encoding handling
- fixes bsc#1082696 and bsc#1076410
- fix unicode in containers
- move to python3
- added logging for better debugging changesgenerate
- raise exception if no changesauthor given
- Stop using @opensuse.org addresses to indicate a missing address
- move argparse dep to -common package
- allow submodule and ssl options in appimage
- sync spec file as used in openSUSE:Tools project
- check encoding problems for svn and print proper error msg
- added new param '--locale'
- separate service file installation in GNUmakefile
- added glibc as Recommends in spec file
- cleanup for broken svn caches
- another fix for unicode problem in obs_scm
- Final fix for unicode in filenames
- Another attempt to fix unicode filenames in prep_tree_for_archive
- Another attempt to fix unicode filenames in prep_tree_for_archive
- fix bug with unicode filenames in prep_tree_for_archive
- reuse _service*_servicedata/changes files from previous service runs
- fix problems with unicode characters in commit messages for
changeloggenerate
- fix encoding issues if commit message contains utf8 char
- revert encoding for old changes file
- remove hardcoded utf-8 encodings
- Add support for extract globbing
- split pylint2 in GNUmakefile
- fix check for "--reproducible"
- create reproducible obscpio archives
- fix regression from 44b3bee
- Support also SSH urls for Git
- check name/version option in obsinfo for slashes
- check url for remote url
- check symlinks in subdir parameter
- check filename for slashes
- disable follow_symlinks in extract feature
- switch to obs_scm for this package
- run download_files in appimage and snapcraft case
- check --extract file path for parent dir
- Fix parameter descriptions
- changed os.removedirs -> shutil.rmtree
- Adding information regarding the *package-metadata* option for the *tar*
service. The tar service is highly useful in combination with the
*obscpio* service. After the fix for the metadata for the latter one, it
is important to inform the users of the *tar* service that metadata is
kept only if the flag *package-metadata* is enabled. Add the flag to the
.service file for mentioning that.
- Allow metadata packing for CPIO archives when desired. As of now,
metadata are always excluded from *obscpio* packages. This is because
the *package-metadata* flag is ignored; this change (should) make
*obscpio* aware of it.
- improve handling of corrupt git cache directories
- only do git stash save/pop if we have a non-empty working tree (#228)
- don't allow DEBUG_TAR_SCM to change behaviour (#240)
- add stub user docs in lieu of something proper (#238)
- Remove clone_dir if clone fails
- python-unittest2 is only required for the optional make check
- move python-unittest2 dep to test suite only part (submission by olh)
- Removing redundant pass statement
- missing import for logging functions.
- [backend] Adding http proxy support
- python-unittest2 is only required for the optional make check
- make installation of scm's optional
- add a lot more detail to README
- Git clone with --no-checkout in prepare_working_copy
- Refactor and simplify git prepare_working_copy
- Only use current dir if it actually looks like git (Fixes #202)
- reactivate test_obscpio_extract_d
- fix broken test create_archive
- fix broken tests for broken-links
- changed PREFIX in Gnumakefile to /usr
- new cli option --skip-cleanup
- fix for broken links
- fix reference to snapcraft YAML file
- fix docstring typo in TarSCM.scm.tar.fetch_upstream
- acknowledge deficiencies in dev docs
- wrap long lines in README
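
The three CVEs above and the "check ... for slashes", "check symlinks in subdir
parameter", "disable follow_symlinks" and "check --extract file path for parent
dir" entries all address the same class of defect: a service parameter that
names a file or path is used without first confining it to the package
directory. The following Python is an added example written for this
advisory, not code from obs-service-tar_scm; the parameter names it mentions
(outfilename, subdir) are taken from the text above, but the functions,
the sample directory tree and the symlink it plants are constructed for the
demonstration. It shows the three independent checks a defender wants for
such a parameter: reject absolute input, reject any symlink component, and
require that the fully resolved path still lie under the resolved base
directory.

```python
"""Confinement checks for user-controlled path parameters (added example)."""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """A user-supplied parameter would reach outside the package directory."""


def check_plain_filename(name, what="filename"):
    """Require a bare file name, the rule a parameter like outfilename needs.

    Slashes, backslashes, NUL bytes and the special names '.' and '..' are
    rejected, so the value can only name an entry directly in the package dir.
    """
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise UnsafePathError("%s %r must be a plain file name" % (what, name))
    return name


def resolve_inside(base_dir, relative_path, allow_symlinks=False):
    """Return the real path of base_dir/relative_path, or raise if it escapes.

    Three independent checks: no absolute input, no symlink in any component
    (unless allow_symlinks), and the fully resolved path must still sit under
    the fully resolved base directory (so '..' cannot climb out either).
    """
    base = Path(base_dir).resolve()
    if os.path.isabs(relative_path):
        raise UnsafePathError("absolute path %r not allowed" % relative_path)
    if not allow_symlinks:
        # Inspect each component with lstat semantics before resolving, so a
        # symlink planted anywhere along the way is caught, not followed.
        current = base
        for part in Path(relative_path).parts:
            current = current / part
            if current.is_symlink():
                raise UnsafePathError("symlink %s in %r" % (current, relative_path))
    real = (base / relative_path).resolve()
    try:
        real.relative_to(base)
    except ValueError:
        raise UnsafePathError("%r resolves to %s, outside %s" % (relative_path, real, base))
    return str(real)


def is_plain_filename(name):
    """Boolean form of check_plain_filename."""
    try:
        check_plain_filename(name)
        return True
    except UnsafePathError:
        return False


def is_confined(base_dir, relative_path, allow_symlinks=False):
    """Boolean form of resolve_inside."""
    try:
        resolve_inside(base_dir, relative_path, allow_symlinks)
        return True
    except UnsafePathError:
        return False


def build_sample_tree():
    """Create a constructed package directory for the demo (not real OBS data)."""
    pkg = Path(tempfile.mkdtemp(prefix="pkg-"))
    (pkg / "src").mkdir()
    (pkg / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    # A symlink inside the package pointing at its parent directory, the
    # situation the "check symlinks in subdir parameter" fix guards against.
    (pkg / "escape").symlink_to(pkg.parent)
    return str(pkg)


def demo_results():
    """Run the checks against the sample tree; returns {label: accepted?}."""
    pkg = build_sample_tree()
    return {
        "inside": is_confined(pkg, "src/main.c"),
        "dotdot": is_confined(pkg, "src/../../etc/passwd"),
        "absolute": is_confined(pkg, "/etc/passwd"),
        "symlink": is_confined(pkg, "escape/anything"),
        "symlink_allowed": is_confined(pkg, "escape/anything", allow_symlinks=True),
        "outfilename_ok": is_plain_filename("pkg-1.0.tar.xz"),
        "outfilename_slash": is_plain_filename("../../x.tar"),
    }


if __name__ == "__main__":
    for label, accepted in demo_results().items():
        print("%-18s %s" % (label, "accepted" if accepted else "rejected"))
```

Note that the component-wise symlink check and the final relative_to check are
deliberately both present: with allow_symlinks=True the symlink walk is
skipped, yet "escape/anything" is still rejected because the resolved target
lies outside the resolved base. Comparing resolved paths on both sides also
keeps the check correct when the package directory itself lives under a
symlinked temp directory.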

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-326=1

Package List:

- openSUSE Leap 15.0 (noarch):

obs-service-appimage-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-obs_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-obs_scm-common-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-snapcraft-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-tar-0.10.5.1551309990.79898c7-lp150.2.3.1
obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1

References:

https://www.suse.com/security/cve/CVE-2018-12473.html
https://www.suse.com/security/cve/CVE-2018-12474.html
https://www.suse.com/security/cve/CVE-2018-12476.html
https://bugzilla.suse.com/1076410
https://bugzilla.suse.com/1082696
https://bugzilla.suse.com/1105361
https://bugzilla.suse.com/1107507
https://bugzilla.suse.com/1107944
