osc: CVE-2015-0778: osc _service file shell injection flaw

Related Vulnerabilities: CVE-2015-0778  

Debian Bug report logs - #780410

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 13 Mar 2015 15:06:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version osc/0.134.1-1

Fixed in versions osc/0.149.0-2, osc/0.134.1-2+deb7u1

Done: Michal Čihař <nijel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Michal Čihař <nijel@debian.org>:
Bug#780410; Package src:osc. (Fri, 13 Mar 2015 15:06:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Michal Čihař <nijel@debian.org>. (Fri, 13 Mar 2015 15:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: osc: CVE-2015-0778: osc _service file shell injection flaw
Date: Fri, 13 Mar 2015 16:02:50 +0100
Source: osc
Version: 0.134.1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for osc. Note that I have
chosen severity grave since it allows client side arbitrary command
execution via a crafted service file, but I don't know osc well
enough, so please adjust severity if you disagree.

CVE-2015-0778[0]:
shell command injection via crafted _service files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0778
[1] https://bugzilla.novell.com/show_bug.cgi?id=901643
[2] https://bugzilla.novell.com/attachment.cgi?id=626334

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from nijel@users.alioth.debian.org to control@bugs.debian.org. (Fri, 13 Mar 2015 15:36:11 GMT)


Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Fri, 13 Mar 2015 15:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Mar 2015 15:51:14 GMT)


Message #12 received at 780410-close@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: 780410-close@bugs.debian.org
Subject: Bug#780410: fixed in osc 0.149.0-2
Date: Fri, 13 Mar 2015 15:48:56 +0000
Source: osc
Source-Version: 0.149.0-2

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <nijel@debian.org> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 13 Mar 2015 16:32:15 +0100
Source: osc
Binary: osc
Architecture: source all
Version: 0.149.0-2
Distribution: unstable
Urgency: high
Maintainer: Michal Čihař <nijel@debian.org>
Changed-By: Michal Čihař <nijel@debian.org>
Description:
 osc        - OpenSUSE (buildsystem) commander
Closes: 769547 780410
Changes:
 osc (0.149.0-2) unstable; urgency=high
 .
   * Change default build-cmd to obs-build (Closes: #769547).
   * Recommend obs-build.
   * Fix shell injection (Closes: #780410, CVE-2015-0778).




Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Tue, 17 Mar 2015 22:21:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 17 Mar 2015 22:21:18 GMT)


Message #17 received at 780410-close@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: 780410-close@bugs.debian.org
Subject: Bug#780410: fixed in osc 0.134.1-2+deb7u1
Date: Tue, 17 Mar 2015 22:18:15 +0000
Source: osc
Source-Version: 0.134.1-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <nijel@debian.org> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Mar 2015 09:19:04 +0100
Source: osc
Binary: osc
Architecture: source all
Version: 0.134.1-2+deb7u1
Distribution: stable
Urgency: high
Maintainer: Michal Čihař <nijel@debian.org>
Changed-By: Michal Čihař <nijel@debian.org>
Description:
 osc        - OpenSUSE (buildsystem) commander
Closes: 780410
Changes:
 osc (0.134.1-2+deb7u1) stable; urgency=high
 .
   * Fix shell injection (Closes: #780410, CVE-2015-0778).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:30:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:19:54 2019; Machine Name: buxtehude
