Debian Bug report logs - #903797
open-build-service: CVE-2018-7689

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 14 Jul 2018 22:09:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version open-build-service/2.7.4-2

Fixed in version open-build-service/2.9.4-1

Done: Andrew Lee (李健秋) <ajqlee@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.suse.com/show_bug.cgi?id=1094819


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#903797; Package src:open-build-service. (Sat, 14 Jul 2018 22:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 14 Jul 2018 22:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: open-build-service: CVE-2018-7689
Date: Sun, 15 Jul 2018 00:07:44 +0200
Source: open-build-service
Version: 2.7.4-2
Severity: grave
Tags: security upstream
Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094819

Hi,

The following vulnerability was published for open-build-service.

CVE-2018-7689[0]:
| Lack of permission checks in the InitializeDevelPackage function in
| openSUSE Open Build Service before 2.9.3 allowed authenticated users
| to modify packages where they do not have write permissions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1094819

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
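What "lack of permission checks" means in practice, as an added illustration that is not Open Build Service code and does not reproduce its InitializeDevelPackage function: a toy package model with a hypothetical devel-package initialisation step, shown once without and once with the write-permission check on the package being modified. All class, method and project names here (User, Package, initialize_devel_package, openSUSE:Factory, home:mallory) are invented for the example, and the scenario data is constructed.

```ruby
# Added illustration (not Open Build Service code): a devel-package
# initialisation step that writes to a target package, first without and
# then with the authorisation check that CVE-2018-7689 describes as missing.
# All names below (User, Package, initialize_devel_package, ...) are invented
# for this example.

class NotAuthorized < StandardError; end

User = Struct.new(:login, :admin)

# A package knows its project, its maintainers and the "develpackage"
# it points to (the place where development of the package happens).
class Package
  attr_reader :project, :name, :maintainers
  attr_accessor :develpackage

  def initialize(project, name, maintainers)
    @project = project
    @name = name
    @maintainers = maintainers
    @develpackage = nil
  end

  # Write permission in this toy model: admins and listed maintainers.
  def writable_by?(user)
    user.admin || maintainers.include?(user.login)
  end

  def to_s
    "#{project}/#{name}"
  end
end

# Vulnerable variant: updates the target package's develpackage link
# without asking whether the caller may write to it. Any authenticated
# user can therefore redirect the link on a package they do not own.
def initialize_devel_package_unchecked(_user, target, devel)
  target.develpackage = devel
  target
end

# Hardened variant: check write permission on the package that is about
# to be modified before touching it, and refuse loudly otherwise.
def initialize_devel_package(user, target, devel)
  unless target.writable_by?(user)
    raise NotAuthorized, "#{user.login} may not modify #{target}"
  end
  target.develpackage = devel
  target
end

# Constructed scenario: "mallory" is authenticated but maintains nothing
# in the target project. Returns what each variant let her do.
def demo
  devel   = Package.new("home:mallory", "foo", ["mallory"])
  mallory = User.new("mallory", false)

  upstream = Package.new("openSUSE:Factory", "foo", ["alice"])
  hijacked = initialize_devel_package_unchecked(mallory, upstream, devel)
               .develpackage.to_s

  denied = begin
    initialize_devel_package(mallory,
                             Package.new("openSUSE:Factory", "foo", ["alice"]),
                             devel)
    false
  rescue NotAuthorized
    true
  end

  { hijacked: hijacked, denied: denied }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the hardened variant is where the check sits: on the object that is written, evaluated before any write, so a caller who can only read the target cannot retarget its development link. A real implementation would also need the same check on any other record the operation updates.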



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#903797; Package src:open-build-service. (Fri, 19 Oct 2018 09:57:04 GMT)


Acknowledgement sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 19 Oct 2018 09:57:04 GMT)


Message #10 received at 903797@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: Debian Bug Tracking System <903797@bugs.debian.org>
Subject: Re: open-build-service: CVE-2018-7689
Date: Fri, 19 Oct 2018 17:43:53 +0800
Source: open-build-service
Followup-For: Bug #903797


This seems only for the 2.9.x versions. Our current version of
open-build-service is 2.7.4.

Thanks,
-Andrew



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#903797; Package src:open-build-service. (Sat, 20 Oct 2018 12:03:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 20 Oct 2018 12:03:08 GMT)


Message #15 received at 903797@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andrew Lee <ajqlee@debian.org>, 903797@bugs.debian.org
Subject: Re: Bug#903797: open-build-service: CVE-2018-7689
Date: Sat, 20 Oct 2018 14:00:36 +0200
Hi Andrew,

On Fri, Oct 19, 2018 at 05:43:53PM +0800, Andrew Lee wrote:
> Source: open-build-service
> Followup-For: Bug #903797
> 
> 
> This seems only for the 2.9.x versions. Our current version of
> open-build-service is 2.7.4.

Can you shed some light on that? Why would the missing permission
checks not be relevant in the 2.7.4 version?

Thanks for your investigation!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#903797; Package src:open-build-service. (Sun, 21 Oct 2018 15:03:04 GMT)


Acknowledgement sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 21 Oct 2018 15:03:04 GMT)


Message #20 received at 903797@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: Debian Bug Tracking System <903797@bugs.debian.org>
Subject: Re: open-build-service: CVE-2018-7689
Date: Sun, 21 Oct 2018 23:00:57 +0800
Source: open-build-service
Followup-For: Bug #903797

I checked the 2.7 branch on upstream git. There was a merge for fixing
"Handle links properly when doing backend build operations". It does not
seem that upstream also applied the CVE-2018-7689 fix for 2.7.4.
    https://github.com/openSUSE/open-build-service/commits/2.7

Probably the best way to check this is to set up an OBS instance and
follow the exploit to do a test. It may also be useful to test whether we
have to backport the patch from 2.9 to 2.7.4.

Best regards,
-Andrew



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 24 Jan 2019 17:21:12 GMT)


Reply sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
You have taken responsibility. (Thu, 07 Feb 2019 09:36:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Feb 2019 09:36:11 GMT)


Message #27 received at 903797-close@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: 903797-close@bugs.debian.org
Subject: Bug#903797: fixed in open-build-service 2.9.4-1
Date: Thu, 07 Feb 2019 09:34:27 +0000
Source: open-build-service
Source-Version: 2.9.4-1

We believe that the bug you reported is fixed in the latest version of
open-build-service, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <ajqlee@debian.org> (supplier of updated open-build-service package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Feb 2019 16:51:58 +0800
Source: open-build-service
Binary: obs-api obs-productconverter obs-server obs-utils obs-worker
Architecture: source all
Version: 2.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Andrew Lee (李健秋) <ajqlee@debian.org>
Description:
 obs-api    - Open Build Service (API)
 obs-productconverter - Open Build Service (product definition utility)
 obs-server - Open Build Service (server component)
 obs-utils  - Open Build Service (utilities)
 obs-worker - Open Build Service (build host component)
Closes: 853161 903796 903797 911797 917427 918402
Changes:
 open-build-service (2.9.4-1) unstable; urgency=medium
 .
   [ Dan Nicholson ]
   * debian/control: Add Vcs-* links.
 .
   [ Andrew Lee (李健秋) ]
   * New upstream release version 2.9.4. Closes: #918402, #903797, #903796.
     Fixes: CVE-2018-12467, CVE-2018-7689, CVE-2018-7688.
   * Refreshed use-ruby2.5.patch.
   * Refresh gemfile-tweaks.patch. Dropped embedded gem.
   * Drop drop-test-and-development-depends.patch.
   * Drop drop-ruby-hoptoad-notifier.patch.
   * Drop rails-4-gem-assets.patch.
   * Refreshed FHS-path.patch.
   * Refreshed and rename to do-not-install-fillups-and-initscripts.patch.
   * Drop Rakefile-fix.patch.
   * Drop fix-privacy-breach-piwik.patch.
   * Refreshed jquery-ui.patch.
   * Refreshed Do-not-ship-database.yml.patch.
   * Drop localgem.patch.
   * Drop CVE-2017-5188.patch.
   * Drop fix-kiwitree-symlink.patch.
   * Drop handle-links-properly.patch.
   * Drop dist-Use-2.7-packages-for-testing.patch.
   * debian/control: build-deps on rails (>= 5.1.1).
   * Drop airbrake, airbrake-ruby and its related code.
   * Drop peek-dalli and peek-mysql2.
   * Adjust new build-deps.
   * Refresh gemfile-tweaks.patch.
   * Added do-not-run-rake-at-build-time.patch.
   * Added obsdeltastore.service file.
   * Install missing files.
 .
   [ Lucas Kanashiro ]
   * debian/copyright: remove symlink from listed files
   * Drop debian/missing-sources
   * Remove the debian/localgem directory
   * Do not depend or recommend obsolete packages
   * Build depends on python instead of python-dev
   * Improve the obs-api package description
   * Use dh_missing to list missing files
   * Update config files copied to /etc
   * Call dh_install even overriding it
   * Add jquery.js missing source
   * Add patch to not allow one to load external JS in runtime
   * Runtime depends on libjs-html5shiv
   * Do not use recursive chown
   * Fix the script's perl interpreter path
   * Make obs-api runtime depends on adduser
   * Add some basic autopkgtests
   * debian/obs-api.postinst: enable obs apache2 site config
   * Use deb-systemd-invoke instead of invoke-rc.d
   * d/obs-server.postrm: check if group exists before remove it
   * Do not move database.yml.example to /etc
 .
   [ Andrew Lee (李健秋) ]
   * No signd support by default in Debian OBS.
   * Adjust permissions for obs 2.9 rails app.
 .
   [ Lucas Kanashiro ]
   * Add another basic autopkgtest
   * Add my self to Uploaders
   * Add patch fixing CVE-2018-12479. Closes: #911797
   * Do not enable obsworker service when it is installed
   * Do not install empty directory in obs-server package
   * Do not install empty directory in obs-api package
   * Declare compliance with Debian Policy 4.3.0
   * Add Vcs-{Git,Browser} fields
 .
   [ Lucas Kanashiro ]
   * Update debian/changelog
   * debian/changelog: add missing entries
 .
   [ Andrew Lee (李健秋) ]
   * Refine changelog to have Dan Nicholson's change on top
 .
   [ Lucas Kanashiro ]
   * Remove duplicated VCS links
   * d/rake-tasks.sh: do not chown non existent file
   * d/patch/CVE-2018-12479.patch: use APIException
   * d/rake-tasks.sh: run ts:index task using production env
 .
   [ Andrew Lee (李健秋) ]
   * d/rake-tasks.sh: touch the file if it does not exist yet for the chown
     command.
   * Refreshed obsapidelayed init script changes from upstream.
   * Fix minor code style mistake in obsapidelayed init script.
   * Clean up mistake in refreshed obsapidelayed init script.
   * debian/control: obs-worker depends on tar. (Closes:#917427)
   * Added systemd obsapidelayed.service file.
   * Added systemd obsworker@.service file. (Closes:#853161)
   * debian/README.Debian: added how to run worker with systemd.
   * Added versioned depends on tar to avoid lintian error.
   * debian/obs-api.postinst: add a fallback hostname to make it installs
     in autopkgtest.
Checksums-Sha1:
 614260b03252ae49525a46c05f97a5d2fe6df243 3890 open-build-service_2.9.4-1.dsc
 f2e1fa26611f322181b91756ea7e4ce677fa6320 5204083 open-build-service_2.9.4.orig.tar.gz
 044713192d7547aee7b64f9bc294e706232d05da 98232 open-build-service_2.9.4-1.debian.tar.xz
 d1eb6ae42cb57a4897d3c900279aee475c0f1cb8 1626648 obs-api_2.9.4-1_all.deb
 5b61ee4e5ce6fcb13a3f9596a3e3486fb4c8f85a 23060 obs-productconverter_2.9.4-1_all.deb
 f633de7fea0d9fce591e5970c7ba83ebefe7e29f 396196 obs-server_2.9.4-1_all.deb
 22cf5fbcdd49c7bf4946b1d7c8279abcb8a4cac2 11148 obs-utils_2.9.4-1_all.deb
 2cd7ded2a5198c0935e0ef6b9aee65caad711a05 14528 obs-worker_2.9.4-1_all.deb
 37438041b4843ee26e1103d4c7f9d7178d83a989 14026 open-build-service_2.9.4-1_amd64.buildinfo
Checksums-Sha256:
 29b3c9667a94316a7663da3b4bac408e9f0f268bc5c061badae7e9ebc36f056f 3890 open-build-service_2.9.4-1.dsc
 e901da089b1d2844e632065e28d674ef0ca63db28eac2b3f6a12f6bcc3e3bca2 5204083 open-build-service_2.9.4.orig.tar.gz
 52af2becfac4fd967be0bf4e6bdf65bd89dca185364a9e9c68af8924e543bc0d 98232 open-build-service_2.9.4-1.debian.tar.xz
 8277ab4aa6a95281c7a0f8ea6a099e06eb10f00f283d86a92cbe4aacfb8f72e1 1626648 obs-api_2.9.4-1_all.deb
 9e85d34441fea4746cc7f43a873d88d3d6d903c7727c5dba45ae8cdeae483741 23060 obs-productconverter_2.9.4-1_all.deb
 7d03837d0126325f4f3615379820ef4146ae5305f8072abb1ebd84bf356d0d14 396196 obs-server_2.9.4-1_all.deb
 9028117b118d064347f3d61b20182bcd3e2e70c8a2708eff5d88bb079c96d2e6 11148 obs-utils_2.9.4-1_all.deb
 203b43256fecf08612b463b494028e343ec693ea80348a01692180b8c99aa985 14528 obs-worker_2.9.4-1_all.deb
 bad3d96ad291a3dd8d220f9853e34b4dbd4f00e79c8d4824cbf7df58f7213f3a 14026 open-build-service_2.9.4-1_amd64.buildinfo
Files:
 376be341458cf2be68d58a549890af08 3890 devel optional open-build-service_2.9.4-1.dsc
 46ff0129d8ea08b8577b4ad3222a7cb3 5204083 devel optional open-build-service_2.9.4.orig.tar.gz
 c4caa622798df4e298a01ced5190ed1a 98232 devel optional open-build-service_2.9.4-1.debian.tar.xz
 e56eb72dc9e0f0b1ac46932f898acaf0 1626648 devel optional obs-api_2.9.4-1_all.deb
 35d2bfd5044e8305b3bc24933986a60b 23060 devel optional obs-productconverter_2.9.4-1_all.deb
 13edd622ce121bdb5a93186a22194e37 396196 devel optional obs-server_2.9.4-1_all.deb
 0083462a406c1612108a0691f4fe7768 11148 devel optional obs-utils_2.9.4-1_all.deb
 f549ccdc5c81df842d39ce72a3f03ca0 14528 devel optional obs-worker_2.9.4-1_all.deb
 fe17d82d4f0da770254dbd8c4f6d15ab 14026 devel optional open-build-service_2.9.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Mar 2019 07:33:59 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:11 2019; Machine Name: buxtehude
