obs-build: CVE-2017-14804: Exploit extractbuild to write to files in the host system

Related Vulnerabilities: CVE-2017-14804  

Debian Bug report logs - #887306

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 14 Jan 2018 19:48:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version obs-build/20170201-1

Fixed in version obs-build/20180302-1

Done: Héctor Orón Martínez <zumbi@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.novell.com/show_bug.cgi?id=1069904



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887306; Package src:obs-build. (Sun, 14 Jan 2018 19:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Sun, 14 Jan 2018 19:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: obs-build: CVE-2017-14804: Exploit extractbuild to write to files in the host system
Date: Sun, 14 Jan 2018 20:44:07 +0100
Source: obs-build
Version: 20170201-1
Severity: grave
Tags: security upstream
Forwarded: https://bugzilla.novell.com/show_bug.cgi?id=1069904

Hi,

the following vulnerability was published for obs-build.

I noticed the SUSE entry while checking for another issue for osc, and
note I'm completely unfamiliar with obs-build, so if you think this
needs an update as well for stable and oldstable, contact team@s.d.o
for double checking. To be on the safe side, I chose severity grave.

CVE-2017-14804[0]:
build: Exploit extractbuild to write to files in the host system

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14804
[1] https://bugzilla.novell.com/show_bug.cgi?id=1069904

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 12 Feb 2018 17:37:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887306; Package src:obs-build. (Tue, 27 Feb 2018 16:03:06 GMT)


Acknowledgement sent to Héctor Orón Martínez <hector.oron@collabora.co.uk>:
Extra info received and forwarded to list. Copy sent to RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Tue, 27 Feb 2018 16:03:06 GMT)


Message #12 received at 887306@bugs.debian.org:

From: Héctor Orón Martínez <hector.oron@collabora.co.uk>
To: carnil@debian.org
Cc: 887306@bugs.debian.org
Subject: Re: obs-build: CVE-2017-14804: Exploit extractbuild to write to files in the host system
Date: Tue, 27 Feb 2018 16:55:11 +0100
Hello Salvatore,

  Since you are part of the security team, should the fix go in stable via
the security queue or a stable point update (pu)?

Regards

On Sun, 14 Jan 2018 20:44:07 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: obs-build
> Version: 20170201-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://bugzilla.novell.com/show_bug.cgi?id=1069904
> 
> Hi,
> 
> the following vulnerability was published for obs-build.
> 
> I noticed the SUSE entry while checking for another issue for osc, and
> note I'm completely unfamiliar with obs-build, so if you think this
> needs an update as well for stable and oldstable, contact team@s.d.o
> for double checking. To be on the safe side, chosen severity grave.
> 
> CVE-2017-14804[0]:
> build: Exploit extractbuild to write to files in the host system
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14804
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14804
> [1] https://bugzilla.novell.com/show_bug.cgi?id=1069904
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Héctor Orón Martínez

    Collabora Ltd
    The Platinum Building
    St John's Innovation Park, Cambridge
    CB4 0DS, United Kingdom
    Telephone: +44 (0)1223 362967
    Fax: +44 (0) 1223 351966

   ------------------------------------
   Visit Collabora on the Web at https://www.collabora.com/
   Follow Collabora on Twitter https://twitter.com/collabora
   ------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887306; Package src:obs-build. (Tue, 27 Feb 2018 19:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Tue, 27 Feb 2018 19:39:03 GMT)


Message #17 received at 887306@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Héctor Orón Martínez <hector.oron@collabora.co.uk>
Cc: 887306@bugs.debian.org, team@security.debian.org
Subject: Re: obs-build: CVE-2017-14804: Exploit extractbuild to write to files in the host system
Date: Tue, 27 Feb 2018 20:35:42 +0100
Hi Héctor

On Tue, Feb 27, 2018 at 04:55:11PM +0100, Héctor Orón Martínez wrote:
> Hello Salvatore,
> 
>   Since you are part of security team, should the fix go in stable via
> security queue or stable pu?

Thanks for pinging!

Please via a point release; we have classified it as 'no-dsa'.

Regards,
Salvatore

Reply sent to Héctor Orón Martínez <zumbi@debian.org>:
You have taken responsibility. (Mon, 05 Mar 2018 01:24:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Mar 2018 01:24:06 GMT)


Message #22 received at 887306-close@bugs.debian.org:

From: Héctor Orón Martínez <zumbi@debian.org>
To: 887306-close@bugs.debian.org
Subject: Bug#887306: fixed in obs-build 20180302-1
Date: Mon, 05 Mar 2018 01:20:28 +0000
Source: obs-build
Source-Version: 20180302-1

We believe that the bug you reported is fixed in the latest version of
obs-build, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Héctor Orón Martínez <zumbi@debian.org> (supplier of updated obs-build package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Mar 2018 01:40:32 +0100
Source: obs-build
Binary: obs-build
Architecture: source all
Version: 20180302-1
Distribution: unstable
Urgency: medium
Maintainer: RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>
Changed-By: Héctor Orón Martínez <zumbi@debian.org>
Description:
 obs-build  - scripts for building RPM/debian packages for multiple distributio
Closes: 887173 887306
Changes:
 obs-build (20180302-1) unstable; urgency=medium
 .
   * New upstream release
   * debian/patches: refresh and fix current builds
   * debian/patches: update
   * debian/control: bump standard version, replace priority
   * debian/control: add recommends and suggests (Closes: #887173)
     - add e2fsprogs as recommends and suggest btrfs and xfs tools.
   * Fixes CVE-2017-14804:
     - Exploit extractbuild to write to files in the host system
     (Closes: #887306)
   * debian/control: add python depend per openstack-console script.
   * debian/rules: fixup build-vm-openstack execution.
Checksums-Sha1:
 1db5d889872b62fc36a8d00790f0c8fc9c9dd7bb 1871 obs-build_20180302-1.dsc
 1273e3637580db135e5417c532c7aa019be0f1ba 296953 obs-build_20180302.orig.tar.gz
 9527d8bcf54177d887e168769761fb1c760e4c0f 5964 obs-build_20180302-1.debian.tar.xz
 ed1d9b85ab3594d527818352367149a9919cd180 166188 obs-build_20180302-1_all.deb
 90aed13a8b66f24419dc40509bd71317847c1823 5543 obs-build_20180302-1_amd64.buildinfo
Checksums-Sha256:
 9b998725a97e3d52e5078eaf27244ea8565b64ffba0d79970c59331f05959625 1871 obs-build_20180302-1.dsc
 00128c7b87f3a6595e3f9eb94e925fe077672cbfa5f5e11626b9da0be4993db2 296953 obs-build_20180302.orig.tar.gz
 949ff25816f39da4a746e4b0ae204cb81d6ddf8af8f0761e76c31428c6a2a434 5964 obs-build_20180302-1.debian.tar.xz
 0ba0cfb091bba7cb4bcd0418931f1b0903649394bada871ffb8709f2facbe440 166188 obs-build_20180302-1_all.deb
 621ccff1b5f7c1e6a6341f2cb755f1c41f77473507dcc2e3e2718f9885352c69 5543 obs-build_20180302-1_amd64.buildinfo
Files:
 0d202a46a614cbafb7b2a171c69f9725 1871 devel optional obs-build_20180302-1.dsc
 96aff5d20f09209902ff1943061eca8c 296953 devel optional obs-build_20180302.orig.tar.gz
 8031d58811650110df4a23aa8d6b273b 5964 devel optional obs-build_20180302-1.debian.tar.xz
 598aa807ce2accdbb5fff329bfc4e259 166188 devel optional obs-build_20180302-1_all.deb
 7bf08f33adc33ec42c62afd934958d32 5543 devel optional obs-build_20180302-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Apr 2018 07:25:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:53:28 2019; Machine Name: buxtehude
