Fixing security issues on OBS toolchain

Announcement ID:	SUSE-SU-2018:0065-1
Rating:	important
References:	bsc#1059858 bsc#1069904 bsc#796918 bsc#827480 bsc#891829 bsc#938556 bsc#967265 bsc#967610
Cross-References:	CVE-2016-4007 CVE-2017-14804 CVE-2017-9274
CVSS scores:	CVE-2016-4007 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-14804 ( SUSE ): 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2017-14804 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2017-9274 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-9274 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Software Development Kit 11 SP4

An update that solves three vulnerabilities and has five security fixes can now be installed.

Description:

This OBS toolchain update fixes the following issues:

Package 'build':

• CVE-2017-14804: Improve file name check extractbuild (bsc#1069904)
• Fixed Dockerfile repository parsing

Package 'obs-service-source_validator':

• CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556).
• CVE-2016-4007: Several maintained source services are vulnerable to code/paramter injection (bsc#967265)
• Update to version 0.7.
• Use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
• obs-service-source_validator: several occurrences of uninitialized value (bsc#967610)
• hack for util-linux specfiles (bnc#891829)
• fix dependency to gnupg2 for Fedora (bnc#827480)
• exit if tmpdir creation fails (bnc#796918)

Package 'osc':

• Update to version 0.162.0.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 11 SP4
  zypper in -t patch sdksp4-build-13404=1

Package List:

• SUSE Linux Enterprise Software Development Kit 11 SP4 (noarch)
  • build-20171128-8.3.3
• SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • osc-0.162.1-7.4.1

References:

• https://www.suse.com/security/cve/CVE-2016-4007.html
• https://www.suse.com/security/cve/CVE-2017-14804.html
• https://www.suse.com/security/cve/CVE-2017-9274.html
• https://bugzilla.suse.com/show_bug.cgi?id=1059858
• https://bugzilla.suse.com/show_bug.cgi?id=1069904
• https://bugzilla.suse.com/show_bug.cgi?id=796918
• https://bugzilla.suse.com/show_bug.cgi?id=827480
• https://bugzilla.suse.com/show_bug.cgi?id=891829
• https://bugzilla.suse.com/show_bug.cgi?id=938556
• https://bugzilla.suse.com/show_bug.cgi?id=967265
• https://bugzilla.suse.com/show_bug.cgi?id=967610