Security update for obs-service-tar_scm

SUSE Security Update: Security update for obs-service-tar_scm
Announcement ID: SUSE-SU-2019:0540-1
Rating: important
References: #1076410 #1082696 #1105361 #1107507 #1107944
Cross-References: CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
Affected Products:
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15

An update that solves three vulnerabilities and has two fixes is now available.

Description:

This update for obs-service-tar_scm fixes the following issues:
Security vulnerabilities addressed:

  • CVE-2018-12473: Fixed a path traversal issue, which allowed users to access files outside of the repository using relative paths (bsc#1105361)
  • CVE-2018-12474: Fixed an issue whereby crafted service parameters allowed for unexpected behaviour (bsc#1107507)
  • CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed writing files outside of the package directory (bsc#1107944)
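As an added illustration of the kind of input validation the path traversal fixes above call for (not code from obs-service-tar_scm or from this advisory): a hypothetical Python check that rejects service-supplied file names and relative paths that would leave the package directory, with check_filename, resolve_inside and demo as assumed names and a constructed temporary directory as input.

```python
import os
import tempfile
# Added example (not obs-service-tar_scm's own code): reject names and relative
# paths that would reach outside the package directory. Assumes POSIX paths.

def check_filename(name):
    # A plain output file name: no separators, no dot entries, no NUL byte.
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError("invalid file name: %r" % name)
    return name

def resolve_inside(base_dir, relpath, allow_symlinks=False):
    # Return the target for relpath only if it provably stays inside base_dir.
    if os.path.isabs(relpath):
        raise ValueError("absolute path not allowed: %r" % relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("parent directory component in: %r" % relpath)
    base = os.path.realpath(base_dir)
    current = base
    for part in parts:  # walk component by component so symlinks are noticed
        current = os.path.join(current, part)
        if not allow_symlinks and os.path.islink(current):
            raise ValueError("symlink in path: %r" % current)
    if os.path.commonpath([base, os.path.realpath(current)]) != base:  # containment backstop
        raise ValueError("path escapes package directory: %r" % relpath)
    return current

def _outcome(fn, *args):
    try:
        fn(*args)
        return "ok"
    except ValueError:
        return "rejected"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        pkg, outside = os.path.join(tmp, "pkg"), os.path.join(tmp, "outside")
        os.mkdir(pkg)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(pkg, "link"))  # constructed symlink escape
        return {
            "plain name": _outcome(check_filename, "foo.tar"),
            "name with slash": _outcome(check_filename, "../foo.tar"),
            "relative": _outcome(resolve_inside, pkg, "sub/file.txt"),
            "parent dir": _outcome(resolve_inside, pkg, "sub/../../x"),
            "absolute": _outcome(resolve_inside, pkg, "/etc/passwd"),
            "symlink": _outcome(resolve_inside, pkg, "link/file"),
            "symlink followed": _outcome(resolve_inside, pkg, "link/file", True),
        }
```

The last case shows why the canonical-path comparison is kept even when symlinks are tolerated: the component walk alone would let a link inside the package directory redirect a write elsewhere.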

Other bug fixes and changes made:
  • Prefer UTF-8 locale as output format for changes
  • added KankuFile
  • fix problems with unicode source files
  • added python-six to Requires in specfile
  • better encoding handling
  • fixes bsc#1082696 and bsc#1076410
  • fix unicode in containers
  • move to python3
  • added logging for better debugging changesgenerate
  • raise exception if no changesauthor given
  • Stop using @opensuse.org addresses to indicate a missing address
  • move argparse dep to -common package
  • allow submodule and ssl options in appimage
  • sync spec file as used in openSUSE:Tools project
  • check encoding problems for svn and print proper error msg
  • added new param '--locale'
  • separate service file installation in GNUmakefile
  • added glibc as Recommends in spec file
  • cleanup for broken svn caches
  • another fix for unicode problem in obs_scm
  • Final fix for unicode in filenames
  • Another attempt to fix unicode filenames in prep_tree_for_archive
  • Another attempt to fix unicode filenames in prep_tree_for_archive
  • fix bug with unicode filenames in prep_tree_for_archive
  • reuse _service*_servicedata/changes files from previous service runs
  • fix problems with unicode characters in commit messages for changeloggenerate
  • fix encoding issues if commit message contains utf8 char
  • revert encoding for old changes file
  • remove hardcoded utf-8 encodings
  • Add support for extract globbing
  • split pylint2 in GNUmakefile
  • fix check for "--reproducible"
  • create reproducible obscpio archives
  • fix regression from 44b3bee
  • Support also SSH urls for Git
  • check name/version option in obsinfo for slashes
  • check url for remote url
  • check symlinks in subdir parameter
  • check filename for slashes
  • disable follow_symlinks in extract feature
  • switch to obs_scm for this package
  • run download_files in appimage and snapcraft case
  • check --extract file path for parent dir
  • Fix parameter descriptions
  • changed os.removedirs -> shutil.rmtree
  • Adding information regarding the *package-metadata* option for the *tar* service. The tar service is highly useful in combination with the *obscpio* service. After the fix for the metadata for the latter one, it is important to inform the users of the *tar* service that metadata is kept only if the flag *package-metadata* is enabled. Add the flag to the .service file for mentioning that.
  • Allow metadata packing for CPIO archives when desired. As of now, metadata are always excluded from *obscpio* packages. This is because the *package-metadata* flag is ignored; this change (should) make *obscpio* aware of it.
  • improve handling of corrupt git cache directories
  • only do git stash save/pop if we have a non-empty working tree (#228)
  • don't allow DEBUG_TAR_SCM to change behaviour (#240)
  • add stub user docs in lieu of something proper (#238)
  • Remove clone_dir if clone fails
  • python-unittest2 is only required for the optional make check
  • move python-unittest2 dep to test suite only part (submission by olh)
  • Removing redundant pass statement
  • missing import for logging functions.
  • [backend] Adding http proxy support
  • python-unittest2 is only required for the optional make check
  • make installation of scm's optional
  • add a lot more detail to README
  • Git clone with --no-checkout in prepare_working_copy
  • Refactor and simplify git prepare_working_copy
  • Only use current dir if it actually looks like git (Fixes #202)
  • reactivate test_obscpio_extract_d
  • fix broken test create_archive
  • fix broken tests for broken-links
  • changed PREFIX in Gnumakefile to /usr
  • new cli option --skip-cleanup
  • fix for broken links
  • fix reference to snapcraft YAML file
  • fix docstring typo in TarSCM.scm.tar.fetch_upstream
  • acknowledge deficiencies in dev docs
  • wrap long lines in README

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-540=1

Package List:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
    • obs-service-appimage-0.10.5.1551309990.79898c7-3.3.1
    • obs-service-obs_scm-0.10.5.1551309990.79898c7-3.3.1
    • obs-service-obs_scm-common-0.10.5.1551309990.79898c7-3.3.1
    • obs-service-snapcraft-0.10.5.1551309990.79898c7-3.3.1
    • obs-service-tar-0.10.5.1551309990.79898c7-3.3.1
    • obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1

References: