openSUSE: 2019:0326-1: important: obs-service-tar_scm

    Date: 13 Mar 2019
    Category: openSUSE
    Posted By: LinuxSecurity Advisories
    An update that solves three vulnerabilities and has two fixes is now available.
       openSUSE Security Update: Security update for obs-service-tar_scm
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2019:0326-1
    Rating:             important
    References:         #1076410 #1082696 #1105361 #1107507 #1107944 
                        
    Cross-References:   CVE-2018-12473 CVE-2018-12474 CVE-2018-12476
                       
    Affected Products:
                        openSUSE Leap 15.0
    ______________________________________________________________________________
    
       An update that solves three vulnerabilities and has two
       fixes is now available.
    
    Description:
    
       This update for obs-service-tar_scm fixes the following issues:
    
       Security vulnerabilities addressed:
    
       - CVE-2018-12473: Fixed a path traversal issue that allowed users to
         access files outside of the repository using relative paths (bsc#1105361)
       - CVE-2018-12474: Fixed an issue whereby crafted service parameters
         allowed for unexpected behaviour (bsc#1107507)
       - CVE-2018-12476: Fixed an issue whereby the outfilename parameter allowed
         writing files outside of the package directory (bsc#1107944)
    
       Other bug fixes and changes made:
    
       - Prefer UTF-8 locale as output format for changes
       - added KankuFile
       - fix problems with unicode source files
       - added python-six to Requires in specfile
       - better encoding handling
       - fixes bsc#1082696 and bsc#1076410
       - fix unicode in containers
       - move to python3
       - added logging for better debugging changesgenerate
       - raise exception if no changesauthor given
       - Stop using @opensuse.org addresses to indicate a missing address
       - move argparse dep to -common package
       - allow submodule and ssl options in appimage
       - sync spec file as used in openSUSE:Tools project
       - check encoding problems for svn and print proper error msg
       - added new param '--locale'
       - separate service file installation in GNUmakefile
       - added glibc as Recommends in spec file
       - cleanup for broken svn caches
       - another fix for unicode problem in obs_scm
       - Final fix for unicode in filenames
       - Another attempt to fix unicode filenames in prep_tree_for_archive
       - Another attempt to fix unicode filenames in prep_tree_for_archive
       - fix bug with unicode filenames in prep_tree_for_archive
       - reuse _service*_servicedata/changes files from previous service runs
       - fix problems with unicode characters in commit messages for
         changeloggenerate
       - fix encoding issues if commit message contains utf8 char
       - revert encoding for old changes file
       - remove hardcoded utf-8 encodings
       - Add support for extract globbing
       - split pylint2 in GNUmakefile
       - fix check for "--reproducible"
       - create reproducible obscpio archives
       - fix regression from 44b3bee
       - Support also SSH urls for Git
       - check name/version option in obsinfo for slashes
       - check url for remote url
       - check symlinks in subdir parameter
       - check filename for slashes
       - disable follow_symlinks in extract feature
       - switch to obs_scm for this package
       - run download_files in appimage and snapcraft case
       - check --extract file path for parent dir
       - Fix parameter descriptions
       - changed os.removedirs -> shutil.rmtree
       - Adding information regarding the *package-metadata* option for the *tar*
         service. The tar service is highly useful in combination with the
         *obscpio* service. After the fix for the metadata for the latter one, it
         is important to inform the users of the *tar* service that metadata is
         kept only if the flag *package-metadata* is enabled. Add the flag to the
         .service file for mentioning that.
       - Allow metadata packing for CPIO archives when desired. As of now,
         metadata are always excluded from *obscpio* packages. This is because
         the *package-metadata* flag is ignored; this change (should) make
         *obscpio* aware of it.
       - improve handling of corrupt git cache directories
       - only do git stash save/pop if we have a non-empty working tree (#228)
       - don't allow DEBUG_TAR_SCM to change behaviour (#240)
       - add stub user docs in lieu of something proper (#238)
       - Remove clone_dir if clone fails
       - python-unittest2 is only required for the optional make check
       - move python-unittest2 dep to test suite only part (submission by olh)
       - Removing redundant pass statement
       - missing import for logging functions.
       - [backend] Adding http proxy support
       - python-unittest2 is only required for the optional make check
       - make installation of scm's optional
       - add a lot more detail to README
       - Git clone with --no-checkout in prepare_working_copy
       - Refactor and simplify git prepare_working_copy
       - Only use current dir if it actually looks like git (Fixes #202)
       - reactivate test_obscpio_extract_d
       - fix broken test create_archive
       - fix broken tests for broken-links
       - changed PREFIX in Gnumakefile to /usr
       - new cli option --skip-cleanup
       - fix for broken links
       - fix reference to snapcraft YAML file
       - fix docstring typo in TarSCM.scm.tar.fetch_upstream
       - acknowledge deficiencies in dev docs
       - wrap long lines in README
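   The three CVEs above and the hardening entries in the changelog (slash checks
   on name/version and filenames, symlink checks on the subdir parameter, a
   parent-directory check on --extract paths, follow_symlinks disabled for
   extract) all belong to one class of defect: a service parameter that names a
   path is used before it is confined to the package directory. The following
   is an added example written for this advisory; it is not obs-service-tar_scm's
   own code, and the function names (check_component, confine_path,
   extract_files, demo) and the temporary directory layout it builds are
   assumptions made for illustration. It shows the checks applied to each
   parameter kind and, in demo(), a constructed tree with symlinks that point
   outside the package so the rejections can be seen.

```python
"""Added example, not obs-service-tar_scm's own code: the class of parameter
checks the advisory describes (no slashes in name/version/outfilename, no
parent-directory escapes, no symlinks that leave the package directory,
no symlink following on --extract), exercised against a constructed temp tree."""
import glob
import os
import re
import shutil
import tempfile

# A single path component: no separators, no leading dot (so "." and ".." are out).
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+~-]*$")


class UnsafeParameter(ValueError):
    """Raised for a service parameter that would reach outside the package directory."""


def check_component(value, what):
    """Accept only a single safe path component (for name, version, outfilename)."""
    if not isinstance(value, str) or not SAFE_COMPONENT.match(value):
        raise UnsafeParameter(f"{what} {value!r} must be one plain path component")
    return value


def confine_path(base_dir, relative):
    """Resolve `relative` under base_dir (symlinks included) and require it to stay inside.

    realpath() walks every symlink in the chain, so a subdir that is, or passes
    through, a symlink pointing out of the tree resolves to an outside path and
    is rejected along with plain '..' traversal and absolute paths.
    """
    if os.path.isabs(relative):
        raise UnsafeParameter(f"{relative!r} must be relative to the package directory")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if target != base and not target.startswith(base + os.sep):
        raise UnsafeParameter(f"{relative!r} resolves to {target!r}, outside {base!r}")
    return target


def extract_files(checkout_dir, patterns, dest_dir):
    """Copy regular files matched by relative glob patterns into dest_dir.

    Patterns may not be absolute or contain '..'; every match is confined again
    after globbing, and symlinks are skipped instead of followed.
    """
    base = os.path.realpath(checkout_dir)
    copied = []
    for pattern in patterns:
        if os.path.isabs(pattern) or ".." in pattern.split("/"):
            raise UnsafeParameter(f"extract pattern {pattern!r} may not leave the checkout")
        for match in sorted(glob.glob(os.path.join(base, pattern))):
            if os.path.islink(match) or not os.path.isfile(match):
                continue  # never follow symlinks; directories are not extracted
            confine_path(base, os.path.relpath(match, base))
            shutil.copyfile(match, os.path.join(dest_dir, os.path.basename(match)),
                            follow_symlinks=False)
            copied.append(os.path.basename(match))
    return copied


def _rejected(func):
    """True if calling func raises UnsafeParameter."""
    try:
        func()
    except UnsafeParameter:
        return True
    return False


def demo():
    """Constructed scenario: a temp package dir holding a checkout with one real
    file, one subdirectory and two symlinks that point outside the package."""
    results = {}
    with tempfile.TemporaryDirectory() as pkg:
        src = os.path.join(pkg, "src")
        dest = os.path.join(pkg, "out")
        os.makedirs(os.path.join(src, "sub"))
        os.makedirs(dest)
        with open(os.path.join(src, "README"), "w") as fh:
            fh.write("constructed sample file\n")
        # "escape" points at the directory above the package, "leak" at a path beside it.
        os.symlink(os.path.dirname(pkg), os.path.join(src, "escape"))
        os.symlink(os.path.join(os.path.dirname(pkg), "not-ours"), os.path.join(src, "leak"))

        results["good_subdir"] = confine_path(src, "sub") == os.path.realpath(os.path.join(src, "sub"))
        results["dotdot_subdir_rejected"] = _rejected(lambda: confine_path(src, "../../etc"))
        results["symlink_subdir_rejected"] = _rejected(lambda: confine_path(src, "escape/secret"))
        results["absolute_subdir_rejected"] = _rejected(lambda: confine_path(src, "/etc/passwd"))
        results["good_outfilename"] = check_component("tar_scm-0.10.5.tar", "outfilename") == "tar_scm-0.10.5.tar"
        results["traversal_outfilename_rejected"] = _rejected(
            lambda: check_component("../../.ssh/authorized_keys", "outfilename"))
        results["slash_in_version_rejected"] = _rejected(lambda: check_component("1.0/x", "version"))
        results["extracted"] = extract_files(src, ["*"], dest)  # symlinks and dirs skipped
        results["dotdot_extract_rejected"] = _rejected(lambda: extract_files(src, ["../*"], dest))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

   The design point is that confinement is decided on the resolved path, not on
   the string the caller supplied: confine_path() runs realpath() and then
   compares against the resolved package directory, which is what catches a
   subdir that is itself a symlink out of the tree, and extract_files() checks
   each glob match again after expansion rather than trusting the pattern.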
    
       This update was imported from the SUSE:SLE-15:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.0:
    
          zypper in -t patch openSUSE-2019-326=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.0 (noarch):
    
          obs-service-appimage-0.10.5.1551309990.79898c7-lp150.2.3.1
          obs-service-obs_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
          obs-service-obs_scm-common-0.10.5.1551309990.79898c7-lp150.2.3.1
          obs-service-snapcraft-0.10.5.1551309990.79898c7-lp150.2.3.1
          obs-service-tar-0.10.5.1551309990.79898c7-lp150.2.3.1
          obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2018-12473.html
       https://www.suse.com/security/cve/CVE-2018-12474.html
       https://www.suse.com/security/cve/CVE-2018-12476.html
       https://bugzilla.suse.com/1076410
       https://bugzilla.suse.com/1082696
       https://bugzilla.suse.com/1105361
       https://bugzilla.suse.com/1107507
       https://bugzilla.suse.com/1107944
    