1879728 – (CVE-2019-3681) CVE-2019-3681 osc: Stores downloaded RPM in network-controlled filesystem paths

Bug 1879728 (CVE-2019-3681) - CVE-2019-3681 osc: Stores downloaded RPM in network-controlled filesystem paths

Summary: CVE-2019-3681 osc: Stores downloaded RPM in network-controlled filesystem paths

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2019-3681
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1879729
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-16 20:31 UTC by Pedro Sampaio
Modified:	2020-09-16 20:41 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-09-16 20:41:10 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2020-09-16 20:31:09 UTC

A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0 . 

References:

https://bugzilla.suse.com/show_bug.cgi?id=1122675

Comment 1 Pedro Sampaio 2020-09-16 20:31:37 UTC

Created osc tracking bugs for this issue:

Affects: fedora-all [bug 1879729]

Comment 2 Product Security DevOps Team 2020-09-16 20:41:10 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.