[Pkg-rpm-devel] Bug#887306: obs-build: CVE-2017-14804: Exploit extractbuild to write to files in the host system
Héctor Orón Martínez
hector.oron at collabora.co.uk
Tue Feb 27 15:55:11 UTC 2018
Hello Salvatore,
Since you are part of the security team, should the fix go into stable via
the security queue or stable pu?
Regards
On Sun, 14 Jan 2018 20:44:07 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: obs-build
> Version: 20170201-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://bugzilla.novell.com/show_bug.cgi?id=1069904
>
> Hi,
>
> the following vulnerability was published for obs-build.
>
> I noticed the SUSE entry while checking for another issue for osc, and
> note I'm completely unfamiliar with obs-build, so if you think this
> needs an update as well for stable and oldstable, contact team at s.d.o
> for double checking. To be on the safe side, chosen severity grave.
>
> CVE-2017-14804[0]:
> build: Exploit extractbuild to write to files in the host system
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14804
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14804
> [1] https://bugzilla.novell.com/show_bug.cgi?id=1069904
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>
--
Héctor Orón Martínez
Collabora Ltd
The Platinum Building
St John's Innovation Park, Cambridge
CB4 0DS, United Kingdom
Telephone: +44 (0)1223 362967
Fax: +44 (0) 1223 351966
------------------------------------
Visit Collabora on the Web at https://www.collabora.com/
Follow Collabora on Twitter https://twitter.com/collabora
------------------------------------