!36 fix CVE-2020-8020 CVE-2020-8021

From: @markeryang
Reviewed-by: @small_leek
Signed-off-by: @small_leek
openeuler-ci-bot 2021-03-16 17:25:32 +08:00 committed by Gitee
commit afc291e198
3 changed files with 66 additions and 2 deletions

0002-CVE-2020-8020.patch Normal file

@ -0,0 +1,28 @@
From 4d3a644b8a68e625d34a0a1490b539d3bb648001 Mon Sep 17 00:00:00 2001
From: Victor Pereira <vpereira@suse.de>
Date: Wed, 13 May 2020 08:02:52 +0200
Subject: [PATCH] Use Redcarpet Safe render to base OBS markdown render
Conflict:delete src/api/spec/helpers/webui/markdown_helper_spec.rb change
Reference:https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
Signed-off-by: Victor Pereira <vpereira@suse.de>
---
src/api/lib/obsapi/markdown_renderer.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/api/lib/obsapi/markdown_renderer.rb b/src/api/lib/obsapi/markdown_renderer.rb
index bc75e7b..cff936f 100644
--- a/src/api/lib/obsapi/markdown_renderer.rb
+++ b/src/api/lib/obsapi/markdown_renderer.rb
@@ -1,7 +1,7 @@
require 'uri'
module OBSApi
- class MarkdownRenderer < Redcarpet::Render::HTML
+ class MarkdownRenderer < Redcarpet::Render::Safe
include Rails.application.routes.url_helpers
def self.default_url_options
--
2.23.0
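Review bot: the backport drops the upstream change to `src/api/spec/helpers/webui/markdown_helper_spec.rb` (the `Conflict:delete ...` line), so nothing in this tree exercises the new base class; please confirm that the redcarpet gem shipped with obs-server 2.10.1 provides `Redcarpet::Render::Safe` (Redcarpet's user-content renderer, an HTML renderer with HTML escaping and safe-links-only enabled) and that any render methods `MarkdownRenderer` defines on top of it (the class pulls in `Rails.application.routes.url_helpers` to build links) do not emit unescaped markup themselves, since a subclass override bypasses the base renderer's escaping. The `Conflict:` and `Reference:` header lines are also missing the space after the colon that `Subject:` and `Signed-off-by:` have.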

0003-CVE-2020-8021.patch Normal file

@ -0,0 +1,31 @@
From 7323c904f86ba9e04065c23422d06c03647589fb Mon Sep 17 00:00:00 2001
From: Marcus Huewe <suse-tux@gmx.de>
Date: Wed, 13 May 2020 22:08:16 +0200
Subject: [PATCH] bs_srcserver: Forbid the creation of a _link in
mergeservicerun
A _link file is not allowed because it can result in a potential
privilege escalation.
Conflict:NA
Reference:https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
Signed-off-by:Marcus Huewe <suse-tux@gmx.de>
---
src/backend/bs_srcserver | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/backend/bs_srcserver b/src/backend/bs_srcserver
index da3f3c3..07e411e 100755
--- a/src/backend/bs_srcserver
+++ b/src/backend/bs_srcserver
@@ -391,6 +391,7 @@ sub mergeservicerun {
delete $files->{'_service'};
for (sort keys %$files) {
next unless /^_service:.*:(.*?)$/s;
+ die("cannot create a link from a service") if $1 eq '_link';
$files->{$1} = $files->{$_};
delete $files->{$_};
BSSrcrep::copyonefile($projid, $packid, $1, $projid, $packid, $_, $files->{$1});
--
2.23.0
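Review bot: the new `+ die("cannot create a link from a service") if $1 eq '_link';` fires inside the `for (sort keys %$files)` loop, after earlier entries may already have been renamed in `$files` and copied via `BSSrcrep::copyonefile`; confirm that the caller of `mergeservicerun` turns the die into a failed request and discards the partially merged `$files` rather than committing it. The check itself matches the referenced upstream commit 7323c904f86ba9e04065c23422d06c03647589fb line for line, and the `Conflict:`, `Reference:` and `Signed-off-by:` trailers lack the space after the colon used elsewhere.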


@ -2,14 +2,16 @@
Name: obs-server
Version: 2.10.1
Release: lp151.23.6
Release: lp151.23.7
Summary: The Open Build Service -- Server Component
License: GPL-2.0-only OR GPL-3.0-only
License: GPL-2.0-only or GPL-3.0-only
URL: http://www.openbuildservice.org
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source0: open-build-service-%version.tar.xz
Patch1: 0001-obs_server-fix-usage-info.patch
Patch2: 0002-CVE-2020-8020.patch
Patch3: 0003-CVE-2020-8021.patch
BuildArch: noarch
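Review bot: this hunk registers `Patch2: 0002-CVE-2020-8020.patch` and `Patch3: 0003-CVE-2020-8021.patch`, but the commit summary (66 additions, 2 deletions, of which the two patch files account for 59 additions and the two spec hunks for the remaining 7 additions and 2 deletions) leaves no `%prep` change, so the new patches are applied only if `%prep` already uses `%autosetup -p1` or `%autopatch`; if it applies patches individually (`%patch1 -p1` style), `%patch2` and `%patch3` lines must be added or the fix is never built in. Separately, the `License:` line changes between `GPL-2.0-only OR GPL-3.0-only` and `GPL-2.0-only or GPL-3.0-only`; that is unrelated to the CVE fix and not mentioned in the changelog, and SPDX expressions spell the operator `OR`, so please revert or justify it (the rendered hunk has lost its `+`/`-` markers, so the old and new `Release:` and `License:` lines appear as unmarked adjacent pairs).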
@ -476,6 +478,9 @@ usermod -a -G docker obsservicerun
%{_sbindir}/rcobsstoragesetup
%changelog
* Tue Mar 16 2021 yanglongkang <yanglongkang@huawei.com> - 2.10.1-lp151.23.7
- fix CVE-2020-8020 CVE-2020-8021
* Mon Dec 28 2020 xinghe <xinghe1@huawei.com> - 2.10.1-lp151.23.6
- fix obs_admin can't locate BSConfig.pm
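Review bot: the changelog entry `- fix CVE-2020-8020 CVE-2020-8021` matches the `Release:` bump to lp151.23.7, but for traceability it should say what each fix touches (the switch to `Redcarpet::Render::Safe` in `markdown_renderer.rb` and the `_link` refusal in `bs_srcserver`) and cite the upstream references already given in the patch headers.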