Ubuntu
osc package

Improper sanitization of terminal emulator escape sequences when displaying build log and build status

Bug #1197639 reported by Christian Kuersteiner
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
osc (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

A security flaw was found in the way osc displayed build logs and build status for particular build. A rogue repository server could use this flaw to modify window's title, or possibly execute arbitrary commands or overwrite files via a specially-crafted build log or build status output containing an escape sequence for a terminal emulator.

Reference:
https://bugzilla.novell.com/show_bug.cgi?id=749335

Upstream patch:
https://github.com/openSUSE/osc/commit/effe3835ba65745f51dbb579af4ea3556d2ab597.patch

CVE References

Christian Kuersteiner (ckuerste)
information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in osc (Ubuntu):
status: New → Incomplete
Revision history for this message
Christian Kuersteiner (ckuerste) wrote :

Precise debdiff.

Tested install/upgrade on clean system.
Tested with the testsuite from osc (tests/suite.py). Got some errors in TestCommit. Not sure if it might be a configuration thing. I got the same kind of errors for the patched and unpatched version.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Debdiff looks good. ACK.

Uploading now, will be release once it finishes building.

Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package osc - 0.132.6-1ubuntu0.1

---------------
osc (0.132.6-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Improper sanitization of terminal emulator escape
    sequences when displaying build log and build status (LP: #1197639)
    - debian/patches/CVE-2012-1095.patch: osc/core.py(print_buildlog): strip
      terminal control chars, except new lines from build logs. Based on
      upstream patch.
    - CVE-2012-1095
 -- Christian Kuersteiner <email address hidden> Tue, 16 Jul 2013 11:44:28 +0700

Changed in osc (Ubuntu):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.