From c380a5e282b06cecdb16425b2d129cad84dd9554 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Tue, 16 Mar 2021 14:45:09 +0800
Subject: [PATCH] fix CVE-2020-8020 CVE-2020-8021
---
 0002-CVE-2020-8020.patch | 28 ++++++++++++++++++++++++++++
 0003-CVE-2020-8021.patch | 31 +++++++++++++++++++++++++++++++
 obs-server.spec | 7 ++++++-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 0002-CVE-2020-8020.patch
 create mode 100644 0003-CVE-2020-8021.patch
diff --git a/0002-CVE-2020-8020.patch b/0002-CVE-2020-8020.patch
new file mode 100644
index 0000000..60aed7c
--- /dev/null
+++ b/0002-CVE-2020-8020.patch
@@ -0,0 +1,28 @@
+From 4d3a644b8a68e625d34a0a1490b539d3bb648001 Mon Sep 17 00:00:00 2001
+From: Victor Pereira
+Date: Wed, 13 May 2020 08:02:52 +0200
+Subject: [PATCH] Use Redcarpet Safe render to base OBS markdown render
+
+Conflict:delete src/api/spec/helpers/webui/markdown_helper_spec.rb change
+Reference:https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
+
+Signed-off-by: Victor Pereira
+---
+ src/api/lib/obsapi/markdown_renderer.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/api/lib/obsapi/markdown_renderer.rb b/src/api/lib/obsapi/markdown_renderer.rb
+index bc75e7b..cff936f 100644
+--- a/src/api/lib/obsapi/markdown_renderer.rb
++++ b/src/api/lib/obsapi/markdown_renderer.rb
+@@ -1,7 +1,7 @@
+ require 'uri'
+
+ module OBSApi
+- class MarkdownRenderer < Redcarpet::Render::HTML
++ class MarkdownRenderer < Redcarpet::Render::Safe
+ include Rails.application.routes.url_helpers
+
+ def self.default_url_options
+--
+2.23.0
\ No newline at end of file
diff --git a/0003-CVE-2020-8021.patch b/0003-CVE-2020-8021.patch
new file mode 100644
index 0000000..3a02309
--- /dev/null
+++ b/0003-CVE-2020-8021.patch
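Review bot: The swap to `Redcarpet::Render::Safe` on the `class MarkdownRenderer` line only helps if the redcarpet version locked in the packaged Gemfile.lock (Source1 in obs-server.spec) ships that renderer; if it does not, the class fails to load at boot, so the locked version is worth checking before this build goes out. The backport header also says the upstream change to `src/api/spec/helpers/webui/markdown_helper_spec.rb` was dropped to resolve a conflict, which leaves nothing in the package pinning the escaping behaviour this fix exists for — carrying the spec change, or at least a comment on the class such as `# Render::Safe escapes raw HTML in markdown input; do not swap back to Render::HTML`, keeps the intent visible. The class body continues outside the hunk; any render callbacks it overrides that emit user-supplied text directly would bypass what the Safe base class escapes, so those are worth a look as well.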
@@ -0,0 +1,31 @@
+From 7323c904f86ba9e04065c23422d06c03647589fb Mon Sep 17 00:00:00 2001
+From: Marcus Huewe
+Date: Wed, 13 May 2020 22:08:16 +0200
+Subject: [PATCH] bs_srcserver: Forbid the creation of a _link in
+ mergeservicerun
+
+A _link file is not allowed because it can result in a potential
+privilege escalation.
+
+Conflict:NA
+Reference:https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
+
+Signed-off-by:Marcus Huewe
+---
+ src/backend/bs_srcserver | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/backend/bs_srcserver b/src/backend/bs_srcserver
+index da3f3c3..07e411e 100755
+--- a/src/backend/bs_srcserver
++++ b/src/backend/bs_srcserver
+@@ -391,6 +391,7 @@ sub mergeservicerun {
+ delete $files->{'_service'};
+ for (sort keys %$files) {
+ next unless /^_service:.*:(.*?)$/s;
++ die("cannot create a link from a service") if $1 eq '_link';
+ $files->{$1} = $files->{$_};
+ delete $files->{$_};
+ BSSrcrep::copyonefile($projid, $packid, $1, $projid, $packid, $_, $files->{$1});
+--
+2.23.0
\ No newline at end of file
diff --git a/obs-server.spec b/obs-server.spec
index aaa2322..fcc9a88 100644
--- a/obs-server.spec
+++ b/obs-server.spec
@@ -6,7 +6,7 @@ Name: obs-server
 Version: 2.10.7
-Release: 5
+Release: 6
 Summary: The Open Build Service -- Server Component
 License: GPL-2.0-only OR GPL-3.0-only
 URL: http://www.openbuildservice.org
@@ -14,6 +14,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Source0: https://github.com/openSUSE/open-build-service/archive/2.10.7.tar.gz
 Source1: Gemfile.lock
 Patch1: 0001-obs_server-fix-usage-info.patch
+Patch2: 0002-CVE-2020-8020.patch
+Patch3: 0003-CVE-2020-8021.patch
 BuildArch: noarch
@@ -482,6 +484,9 @@ usermod -a -G docker obsservicerun
 %{_sbindir}/rcobsstoragesetup
 %changelog
+* Tue Mar 16 2021 yanglongkang - 2.10.7-6
+- fix CVE-2020-8020 CVE-2020-8021
+
 * Mon Dec 28 2020 xinghe - 2.10.7-5
 - fix obs_admin can't locate BSConfig.pm
--
Gitee
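Review bot: The new `die` sits inside the `for (sort keys %$files)` loop, after `BSSrcrep::copyonefile` may already have run for earlier `_service:` entries, so rejecting a `_link` result mid-loop can leave the preceding files copied unless the caller discards the whole merge on die — the rest of mergeservicerun is outside the hunk, so I cannot tell from here. Checking the names before the loop mutates anything avoids the question, e.g. `die("cannot create a link from a service") if grep { /^_service:.*:_link$/s } keys %$files;` placed right after the `delete $files->{'_service'};` line, which matches the same entries as the `$1 eq '_link'` test since `$1` is the text after the last colon. Including the offending entry in the message, `die("cannot create a link from a service: $_")`, would also make the rejection easier to find in the server log.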
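Review bot: `Patch2` and `Patch3` are declared in the `@@ -14,6 +14,8 @@` hunk, but `%prep` is outside the diff, so it is not visible whether they are applied: with `%autosetup -p1` the new tags are picked up automatically, while an explicit `%patch1 -p1` style prep needs matching `%patch2 -p1` and `%patch3 -p1` lines, or the two CVE fixes silently never reach the built package. Since `Patch1` already exists, whichever form prep uses for it should be confirmed to cover the two new tags before the changelog claims the fix.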