VYPR
Unrated severity · NVD Advisory · Published Mar 1, 2018 · Updated Sep 16, 2024

osc executes spec code during "osc commit"

CVE-2017-9274

Description

Shell command injection in obs-service-source_validator before 0.7 allows arbitrary code execution as the packager when processing crafted RPM SPEC macros.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A shell command injection vulnerability exists in obs-service-source_validator versions prior to 0.7. The tool executes shell commands embedded in RPM SPEC file macros (e.g., %(...)) during local source service runs triggered by commands such as osc commit or quilt setup [1][2]. This allows an attacker who can supply a malicious SPEC file to inject arbitrary shell commands that are executed with the privileges of the packager [2].

Exploitation

An attacker crafts an RPM SPEC file containing a macro with a shell command, such as %define bad_luck %(rm -rf /), and submits it to a repository or otherwise causes the packager to process it. When the packager runs osc commit or quilt setup on the affected package, the obs-service-source_validator service expands the macro, executing the injected command [2]. No authentication is required beyond the ability to provide the SPEC file; user interaction (the packager running the command) is necessary [1].

Impact

Successful exploitation allows the attacker to execute arbitrary shell commands as the packager user. This can lead to complete compromise of confidentiality, integrity, and availability of the packager's system, including potential privilege escalation or lateral movement [1]. The CVSS v3 base score is 7.8 (High) with a local attack vector and low complexity [1].

Mitigation

The vulnerability is fixed in obs-service-source_validator version 0.7 [1]. SUSE released updates via SUSE-SU-2017:3253-1, SUSE-SU-2018:0065-1, and openSUSE-SU-2017:3259-1, which include patched packages for affected SUSE Linux Enterprise and openSUSE distributions [1]. Users should update to the fixed version. As a workaround, avoid processing untrusted SPEC files with osc commit or quilt setup until the update is applied.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
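The workaround above (do not feed untrusted SPEC files to osc commit or quilt setup until the update is applied) is easier to follow with a pre-commit check. The script below is an added example, not code from obs-service-source_validator, osc or rpm; the function names and the sample spec are constructed. It lists every %(...) shell-expansion macro in a spec, which is exactly the construct the advisory describes, so a packager can review them before a local source service run expands them.

```python
"""List RPM SPEC shell-expansion macros (%(...)) before a local source
service run.  Added example; not part of obs-service-source_validator."""
from typing import List, NamedTuple


class ShellMacro(NamedTuple):
    line_no: int   # 1-based line number in the spec
    macro: str     # the full %( ... ) text as written
    command: str   # the shell command between the parentheses


def find_shell_macros(spec_text: str) -> List[ShellMacro]:
    """Return every %(...) macro in the spec, balancing nested parentheses.

    Comment lines are scanned as well: rpm's macro expander does not skip
    '#' lines, so a %(...) inside a comment is still executed.
    """
    found: List[ShellMacro] = []
    for line_no, line in enumerate(spec_text.splitlines(), start=1):
        pos = 0
        while True:
            start = line.find("%(", pos)
            if start == -1:
                break
            # '%%(' is a literal percent sign followed by '(' and not a macro
            if start > 0 and line[start - 1] == "%":
                pos = start + 2
                continue
            depth = 0
            end = None
            for j in range(start + 1, len(line)):
                if line[j] == "(":
                    depth += 1
                elif line[j] == ")":
                    depth -= 1
                    if depth == 0:
                        end = j
                        break
            if end is None:
                # Unbalanced macro: flag the rest of the line and move on
                found.append(ShellMacro(line_no, line[start:], line[start + 2:].strip()))
                break
            found.append(ShellMacro(line_no, line[start:end + 1], line[start + 2:end].strip()))
            pos = end + 1
    return found


def spec_is_clean(spec_text: str) -> bool:
    """True when the spec contains no shell-expansion macros at all."""
    return not find_shell_macros(spec_text)


# Constructed sample spec: two %define lines use shell expansion and one
# %(...) hides in a comment.  The commands are harmless placeholders.
SAMPLE_SPEC = """\
Name:           example
Version:        1.2.3
Release:        1%{?dist}
Summary:        Constructed sample spec for the detector
License:        MIT
%define major   %(echo %{version} | cut -d. -f1)
%define tag     %(uname -m)
# Note: %(hostname) in a comment is still expanded by rpm
%description
Sample package.
"""


def report(spec_text: str) -> str:
    """Human-readable review list, one finding per line."""
    lines = [f"line {m.line_no}: {m.macro}  (runs: {m.command})"
             for m in find_shell_macros(spec_text)]
    return "\n".join(lines) if lines else "no shell-expansion macros found"


if __name__ == "__main__":
    print(report(SAMPLE_SPEC))
```

Legitimate specs do use %(...) (the `echo %{version} | cut` idiom above is a common one), so the output is a review list rather than a verdict: a packager who did not write the spec checks each command before running osc commit. With obs-service-source_validator 0.7 installed this is defence in depth, not the fix.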

Affected products: 11

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0

No linked articles in our index yet.