Security update for build SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0387-1 Final 1 1 2019-02-14T10:55:29Z current 2019-02-14T10:55:29Z 2019-02-14T10:55:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for build This update for build version 20190128 fixes the following issues: Security issue fixed: - CVE-2017-14804: Improve file name check extractbuild (bsc#1069904) Non-security issue fixed: - Add initial SLE 15 SP1 config (bsc#1122895) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-387,SUSE-SLE-Module-Development-Tools-15-2019-387,SUSE-SLE-Module-Development-Tools-OBS-15-2019-387 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190387-1/ Link for SUSE-SU-2019:0387-1 https://lists.suse.com/pipermail/sle-security-updates/2019-February/005116.html E-Mail link for SUSE-SU-2019:0387-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1069904 SUSE Bug 1069904 https://bugzilla.suse.com/1122895 SUSE Bug 1122895 https://www.suse.com/security/cve/CVE-2017-14804/ SUSE CVE CVE-2017-14804 page SUSE Linux Enterprise Module for Development Tools 15 build-20190128-3.3.2 build-initvm-aarch64-20190128-3.3.2 build-initvm-i586-20190128-3.3.2 build-initvm-powerpc64le-20190128-3.3.2 build-initvm-s390x-20190128-3.3.2 build-initvm-x86_64-20190128-3.3.2 build-mkbaselibs-20190128-3.3.2 build-mkdrpms-20190128-3.3.2 build-20190128-3.3.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 build-mkbaselibs-20190128-3.3.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots. CVE-2017-14804 SUSE Linux Enterprise Module for Development Tools 15:build-20190128-3.3.2 SUSE Linux Enterprise Module for Development Tools 15:build-mkbaselibs-20190128-3.3.2 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190387-1/ https://www.suse.com/security/cve/CVE-2017-14804.html CVE-2017-14804 https://bugzilla.suse.com/1069904 SUSE Bug 1069904