CVE-2017-9274

A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs.

References

Affected packages

Debian:11 / osc

Package

Name: osc
Purl: pkg:deb/debian/osc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.162.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / osc

Package

Name: osc
Purl: pkg:deb/debian/osc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.162.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / osc

Package

Name: osc
Purl: pkg:deb/debian/osc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.162.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/opensuse/obs-service-source_validator

Affected ranges

Type: GIT
Repo: https://github.com/opensuse/obs-service-source_validator
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1e990f00f4a78d58f1c4252f52ce63c48747f08a

Affected versions

0.*

0.8