Success

#28010 (Apr 16, 2026, 9:09:35 AM)

Started 8 hr 34 min ago
Took 1.9 sec on build4-deb12build-ansible

Started by upstream project gerrit-pysim build number 3059
originally caused by:

This run spent:

  • 17 sec waiting;
  • 1.9 sec build duration;
  • 18 sec total from scheduled to completion.
Revision: 33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6
Repository: $GERRIT_REPO_URL
  • master
osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)

Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").

Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.

Fix:
Replace os.path.commonprefix() with proper path component checking:

Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
pmaier@sysmocom.de at
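The root cause described in the commit message, as an added illustration that is not osmo-pysim's code: the first function reproduces the `os.path.commonprefix()` antipattern, the second does the component-wise check the fix calls for. The base directory `/srv/smdpp/profiles`, the function names and the sample inputs are constructed for this example and are not taken from the project.

```python
import os

# Constructed base directory for the example; not the project's real path.
BASE_DIR = "/srv/smdpp/profiles"


def is_within_commonprefix(base: str, candidate: str) -> bool:
    """The flawed check (CWE-22): os.path.commonprefix compares strings
    character by character, so any path whose string starts with `base`
    passes, including a sibling directory such as `<base>_evil`."""
    full = os.path.normpath(os.path.join(base, candidate))
    return os.path.commonprefix([base, full]) == base


def is_within_components(base: str, candidate: str) -> bool:
    """Component-wise containment check: normalise both paths to absolute
    form and compare whole path components via os.path.commonpath.
    On a real filesystem use os.path.realpath instead of abspath so that
    symlinks are collapsed before the comparison."""
    base_abs = os.path.abspath(base)
    full = os.path.abspath(os.path.join(base_abs, candidate))
    if full == base_abs:
        # An empty or "." candidate resolves to the directory itself;
        # that is not a file inside it.
        return False
    try:
        return os.path.commonpath([base_abs, full]) == base_abs
    except ValueError:
        # Raised when the paths are on different drives (Windows) or mix
        # absolute and relative forms; treat as outside the base.
        return False


def safe_profile_path(matching_id: str, base: str = BASE_DIR) -> str:
    """Resolve a client-supplied identifier to a path under `base`, or
    raise ValueError if it would escape the directory."""
    if not is_within_components(base, matching_id):
        raise ValueError("matchingId resolves outside the profile directory")
    return os.path.abspath(os.path.join(base, matching_id))


if __name__ == "__main__":
    for cand in ["abc.der", "../profiles_evil/x", "../../etc/passwd"]:
        print(f"{cand!r}: commonprefix={is_within_commonprefix(BASE_DIR, cand)} "
              f"components={is_within_components(BASE_DIR, cand)}")
```

Running the block shows the difference that matters for detection and review: `../profiles_evil/x` normalises to `/srv/smdpp/profiles_evil/x`, whose string prefix equals the base directory, so the `commonprefix` check accepts it while the component-wise check rejects it. Any code path that builds a filesystem location from a network-supplied identifier should go through a check of the second kind.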