Bug 1029824 (CVE-2017-5188)

Summary: VUL-0: CVE-2017-5188: open-build-service: worker VM escape via relative symbolic links
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Adrian Schröter <adrian.schroeter>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bgeuken, fvogt, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 2 Adrian Schröter 2017-03-21 08:16:29 UTC
It was in past OBS releases, but also in the plain build script.

The build script should cover use here for VM builds, but it didn't.

bs_worker shouldn't accept symlinks pointing to external resources.

Both are fixed in git (build: master; OBS: master, 2.8, 2.7 and 2.6 branches).

New packages for the build package will most likely be prepared together with the osc stack update. OBS will get an official 2.7 release fixing this, and 2.8 final will have it fixed.

CVE id sounds like a good idea here.
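The check Comment 2 asks for, that a worker must not accept symlinks pointing outside the tree it was given, is illustrated below as an added example. It is not code from the open-build-service or build repositories and does not reproduce their fix; it is an editor's Python illustration of the mitigation. The function names (`symlink_escapes`, `find_escaping_symlinks`, `build_sample_tree`, `demo`) and the sample directory layout are assumptions constructed for the example. The point it demonstrates is that a relative target must be resolved against the directory that contains the link, then fully resolved (chains and `..` included) before it is compared to the allowed root; a bare string check for `..` would miss link chains and absolute targets, and would wrongly reject a `..` that stays inside the root.

```python
import os
import tempfile


def symlink_escapes(root, link_path):
    """True if the symlink at link_path resolves to somewhere outside root.

    A relative target is resolved against the directory holding the link,
    exactly as the kernel does; realpath() then follows any further link
    chain and collapses ".." so the final location can be compared to root.
    """
    root_real = os.path.realpath(root)
    target = os.readlink(link_path)
    if not os.path.isabs(target):
        target = os.path.join(os.path.dirname(link_path), target)
    resolved = os.path.realpath(target)
    return os.path.commonpath([root_real, resolved]) != root_real


def find_escaping_symlinks(root):
    """Walk root without following links and return the relative paths of
    every symlink (file or directory) whose final target lies outside root."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and symlink_escapes(root, full):
                offenders.append(os.path.relpath(full, root))
    return sorted(offenders)


def build_sample_tree(base):
    """Constructed sample (assumption for this example): a build root holding
    benign links, a relative escape, an absolute escape and a link chain."""
    root = os.path.join(base, "buildroot")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "data.txt"), "w") as f:
        f.write("inside\n")
    with open(os.path.join(base, "outside.txt"), "w") as f:
        f.write("outside the build root\n")
    os.symlink("data.txt", os.path.join(root, "ok"))                      # stays inside
    os.symlink("..", os.path.join(root, "sub", "up"))                     # '..' but still inside root
    os.symlink("../../outside.txt", os.path.join(root, "sub", "evil"))   # relative escape
    os.symlink(os.path.join(base, "outside.txt"), os.path.join(root, "abs"))  # absolute escape
    os.symlink("sub/evil", os.path.join(root, "chain"))                   # escapes via another link
    return root


def demo():
    """Build the sample tree in a temp dir and report the escaping links."""
    base = tempfile.mkdtemp(prefix="symlink-check-")
    return find_escaping_symlinks(build_sample_tree(base))


if __name__ == "__main__":
    print(demo())  # ['abs', 'chain', 'sub/evil']
```

Run it as a script and it reports `abs`, `chain` and `sub/evil` while accepting `ok` and `sub/up`. In a worker this scan belongs between unpacking the sources and handing the tree to the build VM, on a tree nothing else can modify in the meantime; resolving against the real (symlink-free) root keeps the comparison honest when the staging area itself lives under a symlinked path such as `/var` on some systems.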
Comment 3 Marcus Meissner 2017-03-21 09:58:47 UTC
Use CVE-2017-5188
Comment 5 Marcus Meissner 2018-03-01 13:23:45 UTC
hmm, perhaps more this one:

https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Comment 6 Adrian Schröter 2020-07-16 07:02:43 UTC
fixed long time ago