Bugzilla – Bug 1029824
VUL-0: CVE-2017-5188: open-build-service: worker VM escape via relative symbolic links
Last modified: 2020-07-16 07:02:43 UTC
It was in past OBS releases, but also in the plain build script. The build script should cover use here for VM builds, but it didn't. bs_worker shouldn't accept symlinks pointing to external resources. Both are fixed in git (build: master, and OBS in the master, 2.8, 2.7 and 2.6 branches). New packages for the build package will most likely be prepared together with the osc stack update. OBS will get an official 2.7 release fixing this, and 2.8 final will have it fixed. A CVE id sounds like a good idea here.
Use CVE-2017-5188
hmm, perhaps more this one: https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
fixed long time ago
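
The first comment says bs_worker should not accept symlinks pointing to external resources. As an added illustration (not the OBS or build-script fix, and not code from this bug), here is a generic Python containment check over an unpacked source tree; the function names and the sample tree are constructed for the example.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Return relative paths of symlinks under root whose target leaves root."""
    root = os.path.realpath(root)
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            if os.path.isabs(target):
                # Absolute targets resolve against whatever system follows the link.
                escapes = True
            else:
                # Resolve relative to the link's own directory; realpath also
                # follows chains of links and collapses "../" components.
                resolved = os.path.realpath(os.path.join(dirpath, target))
                escapes = os.path.commonpath([root, resolved]) != root
            if escapes:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_tree(root):
    """Constructed sample: one harmless link and three that leave the tree."""
    docs = os.path.join(root, "pkg", "docs")
    os.makedirs(docs)
    with open(os.path.join(root, "pkg", "README"), "w") as fh:
        fh.write("sample\n")
    os.symlink("../README", os.path.join(docs, "README"))             # stays inside
    os.symlink("../../../outside.txt", os.path.join(docs, "escape"))  # relative, leaves
    os.symlink("/etc/hostname", os.path.join(root, "pkg", "abs"))     # absolute
    os.symlink("docs/escape", os.path.join(root, "pkg", "chained"))   # via another link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "srcdir")
        build_sample_tree(tree)
        for link in escaping_symlinks(tree):
            print("rejecting symlink:", link)
```

The check reflects the tree at scan time only, so it belongs immediately before the tree is handed to whatever will follow the links.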