Bugzilla – Bug 1029824
VUL-0: CVE-2017-5188: open-build-service: worker VM escape via relative symbolic links
Last modified: 2020-07-16 07:02:43 UTC
It was in past OBS releases, but also in plain build script.
Build script should cover use here for VM builds, but it didn't.
bs_worker shouldn't accept symlinks pointing to external resources.
Both are fixed in git (build: master and OBS in master, 2.8, 2.7 and 2.6 branches).
New packages for the build package will most likely be prepared together with the osc stack update. OBS will get an official 2.7 release fixing this and 2.8 final will have it fixed.
CVE id sounds like a good idea here.
hmm, perhaps more this one:
Fixed a long time ago.
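
A check in the spirit of the comment above that bs_worker shouldn't accept symlinks pointing to external resources, as an added example that is not code from OBS or the build script: it walks a directory without following links and reports every symlink whose target is absolute or resolves outside that directory. The function names and the sample tree are assumptions constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

def escaping_symlinks(root):
    """Return sorted (relative path, target) pairs for symlinks that leave root."""
    root_real = os.path.realpath(root)
    bad = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root_real):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Resolve relative to the link's own directory; realpath also
            # follows chains of links, so an indirect escape is caught too.
            resolved = os.path.realpath(os.path.join(dirpath, target))
            inside = os.path.commonpath([root_real, resolved]) == root_real
            if os.path.isabs(target) or not inside:
                bad.append((os.path.relpath(path, root_real), target))
    return sorted(bad)

def build_sample_tree(root):
    """Constructed sample tree standing in for files handed back by a build."""
    noarch = os.path.join(root, "RPMS", "noarch")
    os.makedirs(noarch)
    with open(os.path.join(noarch, "pkg.rpm"), "w") as f:
        f.write("constructed placeholder\n")
    # Relative link that stays inside the tree: acceptable.
    os.symlink("noarch/pkg.rpm", os.path.join(root, "RPMS", "latest.rpm"))
    # Relative link that climbs out of the tree.
    os.symlink("../../../outside-secret", os.path.join(noarch, "key"))
    # Absolute link.
    os.symlink("/etc/hostname", os.path.join(root, "abs"))
    # Link that looks local but chains to the escaping link above.
    os.symlink("noarch/key", os.path.join(root, "RPMS", "hop"))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "results")
        build_sample_tree(root)
        return escaping_symlinks(root)

if __name__ == "__main__":
    for rel, target in demo():
        print(f"reject {rel} -> {target}")
```

The result is only meaningful on a tree the untrusted side can no longer modify, since a link can be swapped between the check and a later read.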