Bug 1029824 - (CVE-2017-5188) VUL-0: CVE-2017-5188: open-build-service: worker VM escape via relative symbolic links
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Adrian Schröter
Security Team bot
Reported: 2017-03-17 07:48 UTC by Andreas Stieger
Modified: 2020-07-16 07:02 UTC (History)
Comment 2 Adrian Schröter 2017-03-21 08:16:29 UTC
It was in past OBS releases, but also in the plain build script.

The build script should cover use here for VM builds, but it didn't.

bs_worker shouldn't accept symlinks pointing to external resources.

Both are fixed in git (build: master; OBS: master, 2.8, 2.7 and 2.6 branches).

New packages for the build package will most likely be prepared together with the osc stack update. OBS will get an official 2.7 release fixing this, and 2.8 final will have it fixed.

CVE id sounds like a good idea here.
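The containment rule from the comment above ("bs_worker shouldn't accept symlinks pointing to external resources"), written out as an added example that is not OBS or bs_worker code (those are Perl; this Python is a stand-in): every symlink in the source tree is rejected if its target is absolute or if it resolves, through any chain of other links, to a path outside the tree. The sample tree, its file names and link targets are constructed for the demonstration.

```python
import os
import tempfile


def symlink_escapes(root, link_path):
    """True if the symlink at link_path resolves to something outside root.

    realpath() follows the whole chain of links, so a link that only
    reaches the outside through another link inside the tree is caught too.
    """
    root_real = os.path.realpath(root)
    target = os.readlink(link_path)
    if os.path.isabs(target):
        return True  # absolute targets always leave the source tree
    resolved = os.path.realpath(os.path.join(os.path.dirname(link_path), target))
    return os.path.commonpath([root_real, resolved]) != root_real


def find_escaping_symlinks(root):
    """Walk a source tree and list (root-relative) every symlink that escapes it."""
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and symlink_escapes(root, path):
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_demo_tree():
    """Constructed sample tree: one benign link plus absolute, relative and chained escapes."""
    root = tempfile.mkdtemp(prefix="obs-src-")
    os.makedirs(os.path.join(root, "patches"))
    with open(os.path.join(root, "patches", "fix.diff"), "w") as fh:
        fh.write("constructed sample patch\n")
    os.symlink("patches/fix.diff", os.path.join(root, "current.diff"))       # stays inside
    os.symlink("/etc/hosts", os.path.join(root, "hosts"))                    # absolute target
    os.symlink("../../etc/passwd", os.path.join(root, "patches", "passwd"))  # relative escape
    os.symlink(".", os.path.join(root, "self"))                              # harmless on its own
    os.symlink("self/..", os.path.join(root, "sneaky"))                      # escapes via "self"
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel in find_escaping_symlinks(demo_root):
        print("reject:", rel)
```

A purely lexical check on the link text would miss the `sneaky` case, which is why the example resolves against the real filesystem instead.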
Comment 3 Marcus Meissner 2017-03-21 09:58:47 UTC
Use CVE-2017-5188
Comment 5 Marcus Meissner 2018-03-01 13:23:45 UTC
hmm, perhaps more this one:

Comment 6 Adrian Schröter 2020-07-16 07:02:43 UTC
Fixed a long time ago.