Bug 1029824 - (CVE-2017-5188) VUL-0: CVE-2017-5188: open-build-service: worker VM escape via relative symbolic links
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Adrian Schröter
QA Contact: Security Team bot
Reported: 2017-03-17 07:48 UTC by Andreas Stieger
Modified: 2020-07-16 07:02 UTC

Comment 2 Adrian Schröter 2017-03-21 08:16:29 UTC
It was in past OBS releases, but also in the plain build script.

The build script should cover this use case for VM builds, but it didn't.

bs_worker shouldn't accept symlinks pointing to external resources.

Both are fixed in git (build: master; OBS: master, 2.8, 2.7 and 2.6 branches).

New packages for the build package will most likely be prepared together with the osc stack update. OBS will get an official 2.7 release fixing this, and 2.8 final will have it fixed.

CVE id sounds like a good idea here.
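The containment check Comment 2 calls for ("bs_worker shouldn't accept symlinks pointing to external resources"), as an added example that is not OBS's own code (bs_worker is Perl; this is a Python illustration of the same rule): walk a source tree without following symlinks and flag every link whose target, resolved relative to the directory the link lives in, lands outside the tree. Relative links that climb with `../` are the interesting case, since they are harmless when they stay inside the tree and an escape when they do not. The function names and the sample tree are constructed for this example.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return the relative paths (sorted) of every symlink below `root` whose
    target resolves to a location outside `root`.

    The walk never follows symlinked directories, so every parent directory
    inspected is a real directory inside the tree. Each link target is resolved
    relative to the directory the link lives in, the way the kernel resolves it,
    and the result is then compared against the tree root.
    """
    root = Path(root).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # os.readlink returns the raw target (absolute or relative); joining it
            # onto the link's directory and resolving also follows chains of links.
            target = (link.parent / os.readlink(link)).resolve(strict=False)
            try:
                target.relative_to(root)  # raises ValueError when outside root
            except ValueError:
                escaping.append(str(link.relative_to(root)))
    return sorted(escaping)


def build_demo_tree():
    """Create a constructed sample source tree (hypothetical layout, not taken
    from any real OBS package) and return its root directory."""
    base = Path(tempfile.mkdtemp(prefix="symlink-check-demo-"))
    src = base / "sources"
    (src / "sub").mkdir(parents=True)
    (src / "README").write_text("hello\n")
    os.symlink("README", src / "safe-link")              # stays inside
    os.symlink("../README", src / "sub" / "up-one")      # climbs, but still inside sources/
    os.symlink("../../outside", src / "sub" / "escape")  # resolves to base/outside: rejected
    os.symlink("/etc/hostname", src / "abs-link")        # absolute path outside: rejected
    return src


def demo():
    """Build the sample tree and return the links a worker should refuse."""
    return find_escaping_symlinks(build_demo_tree())


if __name__ == "__main__":
    for bad in demo():
        print("refusing symlink that escapes the source tree:", bad)
```

Run the check on the copy of the sources the build will actually consume, after unpacking and before anything reads them, so that the tree inspected is the tree used; checking an earlier copy leaves a window in which the links can differ.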
Comment 3 Marcus Meissner 2017-03-21 09:58:47 UTC
Use CVE-2017-5188
Comment 5 Marcus Meissner 2018-03-01 13:23:45 UTC
hmm, perhaps more this one:

https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Comment 6 Adrian Schröter 2020-07-16 07:02:43 UTC
Fixed a long time ago.