Bugzilla – Bug 1171649
VUL-0: CVE-2020-8021: OBS: unauthorized read access to files where sourceaccess is disabled via a crafted _service file
Last modified: 2020-10-01 12:12:00 UTC
[through an email]

Hi,

currently, it is possible for an unprivileged user to access (read-only) the files of an OBS package where the sourceaccess/access is disabled in the meta. The exploit is documented in the attached mergeservice_exploit.txt file. I also attached a potential patch (see the 0001-backend-bs_srcserver-Forbid-the-creation-of-a-_link-.patch file).

md5sum of the attached files:
7d6787b7d854381da5d672fb29163c14  mergeservice_exploit.txt
9b7d3878d70acef3bf7f2cbfb0565bbc  0001-backend-bs_srcserver-Forbid-the-creation-of-a-_link-.patch
The reporter was actually Marcus Hüwe <suse-tux@gmx.de>
I don't think this is actually news. In the OBS server side review I found different ways to get around this restriction. See bug 1085033 comment 27 section "sourceaccess disabled".
(In reply to Matthias Gerstner from comment #4)
> I don't think this is actually news. In the OBS server side review I found
> different ways to get around this restriction. See bug 1085033 comment 27
> section "sourceaccess disabled".

Ah ok - I'm not authorized to access that bug... Without knowing the details, a most likely "naive" question: if the issue is known, why don't we fix it?
We will fix it, and I actually see no reference to mergeservice in the mentioned bug report.
Just to be clear, this issue had no CVE yet? And is it confirmed to be a valid security issue? Then we would assign a CVE.
Yes, it is valid and has no CVE yet.
Please use CVE-2020-8021.
Making public to allow for publishing of CVE
Hello, Any ETA on this? Is there a fix out? If so, could you point me to the fixing commit? :) Thanks!
(In reply to Utkarsh Gupta from comment #12)
> Any ETA on this? Is there a fix out?
> If so, could you point me to the fixing commit? :)

It is fixed in commit 7323c904f86ba9e04065c23422d06c03647589fb ("bs_srcserver: Forbid the creation of a _link in mergeservicerun") (see [1]).

[1] https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb