Bugzilla – Bug 679325
VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution
Last modified: 2017-08-02 15:58:24 UTC
Adrian, as discussed last week the service code contains various remote code execution vulnerabilities which allow attackers to execute arbitrary code on build systems with nobody privileges.
Ludwig suggested to open a bug for the issue in order to keep it tracked.
Add the following service to your project to get access to a machine w/ internet connectivity:
<param name="path">$(uname -a; exit 0)</param>
<param name="file">$(uname -a)</param>
The first script I found this issue in is fixed now (sr 64070).
But the other services, especially those with a network connection, carry a higher risk.
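An added illustration, not code from the OBS project or from this bug report, of why a `$(...)` payload in a `<param>` value is dangerous: a wrapper that splices the value into a shell command string lets the shell perform command substitution on attacker text, while a wrapper that passes the value as its own argument does not. The two wrapper functions, the allowlist check and the payload below are constructed for this example; the real lxc wrapper script is not shown on this page.

```sh
#!/bin/sh
# Added example (not the OBS code). Shows how a service <param> value ends up
# executed when a wrapper builds a command line by string interpolation.

# Constructed attacker-controlled parameter, same shape as the $(uname -a)
# payload in the report. A fixed marker is used so the output is deterministic.
PAYLOAD='$(echo INJECTED)'

# Hypothetical vulnerable wrapper: the parameter is spliced into a command
# string which is then handed to a shell. The inner shell re-parses the text
# and runs the $(...) command substitution.
run_vuln() {
    param=$1
    cmd="echo path=$param"
    sh -c "$cmd"
}

# Hypothetical hardened wrapper: the parameter travels as a separate argv
# element ($1 inside the child shell). It is never re-parsed, so "$(...)"
# stays a literal string.
run_safe() {
    param=$1
    sh -c 'printf "path=%s\n" "$1"' sh "$param"
}

# Defense in depth: allowlist the characters a path-like parameter may
# contain before it gets anywhere near a command line. Returns 0 if clean,
# 1 if the value contains anything outside the allowlist.
is_clean_param() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_./-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration.
printf 'vulnerable wrapper: %s\n' "$(run_vuln "$PAYLOAD")"
printf 'hardened wrapper:   %s\n' "$(run_safe "$PAYLOAD")"
if is_clean_param "$PAYLOAD"; then
    echo "allowlist: payload accepted (unexpected)"
else
    echo "allowlist: payload rejected"
fi
```

Running the block prints `path=INJECTED` for the vulnerable wrapper and the literal `path=$(echo INJECTED)` for the hardened one; the allowlist rejects the payload outright. The argv-passing pattern (`sh -c '...' sh "$param"`) is the fix that matters; the allowlist only limits the blast radius if some other code path still interpolates.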
This was only possible when using the "experimental lxc wrapper for additional security ;)". This is fixed now. I will include the fix in the next 2.1 release, but I have some serious doubts that anyone else ever used the LXC wrapper (because it is quite tricky to get it working anyway).
Comment 2: The problem was not the particular service; it was buggy, but safe. The problem was the lxc wrapper script (only used on the server side so far).
main fix is in:
secondary fix in:
No official announcement on openbuildservice.org.