Bug 734003 - VUL-0: OBS information leak via unauthorized source access
VUL-0: OBS information leak via unauthorized source access
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Adrian Schröter
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2011-12-01 09:04 UTC by Ludwig Nussel
Modified: 2012-01-16 09:21 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-12-01 09:04:16 UTC

OBS < 2.1.15 and 2.3 allow attackers to get access to sources of packages if only some packages
in a project have the sourceaccess disabled.

 * construct a package link with a _link file refereing to another project
   but do not add a package target. 
 * call server side package copy to rename the package using the sourceaccess 
   protected package name of the foreign project.
Comment 1 Swamp Workflow Management 2011-12-01 23:00:16 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2011-12-06 11:03:23 UTC
is public, make bug also public.

can you specify some git urls that fix this issue for future reference too, adrian?
Comment 3 Adrian Schröter 2012-01-16 09:21:31 UTC
It got fixed in 2.1.16 with commit 614e7fba23c2007cd486cac624d47f18cc5a5533