Description
The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| open-build-service | fixed | 2.7.4-3 | | package |
| open-build-service | no-dsa | | stretch | package |
Notes
Fixed by: https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661 (2.7.x)
https://github.com/openSUSE/open-build-service/commit/8595d06570ded81d8514c8c5a147b250541bf388 (2.9.x)
A follow-up, https://bugzilla.suse.com/show_bug.cgi?id=1029824, shows
it might be wise to also disallow other file types (devices, sockets,
directories, symlinks, ...), which needs:
https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d