[DRE-maint] Bug#900133: open-build-service: CVE-2017-5188: worker VM escape via relative symbolic links
Salvatore Bonaccorso
carnil at debian.org
Sat May 26 15:54:03 BST 2018
Source: open-build-service
Version: 2.7.1-10
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for open-build-service.
CVE-2017-5188[0]:
| The bs_worker code in open build service before 20170320 followed
| relative symlinks, allowing reading of files outside of the package
| source directory during build, allowing leakage of private
| information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5188
[1] https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661
[2] https://bugzilla.suse.com/show_bug.cgi?id=1029824
[3] https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list