open-build-service: CVE-2017-5188: worker VM escape via relative symbolic links

Debian Bug report logs - #900133

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 26 May 2018 14:57:02 UTC

Severity: grave

Tags: security, upstream

Found in version open-build-service/2.7.1-10

Fixed in version open-build-service/2.7.4-3

Done: Andrew Lee (李健秋) <ajqlee@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#900133; Package src:open-build-service. (Sat, 26 May 2018 14:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 26 May 2018 14:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: open-build-service: CVE-2017-5188: worker VM escape via relative symbolic links
Date: Sat, 26 May 2018 16:54:03 +0200
Source: open-build-service
Version: 2.7.1-10
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for open-build-service.

CVE-2017-5188[0]:
| The bs_worker code in open build service before 20170320 followed
| relative symlinks, allowing reading of files outside of the package
| source directory during build, allowing leakage of private
| information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5188
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5188
[1] https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661
[2] https://bugzilla.suse.com/show_bug.cgi?id=1029824
[3] https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d

Regards,
Salvatore
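
The bug class in the CVE text above, as an added example (not code from open-build-service, from the upstream commits linked in [1] and [3], or from this bug report): a build worker that opens files from an uploaded package source directory with a plain open() will follow a relative symlink such as ../../secret and hand the contents of a file outside the source tree to the build, exactly the leak described for bs_worker. The hardened variant resolves the path with realpath() and refuses anything whose resolved target leaves the source root, while still accepting symlinks that stay inside the tree. The directory layout, file names and the functions resolves_inside / read_source_file / demo are all constructed for this demonstration and make no claim about how upstream implemented its fix.

```python
"""Relative-symlink escape from a build source directory, and a containment
check that stops it.  Added example modelled on the CVE-2017-5188 description;
it is not open-build-service code.  The layout and file names below are
constructed for the demonstration."""
import os
import tempfile


def resolves_inside(root, path):
    """True if `path`, with every symlink in it resolved, still lies under `root`.

    realpath() follows symlinks in every component, so a relative link such as
    ../../secret is resolved before the prefix comparison.  The os.sep suffix
    keeps /build/pkg from matching /build/pkg-other.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def read_source_file(root, name, harden=True):
    """Return the bytes of source file `name` inside package directory `root`.

    harden=False reproduces the vulnerable behaviour: open() follows whatever
    the name points at, so a symlink planted in the package source reads any
    file the worker user can read.  harden=True refuses names whose resolved
    target leaves `root`; symlinks that stay inside the tree are still allowed.
    """
    path = os.path.join(root, name)
    if harden and not resolves_inside(root, path):
        raise PermissionError(f"{name!r} resolves outside the source directory")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: a private file next to (not inside) the package
    source tree, and a package whose README is a relative symlink to it.

    Returns (leaked, blocked, internal_ok):
      leaked      - the unhardened read returned the private file's contents
      blocked     - the hardened read raised PermissionError for the escape
      internal_ok - the hardened read still accepts a symlink that stays inside
    """
    with tempfile.TemporaryDirectory() as base:
        # Something the worker can read but a package source must never see.
        secret = os.path.join(base, "worker-secret.txt")
        with open(secret, "wb") as f:
            f.write(b"CONSTRUCTED-SECRET: worker private data\n")

        # Package source tree two levels below `base`, as an attacker-controlled
        # upload would provide it.
        src = os.path.join(base, "pkg", "src")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "COPYING"), "wb") as f:
            f.write(b"license text\n")
        # Relative link escaping the tree: src/README -> ../../worker-secret.txt
        os.symlink(os.path.join("..", "..", "worker-secret.txt"),
                   os.path.join(src, "README"))
        # Relative link that stays inside the tree: src/LICENSE -> docs/COPYING
        os.symlink(os.path.join("docs", "COPYING"), os.path.join(src, "LICENSE"))

        leaked = read_source_file(src, "README", harden=False).startswith(
            b"CONSTRUCTED-SECRET")
        try:
            read_source_file(src, "README", harden=True)
            blocked = False
        except PermissionError:
            blocked = True
        internal_ok = read_source_file(src, "LICENSE", harden=True) == b"license text\n"
        return leaked, blocked, internal_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The check-then-open sequence is only safe if nothing can rewrite the tree between the two calls; for a source directory that stays writable by an untrusted party, open each component with O_NOFOLLOW (or copy the upload into a fresh tree with symlinks dropped) rather than relying on a realpath() prefix test alone.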



Reply sent to Andrew Lee (李健秋) <ajqlee@debian.org>: You have taken responsibility. (Tue, 09 Oct 2018 11:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 09 Oct 2018 11:51:08 GMT)


Message #10 received at 900133-close@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: 900133-close@bugs.debian.org
Subject: Bug#900133: fixed in open-build-service 2.7.4-3
Date: Tue, 09 Oct 2018 11:49:22 +0000
Source: open-build-service
Source-Version: 2.7.4-3

We believe that the bug you reported is fixed in the latest version of
open-build-service, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900133@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <ajqlee@debian.org> (supplier of updated open-build-service package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 13 Sep 2018 15:00:41 +0800
Source: open-build-service
Binary: obs-server obs-worker obs-api obs-productconverter obs-utils
Architecture: source
Version: 2.7.4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Andrew Lee (李健秋) <ajqlee@debian.org>
Description:
 obs-api    - Open Build Service (api)
 obs-productconverter - Open Build Service (product definition utility)
 obs-server - Open Build Service (server component)
 obs-utils  - Open Build Service (utilities)
 obs-worker - Open Build Service (build host component)
Closes: 872093 894778 900133
Changes:
 open-build-service (2.7.4-3) unstable; urgency=medium
 .
   [ Héctor Orón Martínez ]
   * Embed sanitize 4.0.0 ruby gem to fix breakage.
     - add obs-api runtime depends on ruby-nokogumbo and ruby-crass.
   * worker: document enable switch
   * worker: use /var/lib/obsworker as OBS_RUN_DIR
 .
   [ Andrew Lee (李健秋) ]
   * debian/gbp.conf: adjust gbp configuration file.
   * obs-worker: depends on fdisk | util-linux (<< 2.29.2-3~). (Closes:
     #872093)
   * CVE-2017-5188.patch: Apply upstream fixes for
     CVE-2017-5188. (Closes: #900133)
   * fix-kiwitree-symlink.patch: cherry-pick bad code fix from upstream.
   * Handle links properly when doing backend build operations.
   * Make passenger rubyapp run as obsapi user.
   * Update correct group permission for rb_sysopen.
 .
   [ Lucas Kanashiro ]
   * Remove patches related to ruby2.3.
   * Add patch to use ruby provided by the system instead of ruby2.3.
     (Closes: #894778)
 .
   [ Andrew Lee (李健秋) ]
   * Drop superseded dh-systemd with debhelper (>= 9.20160709).
   * Add missing fix-sphinx.patch into series file.
Checksums-Sha1:
 d36da6fae97a5a827d8e446c22c2064a5700894a 3299 open-build-service_2.7.4-3.dsc
 f7fe6d0ac00bb437173aa6320973d1e03d3579e6 216576 open-build-service_2.7.4-3.debian.tar.xz
 baa89cb6867b2662e4eeb8c6e6247b33158a6150 7720 open-build-service_2.7.4-3_source.buildinfo
Checksums-Sha256:
 8e715b37c1a450cd91ee927230460dc831618d6c6f21a7caac626bb4e2162c9c 3299 open-build-service_2.7.4-3.dsc
 f9b6e1a395a5f1026835a442c4d1c161dad888425a0c43a262cf13ed5efc2227 216576 open-build-service_2.7.4-3.debian.tar.xz
 35cbd85d8ef6b1b0a05db113c85e4f31c2b1211f8609456713fb7c2b553859df 7720 open-build-service_2.7.4-3_source.buildinfo
Files:
 8d8794b308f238cf6be0422cee43bc71 3299 devel optional open-build-service_2.7.4-3.dsc
 5bcb173824a95588a88f3c44684a5456 216576 devel optional open-build-service_2.7.4-3.debian.tar.xz
 6f503fa3fb2983d80443686350acd79f 7720 devel optional open-build-service_2.7.4-3_source.buildinfo





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:58 2019; Machine Name: buxtehude