|Description||The bs_worker code in open build service before 20170320 followed relative symlinks, allowing files outside of the package source directory to be read during a build and thereby leaking private information.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
[stretch] - open-build-service <no-dsa> (Minor issue)
Fixed by: https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661 (2.7.x)
A follow-up at https://bugzilla.suse.com/show_bug.cgi?id=1029824 shows
that it might be wise to disallow other file types as well (devices, sockets,
directories, symlinks, ...) and needs: