CVE-2017-5188

NameCVE-2017-5188
DescriptionThe bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs900133

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
open-build-service (PTS)stretch (security), stretch (lts), stretch2.7.1-10+deb9u1vulnerable
bookworm2.9.4-9fixed
sid, trixie2.9.4-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
open-build-servicesource(unstable)2.7.4-3low900133

Notes

[stretch] - open-build-service <no-dsa> (Minor issue)
Fixed by: https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661 (2.7.x)
https://github.com/openSUSE/open-build-service/commit/8595d06570ded81d8514c8c5a147b250541bf388 (2.9.x)
A followup https://bugzilla.suse.com/show_bug.cgi?id=1029824 shows
it might be wise to disallow as well other types (devices, sockets,
directories, symlinks, ...) and needs:
https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Search for package or bug name: Reporting problems