obs-server/0003-CVE-2020-8021.patch

From 7323c904f86ba9e04065c23422d06c03647589fb Mon Sep 17 00:00:00 2001
From: Marcus Huewe <suse-tux@gmx.de>
Date: Wed, 13 May 2020 22:08:16 +0200
Subject: [PATCH] bs_srcserver: Forbid the creation of a _link in
mergeservicerun
A _link file is not allowed because it can result in a potential
privilege escalation.
Conflict:NA
Reference:https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
Signed-off-by:Marcus Huewe <suse-tux@gmx.de>
---
src/backend/bs_srcserver | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/backend/bs_srcserver b/src/backend/bs_srcserver
index da3f3c3..07e411e 100755
--- a/src/backend/bs_srcserver
+++ b/src/backend/bs_srcserver
@@ -391,6 +391,7 @@ sub mergeservicerun {
delete $files->{'_service'};
for (sort keys %$files) {
next unless /^_service:.*:(.*?)$/s;
+ die("cannot create a link from a service") if $1 eq '_link';
$files->{$1} = $files->{$_};
delete $files->{$_};
BSSrcrep::copyonefile($projid, $packid, $1, $projid, $packid, $_, $files->{$1});
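Review bot: The new guard on the `die` line is an exact-match denylist for a single name, `_link`, so any other underscore-prefixed control file a service might emit still passes through to `$files->{$1}` and `BSSrcrep::copyonefile` unchanged; if other such names carry comparable semantics in this server (the commit message names only `_link`), the check may want to be an allow-list on the captured name rather than one string comparison, which should be confirmed against the rest of mergeservicerun. The line also carries no explanation of why this particular name is dangerous, so a later reader may be tempted to relax it; a short comment above it, `# refuse a service-generated _link: it can lead to privilege escalation (CVE-2020-8021)`, would record the reason. As a point of style, the capture `$1` is now read on three consecutive lines; binding it once, `my $target = $1;`, and using `$target` in the die, the assignment and the copyonefile call would make the guard easier to read and keep it robust if another regex is ever inserted between them. The enclosing sub mergeservicerun begins before and ends after this hunk.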
--
2.23.0