Open Build Service source server symlink exploitation via source patch
Description
In Open Build Service 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8, the source service patch application could generate non-standard files such as symlinks or device nodes, which could allow build service users to break out of confinement or mount denial of service attacks against the source service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OBS source service patch application allows symlinks or device nodes, enabling confinement break or denial of service.
Vulnerability
The Open Build Service (OBS) versions 2.4 before 2.4.8, 2.5 before 2.5.7, and 2.6 before 2.6.3 allow the source service patch application to generate non-standard files such as symlinks or device nodes. The vulnerability exists within the applylink subroutine in the backend (bs_srcserver) code. Patches applied via _link files could create special file types, leading to the bypass of security checks intended to restrict modifications to the source repository. [1][2]
Exploitation
An attacker with a user account and the ability to create packages (e.g., in a home project) can craft a malicious _link file that references another package and carries a patch. If that patch creates symlinks or device nodes instead of regular files, the source server ends up writing to or reading from paths outside the intended package directory. Two variants are described: to modify a file in a package the attacker cannot write to, the attacker must know or guess the MD5 hash of the target file; to plant a symlink in the temporary directory, the attacker must win a race against a temporary directory whose name contains the process ID, guessing that PID. Provoking errors leaks the temporary directory path (including the PID), which narrows the range to guess. Some of the affected paths are only reachable when the "nosharedtrees" setting is 0. [1]
Impact
Successful exploitation allows an authenticated OBS user to: (a) modify arbitrary files in the source server's source repository, potentially injecting malicious code into packages they do not own, and (b) retrieve files from packages with disabled source access, bypassing access controls. Creating device nodes or other non-regular files in the source tree can also disrupt the source service, i.e. a denial of service. The attacker does not gain direct root access to the server, but compromised package integrity affects every downstream consumer of the affected packages. [1]
Mitigation
The fix was implemented in commit 474a3db19498765f0118ba3dbc0b1cc90b0097fc, which adds sanity checks after patch application in the backend. The patched versions are OBS 2.4.8, 2.5.7, and 2.6.3, released on or around August 2015 [2]. Users must upgrade to these versions or later. No workaround is available. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
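The fix described above is a post-application sanity check: after the patch has been applied into a temporary tree, the tree is scanned and rejected if it contains anything other than regular files and directories. The following is an added illustration of that check, written in Python rather than the Perl of the OBS backend; it is not the project's code, and the function names, the constructed fixture tree and the "/etc/passwd" link target are assumptions for the demo. It uses lstat so that a symlink is inspected as a link rather than dereferenced, and it walks without following links so a symlinked directory cannot pull outside content into the scan.

```python
import os
import stat
import tempfile

# Entry kinds that must never appear in a patched source tree. Only regular
# files and directories are acceptable; everything else is rejected before
# the tree would be committed. (Assumed policy for this example.)
_SPECIAL = {
    stat.S_IFLNK: "symlink",
    stat.S_IFCHR: "chardev",
    stat.S_IFBLK: "blockdev",
    stat.S_IFIFO: "fifo",
    stat.S_IFSOCK: "socket",
}


def find_nonstandard_entries(root):
    """Walk `root` without following symlinks; return sorted (relpath, kind)
    for every entry that is not a regular file or a directory."""
    bad = []
    stack = [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as it:
            for entry in it:
                st = os.lstat(entry.path)  # lstat: never dereference a link
                fmt = stat.S_IFMT(st.st_mode)
                rel = os.path.relpath(entry.path, root)
                if fmt == stat.S_IFDIR:
                    stack.append(entry.path)  # real directory: descend
                elif fmt == stat.S_IFREG:
                    continue  # regular file: fine
                else:
                    bad.append((rel, _SPECIAL.get(fmt, "unknown")))
    return sorted(bad)


def check_patched_tree(root):
    """True if the tree may be committed. On False the caller must discard
    the temporary tree instead of trying to repair it."""
    return not find_nonstandard_entries(root)


def build_demo_tree(root, with_symlink):
    """Constructed fixture (not real OBS data): two regular files and, if
    requested, a symlink such as a git-style patch with 'new file mode
    120000' can introduce. The target lies outside the package directory."""
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "pkg.spec"), "w") as f:
        f.write("Name: demo\n")
    with open(os.path.join(root, "sub", "README"), "w") as f:
        f.write("hello\n")
    if with_symlink:
        os.symlink("/etc/passwd", os.path.join(root, "evil.patch"))


def demo(with_symlink=True):
    """Build the fixture in a scratch directory and return
    (offending entries, verdict of check_patched_tree)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, with_symlink)
        return find_nonstandard_entries(tmp), check_patched_tree(tmp)


if __name__ == "__main__":
    print(demo(True))   # ([('evil.patch', 'symlink')], False)
    print(demo(False))  # ([], True)
```

Rejecting every symlink, rather than checking where each one points, is the simpler and safer rule here: a link that points inside the tree today can be re-pointed by a later patch, and the server reads the tree through normal path resolution afterwards. Device nodes are covered by the same mode check even though the demo does not create any (mknod needs privileges the check itself should never run with).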
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Build Service, range: < 2.6.3, < 2.5.7, < 2.4.8
- SUSE / open build service, range: 2.6
References
- [1] bugzilla.suse.com/show_bug.cgi (x_refsource_CONFIRM, via MITRE)
- [2] github.com/openSUSE/open-build-service/commit/474a3db19498765f0118ba3dbc0b1cc90b0097fc (x_refsource_CONFIRM, via MITRE)