openbuildservice allowed deleting packages via project links
Description
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users could delete packages in projects linked to a target by abusing a permission check bypass in openSUSE Build Service.
Vulnerability
In openSUSE openbuildservice (OBS) before version 9.2.4, a vulnerability existed in the check_action_permission! method of BsRequestAction. When handling package delete requests, the code followed project links to verify the user's permissions against the source package. This allowed authenticated users to bypass the intended permission check by targeting a project link, enabling deletion of packages in projects to which they did not have direct delete rights. The affected versions are all OBS releases prior to 9.2.4 [1][2].
Exploitation
An attacker needs only an ordinary authenticated account on the OBS instance; no special network position or additional privileges are required. The attacker creates a delete request targeting a package in a project that carries a project link to a project where they have at least read access. The flawed permission check follows the link and grants delete rights based on the user's permissions on the linked project rather than on the target project itself [1][2].
Impact
Successful exploitation allows an authenticated attacker to delete packages in projects for which they do not hold delete permission, provided those projects have project links to a project the attacker can modify. The result is unauthorized data loss and disruption of service, affecting the availability of the deleted packages [1][2].
Mitigation
The vulnerability was fixed in openSUSE openbuildservice version 9.2.4, released on 2018-07-26. The fix, implemented in commit f57b660f49f830006766a8d4abc3b4af6e178063, modifies the check_action_permission! method to ignore project links when checking permissions for package deletion requests, ensuring the target project's permissions are used instead [2]. Users are strongly advised to update to version 9.2.4 or later. No workarounds are documented [1].
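The following Ruby snippet is an added illustration, not code from the Open Build Service itself: it models the difference between a delete-permission check that resolves project links before authorising and one that authorises against the target project only. All class and method names (`Project`, `Permissions`, `can_delete_flawed?`, `can_delete_fixed?`, `resolve_links`) and the sample projects are hypothetical; they stand in for OBS internals whose exact shape this page does not show.

```ruby
# Added example, not OBS code. Minimal model of a package-delete permission
# check. Project links are modelled as a single optional link per project.
Project = Struct.new(:name, :link_to, :maintainers)

class Permissions
  MAX_LINK_DEPTH = 10

  def initialize(projects)
    @projects = projects.each_with_object({}) { |p, h| h[p.name] = p }
  end

  # Flawed variant (hypothetical): the target project's link chain is
  # resolved first, so rights on the linked project are what get checked.
  def can_delete_flawed?(user, project_name)
    resolve_links(project_name).maintainers.include?(user)
  end

  # Corrected variant (hypothetical): project links are ignored; the user
  # must be a maintainer of the target project itself.
  def can_delete_fixed?(user, project_name)
    @projects.fetch(project_name).maintainers.include?(user)
  end

  private

  # Follow project links to their end, guarding against link loops.
  def resolve_links(name, depth = 0)
    raise "project link chain too deep at #{name}" if depth > MAX_LINK_DEPTH
    project = @projects.fetch(name)
    project.link_to ? resolve_links(project.link_to, depth + 1) : project
  end
end

# Constructed sample data: the target project "Distro:Main" is maintained
# by bob only, but links to "home:alice", which alice maintains.
DEMO = Permissions.new([
  Project.new("Distro:Main", "home:alice", ["bob"]),
  Project.new("home:alice", nil, ["alice"])
])

if __FILE__ == $PROGRAM_NAME
  puts "flawed: alice may delete in Distro:Main -> #{DEMO.can_delete_flawed?('alice', 'Distro:Main')}"
  puts "fixed:  alice may delete in Distro:Main -> #{DEMO.can_delete_fixed?('alice', 'Distro:Main')}"
  puts "fixed:  bob may delete in Distro:Main   -> #{DEMO.can_delete_fixed?('bob', 'Distro:Main')}"
end
```

Run with `ruby` to see that the flawed check lets alice delete in a project she does not maintain while the corrected check refuses her and still admits bob. The defensive rule the fix encodes is that link resolution is a lookup concern, not an authorisation concern: the principal's rights must be evaluated on the object the request actually names.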
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.2.4
- opensuse/openbuildservice (v5): Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/104958 (MITRE, vdb-entry, x_refsource_BID)
- bugzilla.suse.com/show_bug.cgi (MITRE, x_refsource_CONFIRM)
- github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.