VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2018 · Updated Sep 16, 2024

path traversal in obs-service-tar_scm

CVE-2018-12473

Description

A path traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in obs-service-tar_scm allows remote attackers to access files outside the build directory, mitigated by KVM isolation on the server.

Vulnerability

A path traversal vulnerability exists in obs-service-tar_scm, a component of the Open Build Service (OBS) used to fetch source code from SCM systems and create tar archives. The flaw allows an attacker to craft a malicious tar archive containing directory traversal sequences (e.g., ../) that, when extracted by the service, can access files outside the intended build directory. Affected versions are those prior to commit 70d1aa4cc4d7b940180553a63805c22fc62e2cf0 [1][2].

Exploitation

An attacker with the ability to supply a malicious SCM repository or tar archive to an OBS build worker can trigger the path traversal. The service does not properly sanitize file paths during extraction, allowing the attacker to specify paths that escape the build root. On the server itself, this exploitation is prevented by confining the worker via KVM, but within the build environment the attacker can cause the service to read or write files outside the current build context [1].

Impact

Successful exploitation allows an attacker to access files not intended for the current build, potentially leading to information disclosure or unauthorized file modification within the build worker's filesystem. The impact is limited by the KVM isolation on the OBS server, but build workers may be compromised, affecting the integrity of build outputs [1].

Mitigation

The vulnerability is fixed in commit 70d1aa4cc4d7b940180553a63805c22fc62e2cf0 [2]. Official updates have been released for SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (obs-service-tar_scm-0.10.5.1551309990.79898c7-3.3.1) and openSUSE Leap 15.0 (obs-service-tar_scm-0.10.5.1551309990.79898c7-lp150.2.3.1) [1]. Users should update to these or later versions. The existing KVM-based worker isolation on OBS servers provides a partial workaround by preventing direct server compromise [1].
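The check that an extraction step of the kind described above needs, as an added illustration (not code from obs-service-tar_scm or from the fix commit): every member's resolved destination, and the target of every link member, must stay under the extraction root, and the archive is rejected before anything is written if one does not. The sample archive is constructed in memory, and the destination path used in the assertions is a placeholder.

```python
import io
import os
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample: one benign member, one '../' member, one symlink
    whose target lies outside the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("pkg/README", b"benign\n"), ("../escape.txt", b"outside\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="pkg/passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def inside_root(root: str, path: str) -> bool:
    # Resolve both sides to absolute, symlink-free paths so "..", "./" and
    # symlinked prefixes cannot fool the comparison.
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names of members that would be written, or would link, outside dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not inside_root(dest, target):
                bad.append(m.name)  # e.g. "../escape.txt" or an absolute name
            elif m.issym() and not inside_root(dest, os.path.join(os.path.dirname(target), m.linkname)):
                bad.append(m.name)  # symlink pointing outside the root
            elif m.islnk() and not inside_root(dest, os.path.join(dest, m.linkname)):
                bad.append(m.name)  # hard link to a file outside the root
    return bad

def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; returns member names."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal in members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]
```

The check runs over the member list before `extractall`, so a rejected archive never touches the filesystem.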

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)