Crafted service parameters allow inducing unexpected behaviour in obs-service-tar_scm
Description
Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to access and extract information outside the current build, or to cause the creation of files in attacker-controlled locations. Affected releases are openSUSE Open Build Service: versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in obs-service-tar_scm of Open Build Service allows attackers to access files outside the build directory or create files in attacker-controlled locations.
Vulnerability
The vulnerability resides in the obs-service-tar_scm component of the openSUSE Open Build Service (OBS) prior to commit 51a17c553b6ae2598820b7a90fd0c11502a49106. Improper input validation allows attackers to manipulate service parameters, such as filename, extension, and extract, to escape the intended build directory. Versions before this fix are affected. [1]
Exploitation
An attacker can exploit this by crafting a _service file with malicious parameters. For example, setting the filename parameter to /tmp/somepkg and the extension parameter to txt results in file creation at the attacker-specified absolute path /tmp/somepkg.txt. Additionally, using the extract parameter with a symlink pointing to an arbitrary file (e.g., /etc/passwd) can lead to extraction of that file into the output. The attacker needs the ability to submit or modify service files in an OBS project, typically via the standard project submission process. [1]
Impact
Successful exploitation allows an attacker to read sensitive information from outside the current build source tree (information disclosure) or create files in attacker-controlled locations on the server filesystem. This can lead to unauthorized access to system files or denial of service through file creation in critical directories. [1]
Mitigation
The vulnerability is fixed by updating obs-service-tar_scm to a version containing commit 51a17c553b6ae2598820b7a90fd0c11502a49106, available since October 2018. Users should upgrade their OBS installation and ensure the service package is up-to-date. No workarounds are documented for older versions. References suggest that restricting service credentials and validating inputs can reduce risk. [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
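The two parameter checks the narrative above describes (no path components in filename or extension, and no extract entry whose real target leaves the checkout), as an added example that is not code from obs-service-tar_scm, from the fixing commit or from the CVE record. The function names safe_output_name and safe_extract_path, the error type and the temporary checkout built by demo() are assumptions made for this illustration; the symlink target is a constructed file standing in for /etc/passwd so the demo runs offline without touching system files.

```python
import os
import shutil
import tempfile


class ServiceParamError(ValueError):
    """Raised when a service parameter would reach outside the build area."""


def safe_output_name(filename, extension):
    """Return '<filename>.<extension>' only if neither parameter can steer the
    output away from the service's own output directory.

    Rejects empty values, absolute paths, path separators, NUL bytes and the
    '.'/'..' components, so filename='/tmp/somepkg' plus extension='txt' is
    refused instead of producing /tmp/somepkg.txt.
    """
    for name, value in (("filename", filename), ("extension", extension)):
        if not value:
            raise ServiceParamError("%s must not be empty" % name)
        if os.path.isabs(value) or "/" in value or "\\" in value or "\0" in value:
            raise ServiceParamError("%s must not contain path separators: %r" % (name, value))
        if value in (".", ".."):
            raise ServiceParamError("%s must not be '.' or '..'" % name)
    return "%s.%s" % (filename, extension)


def safe_extract_path(checkout_dir, extract):
    """Resolve an 'extract' entry relative to the checkout and return its real
    path, refusing anything whose final target lies outside the checkout.

    os.path.realpath follows symlinks and collapses '..', so a symlink inside
    the checkout that points at a file elsewhere resolves to that outside
    path and fails the prefix check below.
    """
    root = os.path.realpath(checkout_dir)
    if not extract or os.path.isabs(extract) or "\0" in extract:
        raise ServiceParamError("extract must be a non-empty relative path: %r" % (extract,))
    real = os.path.realpath(os.path.join(root, extract))
    if real != root and not real.startswith(root + os.sep):
        raise ServiceParamError("extract escapes the checkout: %r -> %s" % (extract, real))
    if not os.path.isfile(real):
        raise ServiceParamError("extract target is not a regular file: %r" % (extract,))
    return real


def _verdict(func, *args):
    """'accepted' if func(*args) returns, 'rejected' if it raises ServiceParamError."""
    try:
        func(*args)
        return "accepted"
    except ServiceParamError:
        return "rejected"


def demo():
    """Constructed scenario (assumption, not a real OBS checkout): a throwaway
    checkout holding one honest file and one symlink pointing outside it.
    Returns which parameter sets the validators accept."""
    base = tempfile.mkdtemp(prefix="tar_scm_demo_")
    try:
        checkout = os.path.join(base, "checkout")
        os.mkdir(checkout)
        with open(os.path.join(checkout, "CHANGES"), "w") as fh:
            fh.write("constructed sample changelog\n")
        outside = os.path.join(base, "outside.txt")  # stands in for /etc/passwd
        with open(outside, "w") as fh:
            fh.write("constructed file that must stay unreadable\n")
        os.symlink(outside, os.path.join(checkout, "link"))

        results = {"ok_name": safe_output_name("somepkg", "txt")}
        results["abs_name"] = _verdict(safe_output_name, "/tmp/somepkg", "txt")
        results["ok_extract"] = os.path.basename(safe_extract_path(checkout, "CHANGES"))
        results["symlink_extract"] = _verdict(safe_extract_path, checkout, "link")
        results["dotdot_extract"] = _verdict(safe_extract_path, checkout, "../outside.txt")
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-16s %s" % (key, value))
```

The prefix check compares realpath results on both sides, so a checkout that itself sits under a symlinked directory (a common layout for /tmp on some systems) is still handled consistently; checking the raw joined string instead of its real path would let the symlink case through.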
Affected products
- Range: < 51a17c553b6ae2598820b7a90fd0c11502a49106
- OSV coordinates (3 versions):
  - pkg:rpm/opensuse/obs-service-tar_scm&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 0.10.5.1551309990.79898c7-lp150.2.3.1
  - pkg:rpm/opensuse/obs-service-tar_scm&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.10.28.1632141620.a8837d3-1.1
  - pkg:rpm/suse/obs-service-tar_scm&distro=SUSE%20Package%20Hub%2015 (no CPE), range: < 0.10.5.1551309990.79898c7-bp150.3.3.1
- openSUSE/Open Build Service v5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.suse.com/show_bug.cgi (MITRE: x_refsource_CONFIRM)
- github.com/openSUSE/obs-service-tar_scm/pull/254 (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.