obs-service-extract_file's outfilename parameter allows writing files outside of the package directory
Description
Relative Path Traversal vulnerability in obs-service-tar_scm of SUSE Linux Enterprise Server 15 and openSUSE Factory allows remote attackers with control over a repository to overwrite files on the machine of the local user if a malicious service is executed. This issue affects: SUSE Linux Enterprise Server 15 obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74; openSUSE Factory obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Relative path traversal in obs-service-tar_scm allows remote attackers controlling a repository to overwrite arbitrary files on the victim's system.
Vulnerability
A relative path traversal vulnerability exists in obs-service-tar_scm, a source service for the Open Build Service. The service fails to sanitize the outfilename parameter, allowing extracted files to be written to arbitrary locations outside the package directory via absolute or relative paths like ../somewhere. This affects SUSE Linux Enterprise Server 15 and openSUSE Factory versions prior to 0.9.2.1537788075.fefaa74 [1].
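The confinement check the paragraph above describes, as an added illustration that is not code from obs-service-tar_scm or from the SUSE fix: a naive join of the outfilename parameter onto the package directory, beside a hardened resolver that refuses any destination outside it. The function names, the package directory /srv/pkg and the sample outfilename values are assumptions constructed for this example.

```python
import os
from pathlib import Path


def naive_outfile(package_dir: str, outfilename: str) -> str:
    """The unsafe pattern the advisory describes: the parameter is joined onto
    the package directory with no confinement check. os.path.join silently
    discards package_dir when outfilename is absolute, and '..' components
    walk out of it."""
    return os.path.join(package_dir, outfilename)


def resolve_outfile(package_dir: str, outfilename: str) -> Path:
    """Hardened variant (hypothetical helper, not the project's own code):
    return the absolute destination for outfilename, or raise ValueError if
    it would land outside package_dir."""
    base = Path(package_dir).resolve()
    # Path's "/" also replaces the base when the right side is absolute, so
    # the containment check below is what actually enforces confinement.
    # resolve() collapses '..' and follows existing symlinks, so a symlink
    # planted inside the package dir that points elsewhere is caught too.
    candidate = (base / outfilename).resolve()
    if candidate == base:
        raise ValueError("outfilename must name a file, not the package directory")
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"refusing to write outside {base}: {outfilename!r}") from None
    return candidate


def is_safe_outfilename(package_dir: str, outfilename: str) -> bool:
    """Boolean form of resolve_outfile for callers that only need a verdict."""
    try:
        resolve_outfile(package_dir, outfilename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: benign names plus the traversal shapes the
    # advisory mentions (a relative '..' path and an absolute path).
    samples = ["output.tar", "sub/output.tar",
               "../../home/user/.bashrc", "/tmp/outside.tar", ""]
    for name in samples:
        print(f"{name!r:28} naive -> {naive_outfile('/srv/pkg', name):40} "
              f"safe={is_safe_outfilename('/srv/pkg', name)}")
```

The important design point is that the check runs on the fully resolved path and compares it against the resolved base, rather than inspecting the string for "..": string checks miss absolute paths, symlinks and normalisation quirks, while a resolve-then-contain test covers all three.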
Exploitation
An attacker with control over a repository can craft a malicious tarball that, when processed by the service, writes files to arbitrary paths on the local machine. For instance, a file could be written to /home/$TARGET_USER/.bashrc, or symlinks could be placed to prepare further attacks. The attacker does not need authentication if the victim triggers the malicious service [1].
Impact
Successful exploitation allows arbitrary file write, potentially leading to code execution or privilege escalation. By writing to a user's .bashrc or other startup scripts, the attacker can execute arbitrary commands. The impact is primarily client-side but could extend to the server side with sufficient effort [1].
Mitigation
The vulnerability is fixed in obs-service-tar_scm version 0.10.5.1551309990.79898c7-3.3.1, released as part of SUSE-SU-2019:0540-1 on March 4, 2019 [1]. Users should update to this version or later. No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 0.9.2.1537788075.fefaa74
- OSV coordinates (3 versions):
  - pkg:rpm/opensuse/obs-service-tar_scm&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/obs-service-tar_scm&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/obs-service-tar_scm&distro=SUSE%20Package%20Hub%2015
  Range: < 0.10.5.1551309990.79898c7-lp150.2.3.1 (+ 2 more)
- (no CPE) range: < 0.10.5.1551309990.79898c7-lp150.2.3.1
- (no CPE) range: < 0.10.28.1632141620.a8837d3-1.1
- (no CPE) range: < 0.10.5.1551309990.79898c7-bp150.3.3.1
- openSUSE/Factory (v5) range: obs-service-tar_scm
- Range: obs-service-tar_scm
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] bugzilla.suse.com/show_bug.cgi (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.