obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories
Description
An Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches into deleting them. Affected releases are openSUSE Open Build Service versions prior to commit d6244245dda5367767efc989446fe4b5e4609cce.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
obs-service-refresh_patches in openSUSE Build Service before commit d6244245dda5 can be tricked into deleting arbitrary directories via a crafted package.
Vulnerability
CVE-2018-12477 is an improper neutralization of CRLF sequences in the obs-service-refresh_patches component of openSUSE Open Build Service. The service failed to properly sanitize file paths extracted from package archives, allowing an attacker to inject path traversal sequences such as '..'. This vulnerability affects all versions of Open Build Service prior to commit d6244245dda5367767efc989446fe4b5e4609cce [1].
Exploitation
An attacker must be able to provide a crafted package to an Open Build Service instance that uses the obs-service-refresh_patches service. By including specially crafted file names or patch references containing CRLF or path traversal sequences, the attacker can cause the service to delete directories outside of the intended working area. No authentication beyond the ability to submit a package is required, but successful exploitation depends on the service processing the malicious input [1].
Impact
Successful exploitation allows an attacker to delete arbitrary directories on the server where the Open Build Service runs. This can lead to denial of service by removing critical system or application directories, potentially affecting the integrity and availability of the build service and its hosted projects [1].
Mitigation
The vulnerability was fixed in the Open Build Service source repository by commit d6244245dda5367767efc989446fe4b5e4609cce. Users should update to a version that includes this commit or apply the patch manually. The official fix was published on 2018-10-09. No workaround is documented in the available references [1].
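The defect described above (a name taken from package metadata selecting a directory outside the service's working area, with '..' as the simplest case) is closed by validating such names before they are used in a deletion. The following is an added example of that kind of check; it is not code from Open Build Service or from the fixing commit, and its function names, directory layout and sample names are constructed for illustration.

```python
"""Defensive check for names taken from untrusted package metadata.

Added example, not code from Open Build Service or obs-service-refresh_patches.
It shows how a single path component is validated before it is used to
delete anything, so that '..', an absolute path, or a CRLF-injected name
cannot select a directory outside the working area.
"""
import os
import shutil
import tempfile

# Characters that must never appear in a path component taken from package
# metadata: line breaks (CRLF injection into line-oriented formats), NUL and
# both kinds of path separator.
_FORBIDDEN = {"\r", "\n", "\0", "/", "\\"}


def is_safe_component(name: str) -> bool:
    """True if `name` is a plain file name that stays inside its parent.

    Rejects empty names, '.' and '..', embedded separators, and any control
    character that could split or re-target the name when it is written to
    and later re-read from a line-oriented file.
    """
    if not name or name in (".", ".."):
        return False
    if any(ch in _FORBIDDEN for ch in name):
        return False
    # Any other control character (tab, escape, DEL, ...) is refused as well.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return False
    return True


def resolve_inside(base: str, name: str) -> str:
    """Return base/name if its real location is inside `base`, else raise.

    The realpath containment check is the second line of defence: even a
    name that passes the component check (for example a symlink left in the
    working area) is refused when it resolves outside `base`.
    """
    if not is_safe_component(name):
        raise ValueError(f"unsafe name: {name!r}")
    real_base = os.path.realpath(base)
    candidate = os.path.join(real_base, name)
    target = os.path.realpath(candidate)
    if target == real_base or os.path.commonpath([real_base, target]) != real_base:
        raise ValueError(f"path escapes working area: {name!r}")
    return candidate


def remove_entry(base: str, name: str) -> bool:
    """Delete base/name only after it has been validated.

    Returns True when the entry was removed and False when the name was
    refused, so a crafted name costs only its own entry, never the run.
    """
    try:
        path = resolve_inside(base, name)
    except ValueError:
        return False
    if os.path.islink(path):
        os.unlink(path)          # remove the link itself, never its target
    elif os.path.isdir(path):
        shutil.rmtree(path)
    elif os.path.lexists(path):
        os.remove(path)
    return True


def demo() -> dict:
    """Run the check against constructed names in a throwaway directory tree."""
    work = tempfile.mkdtemp()      # constructed working area
    outside = tempfile.mkdtemp()   # stands in for an unrelated directory
    try:
        os.mkdir(os.path.join(work, "old-fix.patch.d"))
        os.symlink(outside, os.path.join(work, "link-out"))
        names = ["old-fix.patch.d", "..", "../x", "a\r\n..", "/etc", "link-out"]
        results = {n: remove_entry(work, n) for n in names}
        results["outside_survives"] = os.path.isdir(outside)
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Only the constructed legitimate entry is removed; '..', the separator-bearing names, the CRLF-bearing name and the symlink that resolves outside the working area are all refused, and the unrelated directory survives. Refusing every control character rather than only CR and LF is deliberate: the cheapest rule to audit is "a component is exactly a plain file name", and the realpath check catches whatever that rule misses.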
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < d6244245dda5367767efc989446fe4b5e4609cce
- osv-coords Range: < 0.3.9+git.1625238904.d59f20e-1.2
- openSUSE/Open Build Service v5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] bugzilla.suse.com/show_bug.cgi (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.