obs-service-go_modules: arbitrary directory delete
Description
Improper handling of exceptional conditions in obs-service-go_modules allows attackers to delete arbitrary files/directories via crafted archive and arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper handling of exceptional conditions vulnerability exists in obs-service-go_modules of openSUSE Factory, affecting versions prior to 0.6.1. The script uses user-controlled command-line arguments outdir and basename without sanitization to construct a path for deletion via shutil.rmtree(). Additionally, if extraction of the provided archive fails (e.g., because it is not a valid archive), the program does not exit and continues to execute the cleanup step, allowing an attacker to trigger deletion of an arbitrary directory by controlling both the archive and the arguments [1].
Exploitation
An attacker who can influence the call to the service (e.g., by submitting a crafted package) can set outdir and basename to point to any directory on the victim's system. By providing a non-archive file that causes libarchive.extract_file() to raise an ArchiveError, the script logs the error but does not exit, then proceeds to delete the directory specified by os.path.join(outdir, basename). No authentication or special privileges beyond the ability to invoke the service are required [1].
Impact
Successful exploitation allows an attacker to delete arbitrary files and directories on the victim's system, potentially leading to denial of service, data loss, or system instability. The attacker gains no code execution or privilege escalation, but the impact can be severe depending on the targeted files [1].
Mitigation
The vulnerability is fixed in obs-service-go_modules version 0.6.1. Users should upgrade to this version or later. No workaround is available for earlier versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.6.1
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper handling of exceptional conditions in the extraction process allows for arbitrary file and directory deletion."
Attack vector
An attacker can influence the call to the obs-service-go_modules service by providing a specially crafted archive. If the service encounters an error during the extraction process, such as failing to open a file, it may proceed to delete files and directories on the victim's system. The advisory notes that if the script is "badly or maliciously used with (even without) privileges, this can lead to severe issues" [ref_id=1].
Affected code
The vulnerability resides within the obs-service-go_modules service, specifically in the `extract` function. The advisory points to the `outdir` parameter and the subsequent `to_remove = os.path.join(outdir, basename)` call as problematic areas within the extraction logic [ref_id=1].
What the fix does
The recommended fix involves removing the `outdir` parameter from the `extract` function. This change prevents users from specifying an arbitrary extraction directory, thereby eliminating the call to `os.path.join(outdir, basename)` that could lead to unintended deletions. The advisory suggests that extracting archives and creating the vendor directory within the archive's own directory is a safer approach, combined with stopping execution as soon as decompression fails [ref_id=1].
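As an added illustration (not the project's own code), the pre-fix and post-fix patterns described in the Vulnerability and fix sections above, side by side. It uses the standard library `tarfile` as a stand-in for `libarchive.extract_file()` and assumes a `name.tar.*` archive naming convention; `demo()` runs both variants against a constructed non-archive file inside a temporary directory:

```python
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

def extract_vulnerable(archive: str, outdir: str, basename: str) -> bool:
    """Pre-0.6.1 pattern per the advisory: a failed extraction is only logged, then cleanup runs."""
    try:
        with tarfile.open(archive) as tf:  # stand-in for libarchive.extract_file
            tf.extractall(outdir)
    except (tarfile.ReadError, OSError) as exc:
        print(f"extract failed, continuing anyway: {exc}")  # logged, but no exit
    to_remove = os.path.join(outdir, basename)  # both parts come from the caller
    shutil.rmtree(to_remove, ignore_errors=True)
    return not os.path.exists(to_remove)  # True when the named directory is gone

def extract_fixed(archive: str) -> Path:
    """Fixed pattern: no outdir argument, work beside the archive, abort on decompression failure."""
    archive_path = Path(archive).resolve()
    workdir = archive_path.parent
    basename = archive_path.name.split(".tar")[0]  # 'pkg-1.0.tar.gz' -> 'pkg-1.0' (assumed naming)
    try:
        with tarfile.open(archive_path) as tf:
            tf.extractall(workdir)
    except (tarfile.ReadError, OSError) as exc:
        raise RuntimeError(f"cannot extract {archive_path.name}: {exc}") from exc  # stop here
    to_remove = (workdir / basename).resolve()
    if workdir not in to_remove.parents:  # never remove workdir itself or anything above it
        raise RuntimeError(f"refusing to remove {to_remove}")
    shutil.rmtree(to_remove, ignore_errors=True)  # only the extracted source tree
    return to_remove

def demo() -> tuple:
    """Constructed scenario in a temp dir: a non-archive file and a directory named via outdir/basename."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "important"
        victim.mkdir()
        bogus = Path(tmp) / "not-an-archive.tar.gz"
        bogus.write_text("this is not a tar file")
        try:
            extract_fixed(str(bogus))
            fixed_raised = False
        except RuntimeError:
            fixed_raised = True
        fixed_kept_dir = victim.is_dir()
        vuln_deleted_dir = extract_vulnerable(str(bogus), tmp, "important")
    return fixed_raised, fixed_kept_dir, vuln_deleted_dir
```

`demo()` returns `(True, True, True)`: the fixed variant aborts and leaves the directory in place, while the vulnerable variant removes it even though nothing was extracted.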
Preconditions
- The attacker must be able to influence the call to the obs-service-go_modules service.
- The attacker must provide a specially crafted archive that triggers an error during the extraction process.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.