Pagure, OBS Flaws Risk Fedora, OpenSUSE Repos

Security researchers from Fenrisk have disclosed vulnerabilities in Pagure and OBS (Open Build Service) that allow attackers to compromise the build infrastructure behind the Fedora and openSUSE distributions. The researchers demonstrated an attack that executes arbitrary code on servers running Pagure and OBS, which could then be used to alter packages in the Fedora and openSUSE repositories.

Within the Pagure platform, which Fedora uses for collaborative code development and for package metadata, 4 vulnerabilities were identified. Exploiting them requires an account on the Pagure service, which anyone can register (it currently has 24,899 users). Three of the vulnerabilities allow reading files on the system, and one allows executing code on the server. They were discovered on January 1, 2024, reported via Bugzilla.redhat.com on April 25, 2024, and fixed in Pagure within 3 hours.

  • Vulnerabilities CVE-2024-4981 and CVE-2024-47515 stem from incorrect handling of symbolic links in the file-update and archive-generation functions. They allow the contents of local files on the server to be read, including sensitive data such as the Pagure administrator's session file, which could be used to gain elevated privileges. Exploiting the vulnerability in the _update_file_in_git() function involves creating a repository in Pagure and adding a file symlinked to a desired
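The defensive counterpart to the symlink-handling flaw described above is a path resolver that refuses to follow any link when a server-side operation touches a file inside a repository checkout. The following is an added example written for this article, not Pagure's own code; `resolve_inside_repo` and `UnsafePathError` are hypothetical names, and `demo()` builds a constructed checkout in a temporary directory with one link pointing outside it.

```python
import os
import tempfile


class UnsafePathError(Exception):
    """Raised when a requested path would escape the repository checkout."""


def resolve_inside_repo(repo_root, rel_path):
    """Return the absolute path for rel_path inside repo_root, or raise.

    Refuses absolute paths, '..' components and any path component that is a
    symbolic link, so a link planted in the repository cannot redirect a file
    update or an archive read to a file outside the checkout. Hypothetical
    helper, not Pagure's implementation.
    """
    root = os.path.realpath(repo_root)
    if os.path.isabs(rel_path):
        raise UnsafePathError("absolute paths are not allowed")
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafePathError("parent-directory components are not allowed")
    current = root
    for part in parts:
        current = os.path.join(current, part)
        # islink() uses lstat(), so a symlink component is detected even
        # when its target lies inside the repository or does not exist.
        if os.path.islink(current):
            raise UnsafePathError("symbolic link in path: %s" % current)
    # Final containment check against the canonical root.
    if os.path.commonpath([root, os.path.realpath(current)]) != root:
        raise UnsafePathError("path escapes repository root")
    return current


def demo():
    """Constructed scenario: a link inside the checkout points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, "docs"))
        secret = os.path.join(tmp, "secret.txt")  # file outside the checkout
        with open(secret, "w") as fh:
            fh.write("server-local data\n")
        os.symlink(secret, os.path.join(repo, "docs", "README"))
        results = {}
        for rel in ("docs/README", "../secret.txt", "docs/new.txt"):
            try:
                resolve_inside_repo(repo, rel)
                results[rel] = "allowed"
            except UnsafePathError:
                results[rel] = "refused"
        return results
```

Only the ordinary in-tree path is accepted; the planted link and the parent-directory escape are both refused before any read or write happens.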