CVE-2017-5188.patch

Author: Michael Schroeder <mls@suse.de>
Date:   Mon Mar 20 10:28:41 2017 +0100

    [backend] ignore symlinks in build result

Origin: upstream, https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661
Bug: https://bugzilla.suse.com/show_bug.cgi?id=1029824
Bug-Debian: https://bugs.debian.org/900133
--- a/src/backend/bs_worker
+++ b/src/backend/bs_worker
@@ -3394,7 +3394,7 @@ if ($ex == 0) {
       undef $kiwitree unless @$kiwitree;
       undef $kiwitree if defined($BSConfig::nokiwitree) && $BSConfig::nokiwitree;
     }
-    @files = grep {-f "$buildroot/.build.packages/$d/$_"} @files;
+    @files = grep {! -l "$buildroot/.build.packages/$d/$_" && -f _} @files;
     push @send, map {"$buildroot/.build.packages/$d/$_"} @files;
   }
   @send = map {{name => (split('/', $_))[-1], filename => $_}} @send;