diff --git a/docs/source/CVE-2017-1002153.rst b/docs/source/CVE-2017-1002153.rst new file mode 100644 index 00000000..f1360e6d --- /dev/null +++ b/docs/source/CVE-2017-1002153.rst @@ -0,0 +1,26 @@ +================ +CVE-2017-1002153 +================ + +Koji 1.13.0 does not properly validate SCM paths. + + +Summary +------- + +Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission. + + +Bug fix +------- + +Koji versions 1.14.0 and forward contain the fix. + +This bug was tracked as `issue#563 `_ + +Links +----- + +Fixed versions can be found at our releases page: + + `https://pagure.io/koji/releases `_ diff --git a/docs/source/CVE-2018-1002150-FAQ.rst b/docs/source/CVE-2018-1002150-FAQ.rst new file mode 100644 index 00000000..ba2ff569 --- /dev/null +++ b/docs/source/CVE-2018-1002150-FAQ.rst 
@@ -0,0 +1,64 @@ +======================== +FAQ for CVE-2018-1002150 +======================== + +Following are answers to some questions regarding CVE-2018-1002150 +for Koji. If you haven’t already, you should read the +:doc:`announcement `. + +If you have questions not covered here or in the announcement, please +ask them on the koji-devel mailing list. + + https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/ + +Q: Does this issue affect Koji clients or builders? + + The issue only affects the Koji hub. + +Q: How can I tell if I’ve been attacked? + + We don’t know of any exploits in the wild. However, to be + safe, we will release an intrusion detection document in a few + days. + +Q: Where are the fixed versions? + + | Koji versions before 1.12.0 are unaffected + | For Koji 1.12, 1.12.1 and higher includes the fix + | For Koji 1.13, 1.13.1 and higher includes the fix + | For Koji 1.14, 1.14.1 and higher includes the fix + | For Koji 1.15, 1.15.1 and higher includes the fix + | Koji 1.16.0 and higher will include the fix + + You can find all of these versions on our releases page: + + https://pagure.io/koji/releases + +Q: What about versions before 1.12.0? + + Koji versions before 1.12.0 are unaffected (they don't have the dist-repo + feature). However, it would be wise to update your system to the current + version. + +Q: What can be done with this exploit? + + The attacker can trick Koji into moving files around. These can be + almost any file that the httpd user can write. The attacker could + use this to corrupt Koji’s file store or to reveal any secret files + that the httpd user can read. + +Q: Can the attacker execute arbitrary code? + + Not that we know of. + +Q: Where can I get more help? + + You can ask questions on the koji-devel mailing list + (`koji-devel@fedorahosted.org `_). + + For real time communication, we have the #koji IRC channel on + `Freenode `_. 
+ The best time to ask would be during the Koji devel team + “office hours”, which are held each Tuesday and Thursday from + 10-11am eastern time. + diff --git a/docs/source/CVE-2018-1002150.rst b/docs/source/CVE-2018-1002150.rst new file mode 100644 index 00000000..19006dac --- /dev/null +++ b/docs/source/CVE-2018-1002150.rst 
@@ -0,0 +1,93 @@ +================ +CVE-2018-1002150 +================ + +Dist repo call missing authorization check allowing filesystem manipulation + + +.. toctree:: + :hidden: + + CVE-2018-1002150-FAQ + +Summary +------- + +This is a critical security bug. + +From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper +access checks for the hub.distRepoMove call. By passing carefully +constructed arguments to the call, an unauthenticated user can trick +Koji into moving content around that it should not. This could result in +corrupting any files that the httpd process can write to, or revealing +any files that the httpd process can read. If the user can authenticate +(at any privilege level), then they can use this mechanism to replace a +file with one that they have uploaded. + +Workaround +---------- + +*We strongly recommend that all Koji admins implement this workaround +immediately.* This workaround will effectively disable dist-repo +functionality. + +Because use of the hub.distRepoMove call requires a valid dist repo that +exists on disk, exploitation can be blocked by ensuring that there are +none. There are many ways this might be done. We recommend the +following: + +1. Move the repos-dist directory to another location (if it exists) +2. Replace it with a plain text file warning of the situation. Do not + skip this step. + +For example:: + + $ cd /mnt/koji + $ mv repos-dist repos-dist.old + $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist + $ ls -l /mnt/koji/repos-dist + -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist + +When applying this workaround, make sure to take both steps. If you do +not, then the system will recreate the directory if anyone creates +a new dist repo. + + +Bug fix +------- + +*Note: because code fixes can take time to deploy, we strongly recommend +that all admins apply the above workaround first. 
The workaround can be +easily undone once the fix is in place.* + +We are releasing updates for each affected version of Koji to fix this +bug. The following `releases `_ all +contain the fix: + +- 1.15.1 +- 1.14.1 +- 1.13.1 +- 1.12.1 + +Versions prior to 1.12.0 are not vulnerable because they do not have the +dist-repo feature. Also, the legacy-py24 branch is unaffected since it +is client-only (no hub). + +For users who have customized their Koji code, we recommend rebasing +your work onto the appropriate update release. If this is not feasible, +the patch should be very easy to apply. Please see `issue +#850 `_ for the code details. + +As with all changes to hub code, you must restart httpd for the changes +to take effect. + +Links +----- + +Fixed versions can be found at our releases page: + + https://pagure.io/koji/releases + +Questions and answers about this issue + + :doc:`CVE-2018-1002150-FAQ` diff --git a/docs/source/CVEs.rst b/docs/source/CVEs.rst new file mode 100644 index 00000000..8af389cc --- /dev/null +++ b/docs/source/CVEs.rst @@ -0,0 +1,9 @@ +========= +Koji CVEs +========= + +.. toctree:: + :titlesonly: + + CVE-2018-1002150 + CVE-2017-1002153 diff --git a/docs/source/index.rst b/docs/source/index.rst index 87e28df3..71439cfb 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -28,6 +28,7 @@ Contents misc release_notes migrations + CVEs runs_here server_bootstrap server_howto diff --git a/docs/source/release_notes.rst b/docs/source/release_notes.rst index 56030fc0..8cfbb557 100644 --- a/docs/source/release_notes.rst +++ b/docs/source/release_notes.rst @@ -5,6 +5,7 @@ Release Notes .. toctree:: :maxdepth: 1 + release_notes_1.15.1 release_notes_1.15 release_notes_1.14 release_notes_1.13 diff --git a/docs/source/release_notes_1.15.1.rst b/docs/source/release_notes_1.15.1.rst new file mode 100644 index 00000000..dc803c93 --- /dev/null +++ b/docs/source/release_notes_1.15.1.rst 
@@ -0,0 +1,34 @@ +Koji 1.15.1 Release Notes +========================= + +Koji 1.15.1 is a bugfix release for Koji 1.15. The most important change +is the fix for :doc:`CVE-2018-1002150`. + +Please see: :doc:`release_notes_1.15` + +Issues fixed in 1.15.1 +---------------------- + +- `Issue 850 `_ -- + CVE-2018-1002150 + +- `Issue 846 `_ -- + error occurs in SCM.get_source since subprocess.check_output is not supported by python 2.6- + +- `Issue 724 `_ -- + buildNotification of wrapperRPM fails because of task["label"] is None + +- `Issue 786 `_ -- + buildSRPMFromSCM tasks fail on koji 1.15 + +- `Issue 803 `_ -- + Email notifications makes build tasks fail with "KeyError: 'users_usertype'" + +- `Issue 742 `_ -- + dict key access fail in koji_cli.commands._build_image + +- `Issue 811 `_ -- + AttributeError: 'dict' object has no attribute 'hub.checked_md5' + +- `Issue 813 `_ -- + cg imports fail with "Unsupported checksum type" diff --git a/docs/source/release_notes_1.15.rst b/docs/source/release_notes_1.15.rst index ba8bf18b..a6164b84 100644 --- a/docs/source/release_notes_1.15.rst +++ b/docs/source/release_notes_1.15.rst @@ -1,6 +1,11 @@ Koji 1.15 Release Notes ======================= +Updates +------- + +- :doc:`Koji 1.15.1 ` is a security update for Koji 1.15 + Migrating from the previous release -----------------------------------
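Review bot: In docs/source/CVE-2017-1002153.rst the named hyperlink references carry no target as they appear here: `issue#563 `_ and `https://pagure.io/koji/releases `_ have only a trailing space before the closing backtick, so Sphinx will either emit a missing-target warning or render them as plain text; each needs its URL in angle brackets inside the backticks. The same pattern recurs in the FAQ (:doc:`announcement ` with no document name), in the Bug fix section of CVE-2018-1002150.rst (`releases `_, `issue #850 `_), in the per-issue links of release_notes_1.15.1.rst, and in the new Updates entry of release_notes_1.15.rst (:doc:`Koji 1.15.1 `). Separately, the 2017 page names only "Koji 1.13.0" as affected while the fix lands in 1.14.0; it should state explicitly whether releases before 1.13.0 are affected, as the 2018 page does for its range.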
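Review bot: The Workaround in CVE-2018-1002150.rst leaves two things implicit that an admin following it needs spelled out. First, the example hard-codes `/mnt/koji`; a sentence saying that this is the hub's top directory and that sites using a different location must adjust the path (and apply the steps on whichever host's filesystem holds repos-dist) would avoid the workaround being applied to the wrong tree. Second, the `ls -l` output shows the placeholder as `root root`, which is what actually prevents the hub (running as the httpd user) from removing it and recreating the directory; the text only says "do not skip this step", so add the rationale that the placeholder must not be writable or removable by the httpd user. Also worth stating is how the workaround is undone once the fixed version is deployed (remove the placeholder, restore repos-dist.old), since the Bug fix section promises it "can be easily undone" without saying how.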
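Review bot: Two answers in CVE-2018-1002150-FAQ.rst should be tightened. "we will release an intrusion detection document in a few days" is a dated promise that will go stale in committed docs; better to either link the document once it exists or give admins the one concrete thing they can check now, namely reviewing hub call logs for hub.distRepoMove invocations (the call named in the Summary) in the window before the fix or workaround was applied. And "Can the attacker execute arbitrary code? Not that we know of." reads weaker than the Summary on the same page, which states that any authenticated user can replace an httpd-writable file with uploaded content; the FAQ answer should acknowledge that consequence so the two pages do not give different impressions of severity.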