Docs for CVE-2018-1002150

docs/source/CVE-2017-1002153.rst

@@ -0,0 +1,26 @@
+================
+CVE-2017-1002153
+================
+
+Koji 1.13.0 does not properly validate SCM paths.
+
+
+Summary
+-------
+
+Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
+
+
+Bug fix
+-------
+
+Koji versions 1.14.0 and forward contain the fix.
+
+This bug was tracked as `issue#563 <https://pagure.io/koji/issue/563>`_
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+    `https://pagure.io/koji/releases <https://pagure.io/koji/releases>`_

docs/source/CVE-2018-1002150-FAQ.rst

@@ -0,0 +1,64 @@
+========================
+FAQ for CVE-2018-1002150
+========================
+
+Following are answers to some questions regarding CVE-2018-1002150
+for Koji. If you haven’t already, you should read the
+:doc:`announcement <CVE-2018-1002150>`.
+
+If you have questions not covered here or in the announcement, please
+ask them on the koji-devel mailing list.
+
+    https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/
+
+Q: Does this issue affect Koji clients or builders?
+
+    The issue only affects the Koji hub.
+
+Q: How can I tell if I’ve been attacked?
+
+    We don’t know of any exploits in the wild. However, to be
+    safe, we will release an intrusion detection document in a few
+    days.
+
+Q: Where are the fixed versions?
+
+    | Koji versions before 1.12.0 are unaffected
+    | For Koji 1.12, 1.12.1 and higher includes the fix
+    | For Koji 1.13, 1.13.1 and higher includes the fix
+    | For Koji 1.14, 1.14.1 and higher includes the fix
+    | For Koji 1.15, 1.15.1 and higher includes the fix
+    | Koji 1.16.0 and higher will include the fix
+
+    You can find all of these versions on our releases page:
+
+    https://pagure.io/koji/releases
+
+Q: What about versions before 1.12.0?
+
+    Koji versions before 1.12.0 are unaffected (they don't have the dist-repo
+    feature). However, it would be wise to update your system to the current
+    version.
+
+Q: What can be done with this exploit?
+
+    The attacker can trick Koji into moving files around. These can be
+    almost any file that the httpd user can write. The attacker could
+    use this to corrupt Koji’s file store or to reveal any secret files
+    that the httpd user can read.
+
+Q: Can the attacker execute arbitrary code?
+
+    Not that we know of.
+
+Q: Where can I get more help?
+
+    You can ask questions on the koji-devel mailing list
+    (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).
+
+    For real time communication, we have the #koji IRC channel on
+    `Freenode <https://freenode.net/>`_.
+    The best time to ask would be during the Koji devel team
+    “office hours”, which are held each Tuesday and Thursday from
+    10-11am eastern time.
+

docs/source/CVE-2018-1002150.rst

@@ -0,0 +1,93 @@
+================
+CVE-2018-1002150
+================
+
+Dist repo call missing authorization check allowing filesystem manipulation
+
+
+.. toctree::
+    :hidden:
+
+    CVE-2018-1002150-FAQ
+
+Summary
+-------
+
+This is a critical security bug.
+
+From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper
+access checks for the hub.distRepoMove call. By passing carefully
+constructed arguments to the call, an unauthenticated user can trick
+Koji into moving content around that it should not. This could result in
+corrupting any files that the httpd process can write to, or revealing
+any files that the httpd process can read. If the user can authenticate
+(at any privilege level), then they can use this mechanism to replace a
+file with one that they have uploaded.
+
+Workaround
+----------
+
+*We strongly recommend that all Koji admins implement this workaround
+immediately.* This workaround will effectively disable dist-repo
+functionality.
+
+Because use of the hub.distRepoMove call requires a valid dist repo that
+exists on disk, exploitation can be blocked by ensuring that there are
+none. There are many ways this might be done. We recommend the
+following:
+
+1. Move the repos-dist directory to another location (if it exists)
+2. Replace it with a plain text file warning of the situation. Do not
+   skip this step.
+
+For example::
+
+    $ cd /mnt/koji
+    $ mv repos-dist repos-dist.old
+    $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist
+    $ ls -l /mnt/koji/repos-dist
+    -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist
+
+When applying this workaround, make sure to take both steps. If you do
+not, then the system will recreate the directory if anyone creates
+a new dist repo.
+
+
+Bug fix
+-------
+
+*Note: because code fixes can take time to deploy, we strongly recommend
+that all admins apply the above workaround first. The workaround can be
+easily undone once the fix is in place.*
+
+We are releasing updates for each affected version of Koji to fix this
+bug. The following `releases <https://pagure.io/koji/releases>`_ all
+contain the fix:
+
+-  1.15.1
+-  1.14.1
+-  1.13.1
+-  1.12.1
+
+Versions prior to 1.12.0 are not vulnerable because they do not have the
+dist-repo feature. Also, the legacy-py24 branch is unaffected since it
+is client-only (no hub).
+
+For users who have customized their Koji code, we recommend rebasing
+your work onto the appropriate update release. If this is not feasible,
+the patch should be very easy to apply. Please see `issue
+#850 <https://pagure.io/koji/issue/850>`_ for the code details.
+
+As with all changes to hub code, you must restart httpd for the changes
+to take effect.
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+    https://pagure.io/koji/releases
+
+Questions and answers about this issue
+
+    :doc:`CVE-2018-1002150-FAQ`

docs/source/CVEs.rst

@@ -0,0 +1,9 @@
+=========
+Koji CVEs
+=========
+
+.. toctree::
+    :titlesonly:
+
+    CVE-2018-1002150
+    CVE-2017-1002153

docs/source/index.rst

@@ -28,6 +28,7 @@ Contents
     misc
     release_notes
     migrations
+    CVEs
     runs_here
     server_bootstrap
     server_howto

docs/source/release_notes.rst

@@ -5,6 +5,7 @@ Release Notes
 .. toctree::
     :maxdepth: 1
 
+    release_notes_1.15.1
     release_notes_1.15
     release_notes_1.14
     release_notes_1.13

docs/source/release_notes_1.15.1.rst

@@ -0,0 +1,34 @@
+Koji 1.15.1 Release Notes
+=========================
+
+Koji 1.15.1 is a bugfix release for Koji 1.15. The most important change
+is the fix for :doc:`CVE-2018-1002150`.
+
+Please see: :doc:`release_notes_1.15`
+
+Issues fixed in 1.15.1
+----------------------
+
+- `Issue 850 <https://pagure.io/koji/issue/850>`_ --
+  CVE-2018-1002150
+
+- `Issue 846 <https://pagure.io/koji/issue/846>`_ --
+  error occurs in SCM.get_source since subprocess.check_output is not supported by python 2.6-
+
+- `Issue 724 <https://pagure.io/koji/issue/724>`_ --
+  buildNotification of wrapperRPM fails because of task["label"] is None
+
+- `Issue 786 <https://pagure.io/koji/issue/786>`_ --
+  buildSRPMFromSCM tasks fail on koji 1.15
+
+- `Issue 803 <https://pagure.io/koji/issue/803>`_ --
+  Email notifications makes build tasks fail with "KeyError: 'users_usertype'"
+
+- `Issue 742 <https://pagure.io/koji/issue/742>`_ --
+  dict key access fail in koji_cli.commands._build_image
+
+- `Issue 811 <https://pagure.io/koji/issue/811>`_ --
+  AttributeError: 'dict' object has no attribute 'hub.checked_md5'
+
+- `Issue 813 <https://pagure.io/koji/issue/813>`_ --
+  cg imports fail with "Unsupported checksum type"

docs/source/release_notes_1.15.rst

@@ -1,6 +1,11 @@
 Koji 1.15 Release Notes
 =======================
 
+Updates
+-------
+
+- :doc:`Koji 1.15.1 <release_notes_1.15.1>` is a security update for Koji 1.15
+
 Migrating from the previous release
 -----------------------------------