================
CVE-2018-1002150
================

Dist repo call missing authorization check allowing filesystem manipulation

.. toctree::
    :hidden:

    CVE-2018-1002150-FAQ

Summary
-------

This is a critical security bug.

From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper
access checks for the hub.distRepoMove call. By passing carefully
constructed arguments to the call, an unauthenticated user can trick
Koji into moving content around that it should not. This could result in
corrupting any files that the httpd process can write to, or revealing
any files that the httpd process can read. If the user can authenticate
(at any privilege level), then they can use this mechanism to replace a
file with one that they have uploaded.

Workaround
----------

*We strongly recommend that all Koji admins implement this workaround
immediately.* This workaround will effectively disable dist-repo
functionality.

Because use of the hub.distRepoMove call requires a valid dist repo that
exists on disk, exploitation can be blocked by ensuring that there are
none. There are many ways this might be done. We recommend the
following:

1. Move the repos-dist directory to another location (if it exists)
2. Replace it with a plain text file warning of the situation. Do not
   skip this step.

For example::

    $ cd /mnt/koji
    $ mv repos-dist repos-dist.old
    $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist
    $ ls -l /mnt/koji/repos-dist
    -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist

When applying this workaround, make sure to take both steps. If you do
not, then the system will recreate the directory if anyone creates
a new dist repo.

Bug fix
-------

*Note: because code fixes can take time to deploy, we strongly recommend
that all admins apply the above workaround first. The workaround can be
easily undone once the fix is in place.*

We are releasing updates for each affected version of Koji to fix this
bug. The following `releases <https://pagure.io/koji/releases>`_ all
contain the fix:

- 1.15.1
- 1.14.1
- 1.13.1
- 1.12.1

Versions prior to 1.12.0 are not vulnerable because they do not have the
dist-repo feature. Also, the legacy-py24 branch is unaffected since it
is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing
your work onto the appropriate update release. If this is not feasible,
the patch should be very easy to apply. Please see `issue
#850 <https://pagure.io/koji/issue/850>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes
to take effect.

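A check an admin could run after the steps above, combining the affected and fixed versions named in this advisory with the on-disk state of repos-dist. This is an added example, not code from the Koji project; the function names, the verdict strings and the treatment of patch releases after x.y.1 as fixed are assumptions.

```shell
#!/bin/sh
# Added example (not Koji project code): audit a hub for CVE-2018-1002150.
# Function names and verdict strings are assumptions made for this sketch.

# workaround_state TOPDIR -> applied | exposed | absent
workaround_state() {
    if [ -d "$1/repos-dist" ]; then
        echo exposed    # directory present: dist repos can exist on disk
    elif [ -f "$1/repos-dist" ]; then
        echo applied    # plain file in place, as in step 2
    else
        echo absent     # step 2 skipped: a new dist repo recreates the directory
    fi
}

# version_status X.Y.Z -> affected | fixed | not-affected | unlisted
version_status() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unlisted; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 3 ] || { echo unlisted; return; }
    if [ "$1" -lt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -lt 12 ]; }; then
        echo not-affected   # no dist-repo feature before 1.12.0
    elif [ "$1" -eq 1 ] && [ "$2" -le 15 ]; then
        # Assumption: patch releases after x.y.1 keep the fix.
        if [ "$3" -eq 0 ]; then echo affected; else echo fixed; fi
    else
        echo unlisted       # outside the versions this advisory lists
    fi
}

# koji_cve_audit VERSION TOPDIR -> prints a verdict; status 1 = exposed, 2 = unknown
koji_cve_audit() {
    ver=$(version_status "$1"); wa=$(workaround_state "$2")
    case "$ver/$wa" in
        affected/applied) echo "MITIGATED: dist-repo disabled, upgrade pending" ;;
        affected/*)       echo "VULNERABLE: workaround $wa"; return 1 ;;
        unlisted/*)       echo "UNKNOWN: version not listed in the advisory"; return 2 ;;
        fixed/applied)    echo "PATCHED: workaround still in place" ;;
        *)                echo "OK: version $ver" ;;
    esac
}

# Run as a script: sh koji-cve-audit.sh 1.15.0 /mnt/koji
if [ "$#" -eq 2 ]; then koji_cve_audit "$1" "$2"; fi
```
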
Links
-----

Fixed versions can be found at our releases page:

    https://pagure.io/koji/releases

Questions and answers about this issue

    :doc:`CVE-2018-1002150-FAQ`