Currently it's possible to pass koji any CVS string you want, including one to your own CVS server chock full of trojan software. Since koji has no current concept of who is allowed to build for what, and we're relying upon CVS ACLs, it would be "easy" to usurp these and do, say, a kernel build, pointing to your own CVS server that is set up correctly and has all the right content to do the build, just with your own sources and fun changes.
While we look to fix this in Koji itself, we can immediately prevent this by blocking pserver access to anything other than cvs.fedoraproject.org.
Please block on all koji builders.
This specific change is done but it is insufficient. A malicious user can still put in a specific port for their CVS server and step around it. A better solution is to restrict the builders to outbound access to internal hosts only.
Here is the gist of the rules I'd want:
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 209.132.176.0/24 -j ACCEPT
-A OUTPUT -d 66.187.224.20/32 -j ACCEPT
-A OUTPUT -d 152.3.220.164/32 -j ACCEPT
-A OUTPUT -m tcp -p tcp -j REJECT
-A OUTPUT -m udp -p udp -j REJECT
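The following is an added example, not part of the ticket or of Fedora's infrastructure code: a small first-match evaluator that models the OUTPUT chain proposed above and replays the ticket's scenario against it. It shows concretely why a port-only pserver block is bypassed by a CVS server listening on a non-standard port, while the destination allowlist rejects the connection regardless of port. The CVS host address (192.0.2.10) and the outside server address (198.51.100.7) are constructed placeholders from the documentation ranges; the chain policy of ACCEPT is an assumption, since the ticket's rules do not set one.

```python
import ipaddress

# Added example (not from the ticket): a tiny first-match evaluator for the
# proposed OUTPUT chain, used to show why a destination allowlist closes the
# gap that a port-only pserver block leaves open.

# Rule = (destination network, protocol or None for any, dport or None for any, verdict)

# The egress allowlist quoted in the ticket, in the order given there.
EGRESS_RULES = [
    ("127.0.0.0/8",      None,  None, "ACCEPT"),
    ("10.0.0.0/8",       None,  None, "ACCEPT"),
    ("209.132.176.0/24", None,  None, "ACCEPT"),
    ("66.187.224.20/32", None,  None, "ACCEPT"),
    ("152.3.220.164/32", None,  None, "ACCEPT"),
    ("0.0.0.0/0",        "tcp", None, "REJECT"),
    ("0.0.0.0/0",        "udp", None, "REJECT"),
]

# The earlier, insufficient approach: only the standard pserver port (2401/tcp)
# is blocked unless the destination is the project CVS host. The CVS host
# address below is a constructed placeholder (TEST-NET-1), not the real one.
CVS_HOST_PLACEHOLDER = "192.0.2.10/32"
PORT_ONLY_RULES = [
    (CVS_HOST_PLACEHOLDER, "tcp", 2401, "ACCEPT"),
    ("0.0.0.0/0",          "tcp", 2401, "REJECT"),
]

# Chain policy applied when no rule matches. iptables defaults to ACCEPT and
# the ticket's rules do not change it (assumption).
CHAIN_POLICY = "ACCEPT"


def evaluate(rules, dst, proto, dport=None):
    """Return the verdict for one outbound packet, iptables-style: rules are
    tried in order and the first one whose destination, protocol and port all
    match decides; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(dst)
    for net, rproto, rport, verdict in rules:
        if addr not in ipaddress.ip_network(net):
            continue
        if rproto is not None and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return verdict
    return CHAIN_POLICY


def compare_policies():
    """Replay the ticket's scenario against both policies: a builder asked to
    pull sources from an outside CVS server (constructed address, TEST-NET-2)
    on the default pserver port and on an arbitrary alternative port."""
    outside_cvs = "198.51.100.7"
    cases = {
        "outside cvs, port 2401": (outside_cvs, "tcp", 2401),
        "outside cvs, port 9999": (outside_cvs, "tcp", 9999),
        "internal host, port 9999": ("10.1.2.3", "tcp", 9999),
    }
    return {
        name: {
            "port_only": evaluate(PORT_ONLY_RULES, *pkt),
            "egress_allowlist": evaluate(EGRESS_RULES, *pkt),
        }
        for name, pkt in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:26} port-only={verdicts['port_only']:7} "
              f"allowlist={verdicts['egress_allowlist']}")
```

Two properties of the quoted ruleset worth checking with the evaluator before deploying it: the trailing REJECTs cover only TCP and UDP, so any other protocol falls through to the chain policy (evaluate(EGRESS_RULES, "198.51.100.7", "icmp") returns ACCEPT under the assumed policy), and every resolver, mirror or hub the builders need must itself be inside one of the allowed prefixes, since UDP to any other destination is rejected too.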