#1274 cve-2018-1002161
Merged 5 years ago by mikem. Opened 5 years ago by mikem.
mikem/koji get_archive_type into master

@@ -0,0 +1,66 @@ 

+ ========================

+ FAQ for CVE-2018-1002161

+ ========================

+ 

+ Following are answers to some questions regarding CVE-2018-1002161

+ for Koji. If you haven’t already, you should read the

+ :doc:`announcement <CVE-2018-1002161>`.

+ 

+ If you have questions not covered here or in the announcement, please

+ ask them on the koji-devel mailing list.

+ 

+     https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/

+ 

+ Q: Does this issue affect Koji clients or builders?

+ 

+     The issue only affects the Koji hub.

+ 

+ Q: Which versions of Koji are affected?

+ 

+     All previous versions of Koji are affected, except for the legacy-py24

+     branch because it contains no hub code.

+ 

+ Q: Where are the fixed versions?

+ 

+     | For Koji 1.11, 1.11.1 and higher include the fix

+     | For Koji 1.12, 1.12.2 and higher include the fix

+     | For Koji 1.13, 1.13.2 and higher include the fix

+     | For Koji 1.14, 1.14.2 and higher include the fix

+     | For Koji 1.15, 1.15.2 and higher include the fix

+     | For Koji 1.16.2 and higher include the fix

+ 

+     You can find all of these versions on our releases page:

+ 

+     https://pagure.io/koji/releases

+ 

+ Q: What about older versions?

+ 

+     We have only backported the fix to Koji versions released in the past few

+     years. If you are still using a very old version of Koji, we strongly

+     recommend that you shut it down and migrate to a newer version.

+ 

+ Q: What can be done with this exploit?

+ 

+     The attacker can directly manipulate the database as they see fit. This

+     would, among other things, allow them to gain the admin permission within

+     Koji. They could destroy or corrupt the database, add new builds, replace

+     existing builds, or any number of other things.

+ 

+ Q: Can the attacker execute arbitrary code?

+ 

+     On the hub, not that we know of.

+ 

+     However, they could create arbitrary tasks, which would be run by the build

+     hosts.

+ 

+ Q: Where can I get more help?

+ 

+     You can ask questions on the koji-devel mailing list

+     (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).

+ 

+     For real time communication, we have the #koji IRC channel on

+     `Freenode <https://freenode.net/>`_.

+     The best time to ask would be during the Koji devel team

+     “office hours”, which are held each Tuesday and Thursday from

+     10-11am eastern time.

+ 
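Review bot: the last line of the fixed-versions block under "Q: Where are the fixed versions?" breaks the pattern of the five lines above it ("For Koji 1.16.2 and higher include the fix" drops the branch name), which reads like a typo; suggest "| For Koji 1.16, 1.16.2 and higher include the fix" so every branch is listed the same way.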

@@ -0,0 +1,66 @@ 

+ ================

+ CVE-2018-1002161

+ ================

+ 

+ SQL injection in multiple remote calls

+ 

+ .. toctree::

+     :hidden:

+ 

+     CVE-2018-1002161-FAQ

+ 

+ 

+ Summary

+ -------

+ 

+ This is a critical security bug.

+ 

+ Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By

+ passing carefully constructed arguments to these calls, an unauthenticated user

+ can issue arbitrary SQL commands to Koji’s database. This gives the attacker

+ broad ability to manipulate or destroy data.

+ 

+ There is no known workaround. All Koji admins are encouraged to update to a

+ fixed version as soon as possible.

+ 

+ 

+ 

+ Bug fix

+ -------

+ 

+ Note: because code fixes can take time to deploy, we recommend

+ that all admins shut down their Koji hub instances until the fix

+ can be applied.

+ 

+ We are releasing updates for several recent versions of Koji to fix this

+ bug. The following `releases <https://pagure.io/koji/releases>`_ all

+ contain the fix:

+ 

+ -  1.16.2

+ -  1.15.2

+ -  1.14.2

+ -  1.13.2

+ -  1.12.2

+ -  1.11.1

+ 

+ Note: the legacy-py24 branch is unaffected since it

+ is client-only (no hub).

+ 

+ For users who have customized their Koji code, we recommend rebasing

+ your work onto the appropriate update release. If this is not feasible,

+ the patch should be very easy to apply. Please see `issue

+ #1183 <https://pagure.io/koji/issue/1183>`_ for the code details.

+ 

+ As with all changes to hub code, you must restart httpd for the changes

+ to take effect.

+ 

+ Links

+ -----

+ 

+ Fixed versions can be found at our releases page:

+ 

+     https://pagure.io/koji/releases

+ 

+ Questions and answers about this issue

+ 

+     :doc:`CVE-2018-1002161-FAQ`
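Review bot: the fixed-release list in "Bug fix" duplicates the list in the FAQ document, so the two can drift when a further backport is cut; suggest keeping the list in one place and linking to it from the other (the "Links" section already points at the FAQ). Also, "There is no known workaround" sits in the Summary while the recommendation to shut down hub instances until patched sits under "Bug fix"; moving that recommendation up into the Summary makes it harder for an admin skimming the announcement to miss.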

file modified
+1
@@ -5,5 +5,6 @@ 

  .. toctree::

      :titlesonly:

  

+     CVE-2018-1002161

      CVE-2018-1002150

      CVE-2017-1002153

@@ -5,6 +5,8 @@ 

  .. toctree::

      :maxdepth: 1

  

+     release_notes_1.16.2

+     release_notes_1.16.1

      release_notes_1.16

      release_notes_1.15.1

      release_notes_1.15

@@ -0,0 +1,59 @@ 

+ Koji 1.16.1 Release Notes

+ =========================

+ 

+ Koji 1.16.1 is a point release for Koji 1.16. The major changes include:

+ 

+ - Allow target info to be read for different type tasks in channel policy.

+ - Create symlinks for builds imported onto non-default volumes.

+ - Fix RPMdiff issues found in Koji 1.16.0.

+ 

+ Please see: :doc:`release_notes_1.16`

+ 

+ Issues fixed in 1.16.1

+ ----------------------

+ 

+ - `Issue 847 <https://pagure.io/koji/issue/847>`_ --

+   spin-livecd failed with "Could not resolve host"

+ 

+ - `Issue 932 <https://pagure.io/koji/issue/932>`_ --

+   Fix use_host_resolv with new mock version

+ 

+ - `Issue 1010 <https://pagure.io/koji/issue/1010>`_ --

+   koji fails runroot because of `UnicodeDecodeError`

+ 

+ - `Issue 998 <https://pagure.io/koji/issue/998>`_ --

+   cancel build doesn't work for images

+ 

+ - `Issue 994 <https://pagure.io/koji/issue/994>`_ --

+   rpmdiff calculate wrong results

+ 

+ - `Issue 1025 <https://pagure.io/koji/issue/1025>`_ --

+   missing default volume symlink for imported builds affected by volume policy

+ 

+ - `Issue 1007 <https://pagure.io/koji/issue/1007>`_ --

+   decode_args() might result in --package parameter missing in runroot command

+ 

+ - `Issue 150 <https://pagure.io/koji/issue/150>`_ --

+   no target info in channel policy for non-rpm tasks

+ 

+ - `PR: 973 <https://pagure.io/koji/pull-request/973>`_ --

+   Check empty arches before spawning dist-repo

+ 

+ - `Issue 958 <https://pagure.io/koji/issue/958>`_ --

+   Notification for tagBuildBypass is writing message untagged from, expected message tagged into

+ 

+ - `Issue 968 <https://pagure.io/koji/issue/968>`_ --

+   Default enable python3 on RHEL8

+ 

+ - `Issue 916 <https://pagure.io/koji/issue/916>`_ --

+   `clone-tag` doesn't preserve tagging order

+ 

+ - `Issue 949 <https://pagure.io/koji/issue/949>`_ --

+   cli: [rpminfo] KeyError: 'license' for external RPM

+ 

+ - `Issue 876 <https://pagure.io/koji/issue/876>`_ --

+   koji clone-tag raises "UnboundLocalError"

+ 

+ - `Issue 945 <https://pagure.io/koji/issue/945>`_ --

+   Koji build fail due to ambiguous python shebang

+ 
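Review bot: these 1.16.1 release notes are unrelated to the CVE fix this PR carries; bundling them makes the security change harder to review and to cherry-pick onto other branches. Also, one entry is labelled "PR: 973" while the rest use "Issue N"; suggest a consistent label for the list.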

@@ -0,0 +1,18 @@ 

+ Koji 1.16.2 Release Notes

+ =========================

+ 

+ Koji 1.16.2 is a bugfix release for Koji 1.16.

+ The purpose of this release is address  :doc:`CVE-2018-1002161`.

+ 

+ See also:

+ 

+ - :doc:`release_notes_1.16.1`

+ 

+ - :doc:`release_notes_1.16`

+ 

+ 

+ Issues fixed in 1.16.2

+ ----------------------

+ 

+ - `Issue 1183 <https://pagure.io/koji/issue/1183>`_ --

+   CVE-2018-1002161
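Review bot: "The purpose of this release is address  :doc:`CVE-2018-1002161`." is missing "to" and has a doubled space; suggest "The purpose of this release is to address :doc:`CVE-2018-1002161`."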

file modified
+13 -9
@@ -4207,8 +4207,10 @@ 

                      val = typeInfo[key]

                      if not isinstance(val, (list, tuple)):

                          val = [val]

-                     for v in val:

-                         clauses.append(r"""%s ~ E'\\m%s\\M'""" % (key, v))

+                     for i, v in enumerate(val):

+                         pkey = '%s_pattern_%i' % (key, i)

+                         values[pkey] = r'\m%s\M' % v

+                         clauses.append('%s ~ %%(%s)s' % (key, pkey))

      elif type == 'image':

          joins.append('image_archives ON archiveinfo.id = image_archives.archive_id')

          fields.append(['image_archives.arch', 'arch'])
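Review bot: `key` is still interpolated into the SQL text in `clauses.append('%s ~ %%(%s)s' % (key, pkey))`, so the fix is only complete if `key` is restricted to a fixed set of column names before this loop; the visible context does not show that check, and if `typeInfo` keys come from the caller they should be validated against an explicit allowlist. Separately, `v` is embedded in a regex pattern rather than matched literally, so a value containing regex metacharacters still changes what `\m...\M` matches. That is no longer an injection now that it is passed as a bound parameter, but if the intent is an exact word match, escape the value before wrapping it in the pattern.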
@@ -6222,13 +6224,15 @@ 

          raise koji.GenericError('one of filename, type_name, or type_id must be specified')

  

      parts = filename.split('.')

- 

+     query = QueryProcessor(

+             tables=['archivetypes'],

+             columns=['id', 'name', 'description', 'extensions'],

+             clauses=['extensions ~* %(pattern)s'],

+             )

      for start in range(len(parts)-1, -1, -1):

          ext = '.'.join(parts[start:])

- 

-         select = r"""SELECT id, name, description, extensions FROM archivetypes

-                       WHERE extensions ~* E'(\\s|^)%s(\\s|$)'""" % ext

-         results = _multiRow(select, locals(), ('id', 'name', 'description', 'extensions'))

+         query.values['pattern'] = r'(\s|^)%s(\s|$)' % ext

+         results = query.execute()

  

          if len(results) == 1:

              return results[0]
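Review bot: the `QueryProcessor(...)` call passes no `values`, yet the loop assigns `query.values['pattern'] = ...`; this relies on `QueryProcessor` initialising `values` to a mutable dict when the argument is omitted, which the hunk does not show, and a `None` default would raise a `TypeError` on the first iteration. Passing `values={}` explicitly removes that dependency. As in the `list_archives` change, `ext` is used as a regex fragment, so the `.` in an extension such as `tar.gz` matches any character; that matches the old behaviour, but `re.escape(ext)` would make the match literal.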
@@ -10887,8 +10891,8 @@ 

              # matching 'ppc64'

              if not isinstance(arches, (list, tuple)):

                  arches = [arches]

-             archClause = [r"""arches ~ E'\\m%s\\M'""" % arch for arch in arches]

-             clauses.append('(' + ' OR '.join(archClause) + ')')

+             archPattern = r'\m(%s)\M' % '|'.join(arches)

+             clauses.append('arches ~ %(archPattern)s')

          if channelID is not None:

              channelID = get_channel_id(channelID, strict=True)

              joins.append('host_channels ON host.id = host_channels.host_id')
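Review bot: `archPattern` is built and referenced as `%(archPattern)s` in the clause, but nothing in the hunk adds it to the values handed to the query; if the surrounding code forwards `locals()`, it works, but that is implicit and breaks silently if the variable is renamed. Suggest adding the value to the query's values dict explicitly. Also, `'|'.join(arches)` places each arch unescaped into the alternation, so an arch string containing regex metacharacters alters the pattern; escaping each element keeps the match literal.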

@@ -177,10 +177,14 @@ 

                                           'win_archives ON archiveinfo.id = win_archives.archive_id']),

                                    clauses=sorted([

                                             'win_archives.relpath = %(relpath)s',

-                                            r"platforms ~ E'\\mall\\M'",

-                                            r"flags ~ E'\\mA\\M'",

-                                            r"flags ~ E'\\mB\\M'"]),

-                                   values={'relpath': 'somerelpath'},

+                                            r"platforms ~ %(platforms_pattern_0)s",

+                                            r"flags ~ %(flags_pattern_0)s",

+                                            r"flags ~ %(flags_pattern_1)s"]),

+                                   values={'relpath': 'somerelpath',

+                                           'flags_pattern_0': '\\mA\\M',

+                                           'flags_pattern_1': '\\mB\\M',

+                                           'platforms_pattern_0': '\\mall\\M',

+                                           },

                                    colsByAlias={'relpath': 'win_archives.relpath',

                                                 'platforms': 'win_archives.platforms',

                                                 'flags': 'win_archives.flags',
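Review bot: asserting the bound `values` entries ('\\mA\\M', '\\mB\\M', '\\mall\\M') alongside the parameterised clauses is the right check for this fix; consider adding one case where a flag or platform value contains a single quote or a regex metacharacter, so that a regression back to string interpolation is caught by the test rather than only by code review.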

@@ -71,8 +71,8 @@ 

          query = self.queries[0]

          self.assertEqual(query.tables, ['host_config'])

          self.assertEqual(query.joins, ['host ON host.id = host_config.host_id'])

-         self.assertEqual(query.clauses, [r"""(arches ~ E'\\mx86_64\\M')""",

-                                              'host_config.active IS TRUE'])

+         self.assertEqual(query.clauses, ['arches ~ %(archPattern)s',

+                                         'host_config.active IS TRUE'])

  

      def test_list_hosts_multi_arch(self):

          self.exports.listHosts(arches=['x86_64', 's390'])
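Review bot: replacing the clause assertion with `'arches ~ %(archPattern)s'` drops the only check that `x86_64` actually reached the query; the test no longer verifies the bound value. Assuming the query's values dict carries it, suggest also asserting `self.assertEqual(query.values['archPattern'], r'\mx86_64\M')`.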
@@ -82,7 +82,7 @@ 

          self.assertEqual(query.tables, ['host_config'])

          self.assertEqual(query.joins, ['host ON host.id = host_config.host_id'])

          self.assertEqual(query.clauses, [

-             r"""(arches ~ E'\\mx86_64\\M' OR arches ~ E'\\ms390\\M')""",

+             'arches ~ %(archPattern)s',

              'host_config.active IS TRUE'])

  

      def test_list_hosts_bad_arch(self):
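Review bot: same gap as in the single-arch test above: the new assertion checks only the clause text, so the alternation built from the two arches is never verified. Suggest adding an assertion on the bound value, e.g. `self.assertEqual(query.values['archPattern'], r'\m(x86_64|s390)\M')`, so the test pins the pattern the hub actually sends.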