#909 Docs for CVE-2018-1002150
Merged 5 years ago by mikem. Opened 5 years ago by mikem.
mikem/koji distrepo-cve-docs  into  master

@@ -0,0 +1,26 @@ 

+ ================

+ CVE-2017-1002153

+ ================

+ 

+ Koji 1.13.0 does not properly validate SCM paths.

+ 

+ 

+ Summary

+ -------

+ 

+ Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.

+ 

+ 

+ Bug fix

+ -------

+ 

+ Koji versions 1.14.0 and forward contain the fix.

+ 

+ This bug was tracked as `issue#563 <https://pagure.io/koji/issue/563>`_

+ 

+ Links

+ -----

+ 

+ Fixed versions can be found at our releases page:

+ 

+     `https://pagure.io/koji/releases <https://pagure.io/koji/releases>`_
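Review bot: the affected-version statement in this page is incomplete. The subtitle and Summary only say that Koji 1.13.0 does not properly validate SCM paths, while the Bug fix section says 1.14.0 and forward contain the fix, so a reader running 1.12 or earlier cannot tell whether they are affected; state the full affected range, or say explicitly that only 1.13.0 is affected. Two smaller points: the sentence ending in `issue#563 <https://pagure.io/koji/issue/563>`_ is missing its closing period, and the Links entry wraps the URL as both link text and target (`https://pagure.io/koji/releases <https://pagure.io/koji/releases>`_) where the CVE-2018-1002150 page in the same PR uses the bare URL; use one style across the CVE pages.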

@@ -0,0 +1,64 @@ 

+ ========================

+ FAQ for CVE-2018-1002150

+ ========================

+ 

+ Following are answers to some questions regarding CVE-2018-1002150

+ for Koji. If you haven’t already, you should read the

+ :doc:`announcement <CVE-2018-1002150>`.

+ 

+ If you have questions not covered here or in the announcement, please

+ ask them on the koji-devel mailing list.

+ 

+     https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/

+ 

+ Q: Does this issue affect Koji clients or builders?

+ 

+     The issue only affects the Koji hub.

+ 

+ Q: How can I tell if I’ve been attacked?

+ 

+     We don’t know of any exploits in the wild. However, to be

+     safe, we will release an intrusion detection document in a few

+     days.

+ 

+ Q: Where are the fixed versions?

+ 

+     | Koji versions before 1.12.0 are unaffected

+     | For Koji 1.12, 1.12.1 and higher includes the fix

+     | For Koji 1.13, 1.13.1 and higher includes the fix

+     | For Koji 1.14, 1.14.1 and higher includes the fix

+     | For Koji 1.15, 1.15.1 and higher includes the fix

+     | Koji 1.16.0 and higher will include the fix

+ 

+     You can find all of these versions on our releases page:

+ 

+     https://pagure.io/koji/releases

+ 

+ Q: What about versions before 1.12.0?

+ 

+     Koji versions before 1.12.0 are unaffected (they don't have the dist-repo

+     feature). However, it would be wise to update your system to the current

+     version.

+ 

+ Q: What can be done with this exploit?

+ 

+     The attacker can trick Koji into moving files around. These can be

+     almost any file that the httpd user can write. The attacker could

+     use this to corrupt Koji’s file store or to reveal any secret files

+     that the httpd user can read.

+ 

+ Q: Can the attacker execute arbitrary code?

+ 

+     Not that we know of.

+ 

+ Q: Where can I get more help?

+ 

+     You can ask questions on the koji-devel mailing list

+     (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).

+ 

+     For real time communication, we have the #koji IRC channel on

+     `Freenode <https://freenode.net/>`_.

+     The best time to ask would be during the Koji devel team

+     “office hours”, which are held each Tuesday and Thursday from

+     10-11am eastern time.

+ 
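Review bot: the two mailing-list addresses in this file disagree. The archive URL near the top is for koji-devel@lists.fedorahosted.org, while the "Where can I get more help?" answer gives koji-devel@fedorahosted.org as the mailto target; use one address in both places. Separately, the "How can I tell if I've been attacked?" answer promises an intrusion detection document "in a few days" with nothing to point at; add a placeholder :doc: entry or a tracking issue link so the promise does not go stale, and in the meantime naming the call the announcement identifies (hub.distRepoMove) would give admins something concrete to look for. Minor: "Koji versions before 1.12.0 are unaffected" appears both in the fixed-versions answer and as the answer to the next question; one mention is enough.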

@@ -0,0 +1,93 @@ 

+ ================

+ CVE-2018-1002150

+ ================

+ 

+ Dist repo call missing authorization check allowing filesystem manipulation

+ 

+ 

+ .. toctree::

+     :hidden:

+ 

+     CVE-2018-1002150-FAQ

+ 

+ Summary

+ -------

+ 

+ This is a critical security bug.

+ 

+ From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper

+ access checks for the hub.distRepoMove call. By passing carefully

+ constructed arguments to the call, an unauthenticated user can trick

+ Koji into moving content around that it should not. This could result in

+ corrupting any files that the httpd process can write to, or revealing

+ any files that the httpd process can read. If the user can authenticate

+ (at any privilege level), then they can use this mechanism to replace a

+ file with one that they have uploaded.

+ 

+ Workaround

+ ----------

+ 

+ *We strongly recommend that all Koji admins implement this workaround

+ immediately.* This workaround will effectively disable dist-repo

+ functionality.

+ 

+ Because use of the hub.distRepoMove call requires a valid dist repo that

+ exists on disk, exploitation can be blocked by ensuring that there are

+ none. There are many ways this might be done. We recommend the

+ following:

+ 

+ 1. Move the repos-dist directory to another location (if it exists)

+ 2. Replace it with a plain text file warning of the situation. Do not

+    skip this step.

+ 

+ For example::

+ 

+     $ cd /mnt/koji

+     $ mv repos-dist repos-dist.old

+     $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist

+     $ ls -l /mnt/koji/repos-dist

+     -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist

+ 

+ When applying this workaround, make sure to take both steps. If you do

+ not, then the system will recreate the directory if anyone creates

+ a new dist repo.

+ 

+ 

+ Bug fix

+ -------

+ 

+ *Note: because code fixes can take time to deploy, we strongly recommend

+ that all admins apply the above workaround first. The workaround can be

+ easily undone once the fix is in place.*

+ 

+ We are releasing updates for each affected version of Koji to fix this

+ bug. The following `releases <https://pagure.io/koji/releases>`_ all

+ contain the fix:

+ 

+ -  1.15.1

+ -  1.14.1

+ -  1.13.1

+ -  1.12.1

+ 

+ Versions prior to 1.12.0 are not vulnerable because they do not have the

+ dist-repo feature. Also, the legacy-py24 branch is unaffected since it

+ is client-only (no hub).

+ 

+ For users who have customized their Koji code, we recommend rebasing

+ your work onto the appropriate update release. If this is not feasible,

+ the patch should be very easy to apply. Please see `issue

+ #850 <https://pagure.io/koji/issue/850>`_ for the code details.

+ 

+ As with all changes to hub code, you must restart httpd for the changes

+ to take effect.

+ 

+ Links

+ -----

+ 

+ Fixed versions can be found at our releases page:

+ 

+     https://pagure.io/koji/releases

+ 

+ Questions and answers about this issue

+ 

+     :doc:`CVE-2018-1002150-FAQ`
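Review bot: step 2 of the workaround relies on the placeholder file blocking recreation of repos-dist, but the text never says what makes that work. The example output shows the file owned by root (`-rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist`), yet nothing tells the admin that the placeholder must have ownership and permissions such that the hub process (running as the httpd user, per the Summary) cannot remove or replace it; say so explicitly next to "Do not skip this step", since the file's content is irrelevant and only its existence and protection matter. Also, the Bug fix list names 1.15.1, 1.14.1, 1.13.1 and 1.12.1 but omits 1.16.0, which the FAQ in this PR says will include the fix; either add it here or point to the FAQ's version list so the two pages agree.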

@@ -0,0 +1,9 @@ 

+ =========

+ Koji CVEs

+ =========

+ 

+ .. toctree::

+     :titlesonly:

+ 

+     CVE-2018-1002150

+     CVE-2017-1002153

file modified
+1
@@ -28,6 +28,7 @@ 

      misc

      release_notes

      migrations

+     CVEs

      runs_here

      server_bootstrap

      server_howto

@@ -5,6 +5,7 @@ 

  .. toctree::

      :maxdepth: 1

  

+     release_notes_1.15.1

      release_notes_1.15

      release_notes_1.14

      release_notes_1.13

@@ -0,0 +1,34 @@ 

+ Koji 1.15.1 Release Notes

+ =========================

+ 

+ Koji 1.15.1 is a bugfix release for Koji 1.15. The most important change

+ is the fix for :doc:`CVE-2018-1002150`.

+ 

+ Please see: :doc:`release_notes_1.15`

+ 

+ Issues fixed in 1.15.1

+ ----------------------

+ 

+ - `Issue 850 <https://pagure.io/koji/issue/850>`_ --

+   CVE-2018-1002150

+ 

+ - `Issue 846 <https://pagure.io/koji/issue/846>`_ --

+   error occurs in SCM.get_source since subprocess.check_output is not supported by python 2.6-

+ 

+ - `Issue 724 <https://pagure.io/koji/issue/724>`_ --

+   buildNotification of wrapperRPM fails because of task["label"] is None

+ 

+ - `Issue 786 <https://pagure.io/koji/issue/786>`_ --

+   buildSRPMFromSCM tasks fail on koji 1.15

+ 

+ - `Issue 803 <https://pagure.io/koji/issue/803>`_ --

+   Email notifications makes build tasks fail with "KeyError: 'users_usertype'"

+ 

+ - `Issue 742 <https://pagure.io/koji/issue/742>`_ --

+   dict key access fail in koji_cli.commands._build_image

+ 

+ - `Issue 811 <https://pagure.io/koji/issue/811>`_ --

+   AttributeError: 'dict' object has no attribute 'hub.checked_md5'

+ 

+ - `Issue 813 <https://pagure.io/koji/issue/813>`_ --

+   cg imports fail with "Unsupported checksum type"
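Review bot: the Issue 850 bullet carries only the identifier "CVE-2018-1002150" while every other bullet has a one-line description; add the short description used by the announcement in this PR ("Dist repo call missing authorization check allowing filesystem manipulation") and link it with :doc:`CVE-2018-1002150` as the intro paragraph does, so a reader scanning the list sees what changed. The Issue 846 text "not supported by python 2.6-" reads as a typo; if it means Python 2.6 and earlier, say that.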

@@ -1,6 +1,11 @@ 

  Koji 1.15 Release Notes

  =======================

  

+ Updates

+ -------

+ 

+ - :doc:`Koji 1.15.1 <release_notes_1.15.1>` is a security update for Koji 1.15

+ 

  Migrating from the previous release

  -----------------------------------