| |
@@ -0,0 +1,93 @@
|
| |
+ ================
|
| |
+ CVE-2018-1002150
|
| |
+ ================
|
| |
+
|
| |
+ Dist repo call missing authorization check allowing filesystem manipulation
|
| |
+
|
| |
+
|
| |
+ .. toctree::
|
| |
+ :hidden:
|
| |
+
|
| |
+ CVE-2018-1002150-FAQ
|
| |
+
|
| |
+ Summary
|
| |
+ -------
|
| |
+
|
| |
+ This is a critical security bug.
|
| |
+
|
| |
+ From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper
|
| |
+ access checks for the hub.distRepoMove call. By passing carefully
|
| |
+ constructed arguments to the call, an unauthenticated user can trick
|
| |
+ Koji into moving content around that it should not. This could result in
|
| |
+ corrupting any files that the httpd process can write to, or revealing
|
| |
+ any files that the httpd process can read. If the user can authenticate
|
| |
+ (at any privilege level), then they can use this mechanism to replace a
|
| |
+ file with one that they have uploaded.
|
| |
+
|
| |
+ Workaround
|
| |
+ ----------
|
| |
+
|
| |
+ *We strongly recommend that all Koji admins implement this workaround
|
| |
+ immediately.* This workaround will effectively disable dist-repo
|
| |
+ functionality.
|
| |
+
|
| |
+ Because use of the hub.distRepoMove call requires a valid dist repo that
|
| |
+ exists on disk, exploitation can be blocked by ensuring that there are
|
| |
+ none. There are many ways this might be done. We recommend the
|
| |
+ following:
|
| |
+
|
| |
+ 1. Move the repos-dist directory to another location (if it exists)
|
| |
+ 2. Replace it with a plain text file warning of the situation. Do not
|
| |
+ skip this step.
|
| |
+
|
| |
+ For example::
|
| |
+
|
| |
+ $ cd /mnt/koji
|
| |
+ $ mv repos-dist repos-dist.old
|
| |
+ $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist
|
| |
+ $ ls -l /mnt/koji/repos-dist
|
| |
+ -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist
|
| |
+
|
| |
+ When applying this workaround, make sure to take both steps. If you do
|
| |
+ not, then the system will recreate the directory if anyone creates
|
| |
+ a new dist repo.
|
| |
+
|
| |
+
|
| |
+ Bug fix
|
| |
+ -------
|
| |
+
|
| |
+ *Note: because code fixes can take time to deploy, we strongly recommend
|
| |
+ that all admins apply the above workaround first. The workaround can be
|
| |
+ easily undone once the fix is in place.*
|
| |
+
|
| |
+ We are releasing updates for each affected version of Koji to fix this
|
| |
+ bug. The following `releases <https://pagure.io/koji/releases>`_ all
|
| |
+ contain the fix:
|
| |
+
|
| |
+ - 1.15.1
|
| |
+ - 1.14.1
|
| |
+ - 1.13.1
|
| |
+ - 1.12.1
|
| |
+
|
| |
+ Versions prior to 1.12.0 are not vulnerable because they do not have the
|
| |
+ dist-repo feature. Also, the legacy-py24 branch is unaffected since it
|
| |
+ is client-only (no hub).
|
| |
+
|
| |
+ For users who have customized their Koji code, we recommend rebasing
|
| |
+ your work onto the appropriate update release. If this is not feasible,
|
| |
+ the patch should be very easy to apply. Please see `issue
|
| |
+ #850 <https://pagure.io/koji/issue/850>`_ for the code details.
|
| |
+
|
| |
+ As with all changes to hub code, you must restart httpd for the changes
|
| |
+ to take effect.
|
| |
+
|
| |
+ Links
|
| |
+ -----
|
| |
+
|
| |
+ Fixed versions can be found at our releases page:
|
| |
+
|
| |
+ https://pagure.io/koji/releases
|
| |
+
|
| |
+ Questions and answers about this issue
|
| |
+
|
| |
+ :doc:`CVE-2018-1002150-FAQ`
|
| |
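Review bot: In the Workaround section, step 2 says to replace repos-dist with a plain text file but does not say who should own the file or what mode it should have; only the sample ls output (-rw-r--r--. 1 root root) shows that. Since the Summary states that the bug can corrupt any file the httpd process can write to, consider adding a sentence to step 2 saying the placeholder must not be writable by the httpd user. Separately, the note under Bug fix says the workaround "can be easily undone once the fix is in place", but the page gives no undo steps; a short example that removes the placeholder file and moves repos-dist.old back into place would close that gap.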
I updated the docs on release day, but neglected to actually merge these changes, so here they are.