Date: Wed, 4 Apr 2018 15:57:36 +0200
From: Patrick Uiterwijk <puiterwijk@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-1002150: koji: Dist Repo call missing authorization check allowing filesystem manipulation

Description
===========

A vulnerability in Koji was found that allows manipulation of the koji filesystem. This allows an attacker to extract secrets from disk that the Hub has access to, or to overwrite files on disk that httpd can write to.

Affected versions
=================

All versions of Koji 1.12 before 1.12.1 are vulnerable.
All versions of Koji 1.13 before 1.13.1 are vulnerable.
All versions of Koji 1.14 before 1.14.1 are vulnerable.
All versions of Koji 1.15 before 1.15.1 are vulnerable.

Patched versions
================

Koji versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1 are available on the website, and all include patches to solve this problem.

Mitigation
==========

A temporary mitigation until the code patch is applied would be to move the repos-dist folder in the koji root directory out of the way and create a file with the same name as the folder that was just moved away.

Credits
=======

This issue was discovered by Mike McLean of Red Hat.
References
==========

https://docs.pagure.org/koji/CVE-2018-1002150/
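The temporary mitigation above (move repos-dist aside, put a regular file in its place) as an added shell example; this is not code from the advisory or from the Koji project. The koji root directory is passed as an argument because its location depends on the deployment, and the `.disabled-CVE-2018-1002150` suffix for the moved folder is an assumption.

```shell
# apply_dist_repo_mitigation <koji_root>
# Moves <koji_root>/repos-dist to <koji_root>/repos-dist.disabled-CVE-2018-1002150
# (suffix is an assumption) and creates an empty regular file named repos-dist
# in its place, so the unpatched Dist Repo call has no directory to write into.
# Safe to re-run: a second invocation leaves an already mitigated tree unchanged.
apply_dist_repo_mitigation() {
    root="$1"
    target="$root/repos-dist"
    if [ -d "$target" ]; then
        mv "$target" "$target.disabled-CVE-2018-1002150" || return 1
    fi
    # Create the placeholder only if nothing is there yet.
    if [ ! -e "$target" ]; then
        : > "$target" || return 1
    fi
    # Read-only placeholder: httpd must not be able to turn it back into content.
    chmod 0444 "$target" || return 1
    check_dist_repo_mitigation "$root"
}

# check_dist_repo_mitigation <koji_root>
# Returns 0 when repos-dist is a regular file (mitigation in place) and 1 when it
# is still a directory, a symlink to one, or missing. Useful as a monitoring probe
# on hosts that cannot be upgraded to the patched releases immediately.
check_dist_repo_mitigation() {
    [ -f "$1/repos-dist" ] && [ ! -L "$1/repos-dist" ]
}
```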