Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 18 Nov 2013 17:25:20 +0100
From: Jacob Vosmaer <jacob@...lab.com>
To: oss-security@...ts.openwall.com
Subject: Re: Requesting four (4) CVE identifiers for GitLab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Kurt,

Thanks for assigning the identifiers and thanks for the hint. I have
included the updated blog post below.

### Multiple critical vulnerabilities in GitLab
New critical vulnerabilities recently discovered in GitLab enable
unauthenticated API access, remote code execution, local file inclusion and
unauthorized access to private repositories. All users should update GitLab
and gitlab-shell immediately.

_Update (18 November 2013): added CVE numbers._

<!--more-->

### Releases
GitLab 5.4.2 and GitLab CE 6.2.4 are available from
https://gitlab.com/gitlab-org/gitlab-ce and
https://github.com/gitlabhq/gitlabhq; update instructions can be found in
https://github.com/gitlabhq/gitlabhq/blob/master/doc/update/patch_versions.md.
For more information about GitLab EE 6.2.1 see [our blog post on
GitLab.com](
http://www.gitlab.com/2013/11/14/multiple-security-vulnerabilities-in-gitlab/
).

Gitlab-shell 1.7.8 is available from
https://gitlab.com/gitlab-org/gitlab-shell and
https://github.com/gitlabhq/gitlab-shell . To upgrade gitlab-shell it
suffices to run `sudo su git -c 'git fetch && git checkout v1.7.8'` in
/home/git/gitlab-shell .

### Credits
Thanks to joernchen of [Phenoelit](http://www.phenoelit.org/) for reporting
these vulnerabilities to us.

# Unauthenticated API access to GitLab when using MySQL
There is an unauthenticated API access vulnerability in all version of
GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4580.

Versions affected: all

Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1

### Impact
On GitLab installations which use MySQL as their database backend it is
possible for an attacker to assume the identity of any existing GitLab user
in certain API calls. This attack can be performed by unauthenticated users.

This vulnerability has been fixed in GitLab 5.4.2, GitLab Community Edition
6.2.4 and GitLab Enterprise Edition 6.2.1.

### Workarounds
If you are unable to upgrade you should apply the following patch and
restart GitLab.

<pre>
- --- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -6,19 +6,23 @@ module API
     SUDO_PARAM = :sudo

     def current_user
- -      @current_user ||=
User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] ||
env[PRIVATE_TOKEN_HEADER])
+      private_token = (params[PRIVATE_TOKEN_PARAM] ||
env[PRIVATE_TOKEN_HEADER]).to_s
+      @current_user ||= User.find_by_authentication_token(private_token)
       identifier = sudo_identifier()
</pre>

# Remote code execution vulnerability via Git SSH access in GitLab
There is a remote code execution vulnerability via Git SSH access in
GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4581.

Versions affected: 5.0 and newer

Not affected: 4.2 and older

Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1
(running gitlab-shell 1.7.8)

### Impact
In affected versions an attacker can execute arbitrary code on a GitLab
server by pushing carefully crafted changes via Git over SSH. This attack
requires a GitLab user with an associated SSH key.

This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to
work with GitLab 5.4 and newer. All users should update gitlab-shell to
version 1.7.8 immediately.

### Workarounds
If you are unable to upgrade, please apply the following patch in
`/home/git/gitlab-shell`.
<pre>
- --- a/lib/gitlab_config.rb
+++ b/lib/gitlab_config.rb
@@ -48,12 +48,12 @@ class GitlabConfig
     if redis.empty?
       # Default to old method of connecting to redis
       # for users that haven't updated their configuration
- -      "env -i redis-cli"
+      %W(env -i redis-cli)
     else
       if redis.has_key?("socket")
- -        "#{redis['bin']} -s #{redis['socket']}"
+        %W(#{redis['bin']} -s #{redis['socket']})
       else
- -        "#{redis['bin']} -h #{redis['host']} -p #{redis['port']}"
+        %W(#{redis['bin']} -h #{redis['host']} -p #{redis['port']})
       end
     end
   end

- --- a/lib/gitlab_update.rb
+++ b/lib/gitlab_update.rb
@@ -1,5 +1,6 @@
 require_relative 'gitlab_init'
 require_relative 'gitlab_net'
+require 'json'

 class GitlabUpdate
   attr_reader :config
@@ -53,7 +54,8 @@ class GitlabUpdate
   end

   def update_redis
- -    command = "#{config.redis_command} rpush
'#{config.redis_namespace}:queue:post_receive'
'{\"class\":\"PostReceive\",\"args\":[\"#
- -    system(command)
+    queue = "#{config.redis_namespace}:queue:post_receive"
+    msg = JSON.dump({'class' => 'PostReceive', 'args' => [@repo_path,
@oldrev, @newrev, @refname, @key_id]})
+    system(*config.redis_command, 'rpush', queue, msg, err: '/dev/null',
out: '/dev/null')
   end
 end
</pre>

# Local file inclusion vulnerability in GitLab
There is a local file inclusion vulnerability in GitLab. This vulnerability
has been assigned CVE identifier CVE-2013-4582.

Versions affected: 5.0 and newer

Not affected: 4.2 and older

Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1
(running gitlab-shell 1.7.8)

### Impact
In affected versions an attacker can include the contents of a local file
in the metadata of a Git repository hosted on the server via the GitLab web
interface. This vulnerability can only be exploited by authenticated GitLab
users.

This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to
work with GitLab 5.4 and newer. All users should update gitlab-shell to
version 1.7.8 immediately.

### Workarounds
If you are unable to upgrade you should apply the following patch in
`/home/git/gitlab-shell`.

<pre>
- --- a/lib/gitlab_projects.rb
+++ b/lib/gitlab_projects.rb
@@ -48,7 +48,7 @@ class GitlabProjects
   def create_branch
     branch_name = ARGV.shift
     ref = ARGV.shift || "HEAD"
- -    cmd = %W(git --git-dir=#{full_path} branch #{branch_name} #{ref})
+    cmd = %W(git --git-dir=#{full_path} branch -- #{branch_name} #{ref})
     system(*cmd)
   end

@@ -61,7 +61,7 @@ class GitlabProjects
   def create_tag
     tag_name = ARGV.shift
     ref = ARGV.shift || "HEAD"
- -    cmd = %W(git --git-dir=#{full_path} tag #{tag_name} #{ref})
+    cmd = %W(git --git-dir=#{full_path} tag -- #{tag_name} #{ref})
     system(*cmd)
   end

@@ -94,7 +94,7 @@ class GitlabProjects
   def import_project
     @source = ARGV.shift
     $logger.info "Importing project #{@...ject_name} from <#{@...rce}> to
<#{full_path}>."
- -    cmd = %W(git clone --bare #{@...rce} #{full_path})
+    cmd = %W(git clone --bare -- #{@...rce} #{full_path})
     system(*cmd) && create_hooks(full_path)
   end

@@ -156,7 +156,7 @@ class GitlabProjects
     end

     $logger.info "Forking project from <#{full_path}> to
<#{full_destination_path}>."
- -    cmd = %W(git clone --bare #{full_path} #{full_destination_path})
+    cmd = %W(git clone --bare -- #{full_path} #{full_destination_path})
     system(*cmd) && create_hooks(full_destination_path)
   end

</pre>

# Repository access privilege escalation vulnerability in GitLab
There is a repository access privilege escalation vulnerability in GitLab.
This vulnerability has been assigned CVE identifier CVE-2013-4583.

Versions affected: 5.0 and newer

Not affected: 4.2 and older

Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1
(running gitlab-shell 1.7.8)

### Impact
In affected versions a GitLab user can escalate their repository access
privileges and clone a repository that they should not have access to via
Git SSH access. This vulnerability can only be exploited by authenticated
GitLab users.

This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to
work with GitLab 5.4 and newer. All users should update gitlab-shell to
version 1.7.8 immediately.

### Workarounds
If you are unable to upgrade you should apply the following patch in
`/home/git/gitlab-shell`.

<pre>
- --- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -43,7 +43,7 @@ class GitlabShell
   def parse_cmd
     args = Shellwords.shellwords(@origin_cmd)
     @git_cmd = args[0]
- -    @repo_name = args[1]
+    @repo_name = escape_path(args[1])
   end

   def git_cmds
@@ -86,4 +86,12 @@ class GitlabShell
   def log_username
     @config.audit_usernames ? username : "user with key #{@..._id}"
   end
+
+  def escape_path(path)
+    if File.absolute_path(path, repos_path) == File.join(repos_path, path)
+      path
+    else
+      raise "Wrong repository path"
+    end
+  end
 end

</pre>

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJSij8rAAoJEB2vXw0YK62W1ckIAKW2FUCJt95o9CxlDiLZUo6E
VWQwhnr1Eo00w+1kwh0qCZPiwLR4Trlhru43o6I2pvIFI4WgTYUH3Tdw81znD26q
h8wpfFAZRP58b8iucwjrZUl1eBIGGxjvnj7R1fyDLSn9zS2NjIDEh/18fFezVpbW
4/bc5prwpp2n75KlDjDM6g3ZzDaLOurm2/CkEgfVqeCit7wxqwLA9kXDWNHVGV55
3+nOwCSOLQTYy+Lyy9t75SnDYF0b2Lq2rB92KmME2Df/RY6r83ECzS+DyWMZKPZb
hrqfsL6xBJewVcdRg6oBt84+fKDBJ+qACa3cCLTnH7PcYsBjU9+1WH8uAwDjTpM=
=Lrou
-----END PGP SIGNATURE-----


Best regards,

Jacob Vosmaer
GitLab.com


2013/11/15 Kurt Seifried <kseifried@...hat.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/14/2013 09:11 AM, Jacob Vosmaer wrote:
> > We have just released a new security advisory for GitLab at
> > http://blog.gitlab.org/multiple-critical-vulnerabilities-in-gitlab/,
> >
> >
> concerning the following four vulnerabilities:
> >
> > - Unauthenticated API access to GitLab when using MySQL - Remote
> > code execution vulnerability via Git SSH access in GitLab - Local
> > file inclusion vulnerability in GitLab - Repository access
> > privilege escalation vulnerability in GitLab
> >
> > We would like to request four CVE identifiers for these issues.
>
>
> Nice blog write up, one note if you can post a copy with emails it's
> better in case the URL ever dies or something.
>
> CVE-2013-4580 GitLab Unauthenticated API access to GitLab when using MySQL
>
> CVE-2013-4581 GitLab Remote code execution vulnerability via Git SSH
> access in GitLab
>
> CVE-2013-4582 GitLab Local file inclusion vulnerability in GitLab
>
> CVE-2013-4583 GitLab Repository access privilege escalation
> vulnerability in GitLab
>
>
> > Thanks to joernchen of http://www.phenoelit.org/ for reporting
> > these issues to us.
> >
> >
> > Best regards,
> >
> > Jacob Vosmaer GitLab.com
> >
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.15 (GNU/Linux)
>
> iQIcBAEBAgAGBQJShZbTAAoJEBYNRVNeJnmTvPwQALLZnHWNwP6P4E8mtKz2c8J7
> v8+2n1vgTkJsUrxALogci6UnCPPC0z0+Xe8dKSY7Iti7V6aLmGIeRVZzTqDTTKfK
> gtBaOjR/PIAkzHDCkU/XXvXik555knE9SqvYQ3hR3baVZeh+zd1KacibcW03mahJ
> QDJUlT5x0KN6ZobxCUXzGChjsRclD5E3+Kyft2p2ndnqC5B0jS9iwUNVwTE2sGZw
> 3pJTuNmjo73qXGNSeMWfv6QfXBpueU+W40Qiz3yTwLwzmHTU7BXr3joWZ12hEibx
> 6CwJ2NYQmB9GJTlh/jVmrk42hfEcGmdYLWSw4nEQe2JD2CrfGfUTesCaOs9HNmOM
> T8AuzaSBSRpCt4dSBoRQ1NH2k8JiF21cWB1C1TGYrCFjKadzVY62VkJLP0WToF7y
> VOywzSuQQQAm7ZEznNE10XwReQnoZ0l9VgdACSEMmDOdiVwsSFnvPTiFDaM3YGru
> HUYOAXZ56ZXBsRjmC3kp0AWdPpLMOYN1rvfZKWhadNFP6IU8qw3t5JycEPj23Fzm
> l23ggiFmOdgHU6GJ7wCMB1V7Cds4dIYB91QGAdhMy7KB5Ujl2IonqVBqV0nEuHFf
> r67GGx0tvwVJYQJli68coowfZdbPRyP34/cQXcnsDdkYsFuPyEYo7IN5mReqCToh
> rjb7N6oMra/9b4iZ1DQC
> =DKCL
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.