CVE-2018-1002150

Dist repo call missing authorization check allowing filesystem manipulation

Summary

This is a critical security bug.

In versions 1.12.0 through 1.15.0, the Koji hub did not perform an authorization check on the hub.distRepoMove call. By passing carefully constructed arguments to the call, an unauthenticated user can make Koji move content that it should not. This can corrupt any file that the httpd process can write, or disclose any file that the httpd process can read. A user who can authenticate (at any privilege level) can additionally use this mechanism to replace a file with one that they have uploaded.

Workaround

We strongly recommend that all Koji admins implement this workaround immediately. This workaround will effectively disable dist-repo functionality.

Because use of the hub.distRepoMove call requires a valid dist repo that exists on disk, exploitation can be blocked by ensuring that there are none. There are many ways this might be done. We recommend the following:

  1. Move the repos-dist directory to another location (if it exists)
  2. Replace it with a plain text file warning of the situation. Do not skip this step.

For example:

$ cd /mnt/koji
$ mv repos-dist repos-dist.old
$ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist
$ ls -l /mnt/koji/repos-dist
-rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist

When applying this workaround, make sure to take both steps. If you skip the second step, the hub will recreate the repos-dist directory the next time anyone creates a new dist repo, and the call becomes exploitable again.
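The following script is an added example and is not part of this advisory or of the Koji project. It performs the two steps above against a configurable top directory (the advisory uses /mnt/koji) and then verifies the result: repos-dist must be a regular file, not a directory or a symlink, carrying the marker text from the example above. The function names apply_workaround and check_workaround are my own. To keep the script safe to run anywhere, its demonstration at the bottom operates on a constructed temporary stand-in for the Koji top directory; point apply_workaround at the real top directory to apply the workaround for real.

```shell
#!/bin/sh
# Added example, not Koji's own code: apply and verify the CVE-2018-1002150
# workaround (move repos-dist aside, replace it with a plain file).

MARKER="DO NOT REMOVE. CVE-2018-1002150"

# check_workaround TOPDIR
# Succeeds only when TOPDIR/repos-dist is a regular file (not a directory
# and not a symlink) that carries the marker text.
check_workaround() {
    target="$1/repos-dist"
    if [ -d "$target" ]; then
        echo "FAIL: $target is a directory; dist-repo calls are not blocked" >&2
        return 1
    fi
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: $target is missing or is not a regular file" >&2
        return 1
    fi
    if ! grep -qxF "$MARKER" "$target"; then
        echo "FAIL: $target exists but does not carry the marker text" >&2
        return 1
    fi
    echo "OK: $target is a plain file; the hub cannot recreate the dist repo tree"
}

# apply_workaround TOPDIR
# Step 1: move TOPDIR/repos-dist to TOPDIR/repos-dist.old (if it exists).
# Step 2: create the plain marker file in its place so the hub cannot
#         recreate the directory when someone requests a new dist repo.
# Refuses to clobber an existing repos-dist.old or an existing plain file.
apply_workaround() {
    topdir=$1
    target="$topdir/repos-dist"

    if [ -d "$target" ]; then
        if [ -e "$target.old" ]; then
            echo "refusing: $target.old already exists; move it away first" >&2
            return 1
        fi
        mv "$target" "$target.old"
    fi

    if [ ! -e "$target" ]; then
        printf '%s\n' "$MARKER" > "$target"
    fi

    check_workaround "$topdir"
}

# Demonstration against a constructed stand-in for /mnt/koji (hypothetical
# repo name). Replace "$demo_topdir" with the real top directory to apply.
demo_topdir=$(mktemp -d)
mkdir -p "$demo_topdir/repos-dist/example-dist/x86_64"
apply_workaround "$demo_topdir"
ls -l "$demo_topdir/repos-dist" "$demo_topdir/repos-dist.old"
```

check_workaround can be re-run on its own (for example from cron) until the fixed hub is deployed; it fails loudly if repos-dist has turned back into a directory, which is exactly the state in which the call becomes exploitable again.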

Bug fix

Note: because code fixes can take time to deploy, we strongly recommend that all admins apply the above workaround first. The workaround can be easily undone once the fix is in place.

We are releasing updates for each affected version of Koji to fix this bug. The following releases all contain the fix:

  • 1.15.1
  • 1.14.1
  • 1.13.1
  • 1.12.1

Versions prior to 1.12.0 are not vulnerable because they do not have the dist-repo feature. Also, the legacy-py24 branch is unaffected since it is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. If this is not feasible, the patch should be very easy to apply. Please see issue #850 for the code details.

As with all changes to hub code, you must restart httpd for the changes to take effect.