FAQ for CVE-2018-1002150

Following are answers to some questions regarding CVE-2018-1002150 for Koji. If you haven’t already, you should read the announcement.

If you have questions not covered here or in the announcement, please ask them on the koji-devel mailing list.

Q: Does this issue affect Koji clients or builders?

The issue only affects the Koji hub.

Q: How can I tell if I’ve been attacked?

We don’t know of any exploits in the wild. However, to be safe, we will release an intrusion detection document in a few days.

Q: Where are the fixed versions?

Koji versions before 1.12.0 are unaffected
For Koji 1.12, 1.12.1 and higher includes the fix
For Koji 1.13, 1.13.1 and higher includes the fix
For Koji 1.14, 1.14.1 and higher includes the fix
For Koji 1.15, 1.15.1 and higher includes the fix
Koji 1.16.0 and higher will include the fix

You can find all of these versions on our releases page:

https://pagure.io/koji/releases

Q: What about versions before 1.12.0?

Koji versions before 1.12.0 are unaffected (they don’t have the dist-repo feature). However, it would be wise to update your system to the current version.

Q: What can be done with this exploit?

The attacker can trick Koji into moving files around. These can be almost any file that the httpd user can write. The attacker could use this to corrupt Koji’s file store or to reveal any secret files that the httpd user can read.

Q: Can the attacker execute arbitrary code?

Not that we know of.

Q: Where can I get more help?

You can ask questions on the koji-devel mailing list (koji-devel@fedorahosted.org).

For real time communication, we have the #koji IRC channel on Freenode. The best time to ask would be during the Koji devel team “office hours”, which are held each Tuesday and Thursday from 10-11am eastern time.