FAQ for CVE-2018-1002161

Following are answers to some questions regarding CVE-2018-1002161 for Koji. If you haven’t already, you should read the announcement.

If you have questions not covered here or in the announcement, please ask them on the koji-devel mailing list.

Q: Does this issue affect Koji clients or builders?

The issue only affects the Koji hub.

Q: Which versions of Koji are affected?

All previous versions of Koji are affected, except for the legacy-py24 branch because it contains no hub code.

Q: Where are the fixed versions?

For Koji 1.11, 1.11.1 and higher include the fix
For Koji 1.12, 1.12.2 and higher include the fix
For Koji 1.13, 1.13.2 and higher include the fix
For Koji 1.14, 1.14.2 and higher include the fix
For Koji 1.15, 1.15.2 and higher include the fix
For Koji 1.16, 1.16.2 and higher include the fix

You can find all of these versions on our releases page:

https://pagure.io/koji/releases

Q: What about older versions?

We have only backported the fix to Koji versions released in the past few years. If you are still using a very old version of Koji, we strongly recommend that you shut it down and migrate to a newer version.

Q: What can be done with this exploit?

The attacker can directly manipulate the database as they see fit. This would, among other things, allow them to gain the admin permission within Koji. They could destroy or corrupt the database, add new builds, replace existing builds, or any number of other things.

Q: Can the attacker execute arbitrary code?

On the hub, not that we know of.

However, they could create arbitrary tasks, which would be run by the build hosts.

Q: Where can I get more help?

You can ask questions on the koji-devel mailing list (koji-devel@fedorahosted.org).

For real time communication, we have the #koji IRC channel on Freenode. The best time to ask would be during the Koji devel team “office hours”, which are held each Tuesday and Thursday from 10-11am eastern time.