================
CVE-2018-1002150
================

Dist repo call missing authorization check allowing filesystem manipulation


.. toctree::
    :hidden:

    CVE-2018-1002150-FAQ

Summary
-------

This is a critical security bug.

From versions 1.12.0 to 1.15.0, the Koji hub did not perform proper
access checks for the hub.distRepoMove call. By passing carefully
constructed arguments to the call, an unauthenticated user can trick
Koji into moving content around that it should not. This could result in
corrupting any files that the httpd process can write to, or revealing
any files that the httpd process can read. If the user can authenticate
(at any privilege level), then they can use this mechanism to replace a
file with one that they have uploaded.

Workaround
----------

*We strongly recommend that all Koji admins implement this workaround
immediately.* This workaround will effectively disable dist-repo
functionality.

Because use of the hub.distRepoMove call requires a valid dist repo that
exists on disk, exploitation can be blocked by ensuring that there are
none. There are many ways this might be done. We recommend the
following:

1. Move the repos-dist directory to another location (if it exists)
2. Replace it with a plain text file warning of the situation. Do not
   skip this step.

For example::

    $ cd /mnt/koji
    $ mv repos-dist repos-dist.old
    $ echo "DO NOT REMOVE. CVE-2018-1002150" > repos-dist
    $ ls -l /mnt/koji/repos-dist
    -rw-r--r--. 1 root root 32 Mar 19 14:35 /mnt/koji/repos-dist

When applying this workaround, make sure to take both steps. If you do
not, then the system will recreate the directory if anyone creates
a new dist repo.
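As an added check that is not part of the original advisory, the following POSIX shell function reports whether the workaround is still in effect on a hub host, distinguishing the placeholder file from a recreated directory; it assumes the hub topdir is ``/mnt/koji`` as in the example above (the ``KOJI_TOPDIR`` variable is this example's own, not a Koji setting).

```shell
#!/bin/sh
# Added example, not part of the Koji advisory: report whether the
# CVE-2018-1002150 workaround (a placeholder file in place of the
# repos-dist directory) is still in effect on a hub host.
# Assumes the hub topdir is /mnt/koji, as in the advisory's example;
# KOJI_TOPDIR is this script's own variable, not a Koji config option.

KOJI_TOPDIR="${KOJI_TOPDIR:-/mnt/koji}"

# check_repos_dist PATH
#   Prints one status line and returns:
#     0  workaround in place: PATH is a regular file carrying the CVE marker
#     1  PATH is a directory: dist repos can exist, so an unpatched hub
#        is exposed through hub.distRepoMove
#     2  PATH is missing: nothing stops the hub from recreating the
#        directory the next time someone creates a dist repo
#     3  PATH is a regular file but lacks the marker (unexpected content)
check_repos_dist() {
    path="$1"
    if [ -d "$path" ]; then
        echo "VULNERABLE: $path is a directory (dist repos present)"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "UNPROTECTED: $path is missing; the hub may recreate it"
        return 2
    fi
    if [ -f "$path" ] && grep -q 'CVE-2018-1002150' "$path"; then
        echo "OK: $path is the placeholder file; workaround in place"
        return 0
    fi
    echo "WARNING: $path exists but is not the expected placeholder"
    return 3
}

# When run directly on a hub host, check the real location (or the
# path given as the first argument).
if [ $# -gt 0 ] || [ -e "$KOJI_TOPDIR" ]; then
    check_repos_dist "${1:-$KOJI_TOPDIR/repos-dist}"
fi
```

Run it from cron or a monitoring hook so that a recreated ``repos-dist`` directory (the failure mode described above) is noticed before the fix is deployed.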


Bug fix
-------

*Note: because code fixes can take time to deploy, we strongly recommend
that all admins apply the above workaround first. The workaround can be
easily undone once the fix is in place.*

We are releasing updates for each affected version of Koji to fix this
bug. The following `releases <https://pagure.io/koji/releases>`_ all
contain the fix:

-  1.15.1
-  1.14.1
-  1.13.1
-  1.12.1

Versions prior to 1.12.0 are not vulnerable because they do not have the
dist-repo feature. Also, the legacy-py24 branch is unaffected since it
is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing
your work onto the appropriate update release. If this is not feasible,
the patch should be very easy to apply. Please see `issue
#850 <https://pagure.io/koji/issue/850>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes
to take effect.

Links
-----

Fixed versions can be found at our releases page:

    https://pagure.io/koji/releases

Questions and answers about this issue:

    :doc:`CVE-2018-1002150-FAQ`