oss-sec mailing list archives
Re: Requesting four (4) CVE identifiers for GitLab
From: Jacob Vosmaer <jacob () gitlab com>
Date: Mon, 18 Nov 2013 17:25:20 +0100
Hi Kurt,

Thanks for assigning the identifiers and thanks for the hint. I have included the updated blog post below.

### Multiple critical vulnerabilities in GitLab

New critical vulnerabilities recently discovered in GitLab enable unauthenticated API access, remote code execution, local file inclusion and unauthorized access to private repositories. All users should update GitLab and gitlab-shell immediately.

_Update (18 November 2013): added CVE numbers._

### Releases

GitLab 5.4.2 and GitLab CE 6.2.4 are available from https://gitlab.com/gitlab-org/gitlab-ce and https://github.com/gitlabhq/gitlabhq; update instructions can be found in https://github.com/gitlabhq/gitlabhq/blob/master/doc/update/patch_versions.md. For more information about GitLab EE 6.2.1 see [our blog post on GitLab.com](http://www.gitlab.com/2013/11/14/multiple-security-vulnerabilities-in-gitlab/).

Gitlab-shell 1.7.8 is available from https://gitlab.com/gitlab-org/gitlab-shell and https://github.com/gitlabhq/gitlab-shell. To upgrade gitlab-shell it suffices to run `sudo su git -c 'git fetch && git checkout v1.7.8'` in /home/git/gitlab-shell.

### Credits

Thanks to joernchen of [Phenoelit](http://www.phenoelit.org/) for reporting these vulnerabilities to us.

# Unauthenticated API access to GitLab when using MySQL

There is an unauthenticated API access vulnerability in all versions of GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4580.

Versions affected: all
Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1

### Impact

On GitLab installations which use MySQL as their database backend it is possible for an attacker to assume the identity of any existing GitLab user in certain API calls. This attack can be performed by unauthenticated users.

This vulnerability has been fixed in GitLab 5.4.2, GitLab Community Edition 6.2.4 and GitLab Enterprise Edition 6.2.1.
### Workarounds If you are unable to upgrade you should apply the following patch and restart GitLab. <pre> - --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -6,19 +6,23 @@ module API SUDO_PARAM = :sudo def current_user - - @current_user ||= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]) + private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s + @current_user ||= User.find_by_authentication_token(private_token) identifier = sudo_identifier() </pre> # Remote code execution vulnerability via Git SSH access in GitLab There is a remote code execution vulnerability via Git SSH access in GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4581. Versions affected: 5.0 and newer Not affected: 4.2 and older Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1 (running gitlab-shell 1.7.8) ### Impact In affected versions an attacker can execute arbitrary code on a GitLab server by pushing carefully crafted changes via Git over SSH. This attack requires a GitLab user with an associated SSH key. This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to work with GitLab 5.4 and newer. All users should update gitlab-shell to version 1.7.8 immediately. ### Workarounds If you are unable to upgrade, please apply the following patch in `/home/git/gitlab-shell`. <pre> - --- a/lib/gitlab_config.rb +++ b/lib/gitlab_config.rb @@ -48,12 +48,12 @@ class GitlabConfig if redis.empty? # Default to old method of connecting to redis # for users that haven't updated their configuration - - "env -i redis-cli" + %W(env -i redis-cli) else if redis.has_key?("socket") - - "#{redis['bin']} -s #{redis['socket']}" + %W(#{redis['bin']} -s #{redis['socket']}) else - - "#{redis['bin']} -h #{redis['host']} -p #{redis['port']}" + %W(#{redis['bin']} -h #{redis['host']} -p #{redis['port']}) end end end - --- a/lib/gitlab_update.rb +++ b/lib/gitlab_update.rb 
@@ -1,5 +1,6 @@ require_relative 'gitlab_init' require_relative 'gitlab_net' +require 'json' class GitlabUpdate attr_reader :config @@ -53,7 +54,8 @@ class GitlabUpdate end def update_redis - - command = "#{config.redis_command} rpush '#{config.redis_namespace}:queue:post_receive' '{\"class\":\"PostReceive\",\"args\":[\"# - - system(command) + queue = "#{config.redis_namespace}:queue:post_receive" + msg = JSON.dump({'class' => 'PostReceive', 'args' => [@repo_path, @oldrev, @newrev, @refname, @key_id]}) + system(*config.redis_command, 'rpush', queue, msg, err: '/dev/null', out: '/dev/null') end end </pre> # Local file inclusion vulnerability in GitLab There is a local file inclusion vulnerability in GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4582. Versions affected: 5.0 and newer Not affected: 4.2 and older Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1 (running gitlab-shell 1.7.8) ### Impact In affected versions an attacker can include the contents of a local file in the metadata of a Git repository hosted on the server via the GitLab web interface. This vulnerability can only be exploited by authenticated GitLab users. This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to work with GitLab 5.4 and newer. All users should update gitlab-shell to version 1.7.8 immediately. ### Workarounds If you are unable to upgrade you should apply the following patch in `/home/git/gitlab-shell`. <pre> - --- a/lib/gitlab_projects.rb +++ b/lib/gitlab_projects.rb @@ -48,7 +48,7 @@ class GitlabProjects def create_branch branch_name = ARGV.shift ref = ARGV.shift || "HEAD" - - cmd = %W(git --git-dir=#{full_path} branch #{branch_name} #{ref}) + cmd = %W(git --git-dir=#{full_path} branch -- #{branch_name} #{ref}) system(*cmd) end 
@@ -61,7 +61,7 @@ class GitlabProjects def create_tag tag_name = ARGV.shift ref = ARGV.shift || "HEAD" - - cmd = %W(git --git-dir=#{full_path} tag #{tag_name} #{ref}) + cmd = %W(git --git-dir=#{full_path} tag -- #{tag_name} #{ref}) system(*cmd) end @@ -94,7 +94,7 @@ class GitlabProjects def import_project @source = ARGV.shift $logger.info "Importing project #{@project_name} from <#{@source}> to <#{full_path}>." - - cmd = %W(git clone --bare #{@source} #{full_path}) + cmd = %W(git clone --bare -- #{@source} #{full_path}) system(*cmd) && create_hooks(full_path) end @@ -156,7 +156,7 @@ class GitlabProjects end $logger.info "Forking project from <#{full_path}> to <#{full_destination_path}>." - - cmd = %W(git clone --bare #{full_path} #{full_destination_path}) + cmd = %W(git clone --bare -- #{full_path} #{full_destination_path}) system(*cmd) && create_hooks(full_destination_path) end </pre> # Repository access privilege escalation vulnerability in GitLab There is a repository access privilege escalation vulnerability in GitLab. This vulnerability has been assigned CVE identifier CVE-2013-4583. Versions affected: 5.0 and newer Not affected: 4.2 and older Fixed versions: 5.4.2, Community Edition 6.2.4, Enterprise Edition 6.2.1 (running gitlab-shell 1.7.8) ### Impact In affected versions a GitLab user can escalate their repository access privileges and clone a repository that they should not have access to via Git SSH access. This vulnerability can only be exploited by authenticated GitLab users. This vulnerability has been fixed in gitlab-shell 1.7.8, which is known to work with GitLab 5.4 and newer. All users should update gitlab-shell to version 1.7.8 immediately. ### Workarounds If you are unable to upgrade you should apply the following patch in `/home/git/gitlab-shell`. <pre> - --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb 
@@ -43,7 +43,7 @@ class GitlabShell def parse_cmd args = Shellwords.shellwords(@origin_cmd) @git_cmd = args[0] - - @repo_name = args[1] + @repo_name = escape_path(args[1]) end def git_cmds @@ -86,4 +86,12 @@ class GitlabShell def log_username @config.audit_usernames ? username : "user with key #{@key_id}" end + + def escape_path(path) + if File.absolute_path(path, repos_path) == File.join(repos_path, path) + path + else + raise "Wrong repository path" + end + end end </pre>

Best regards,
Jacob Vosmaer
GitLab.com

2013/11/15 Kurt Seifried <kseifried () redhat com>
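Review bot: the lib/api/helpers.rb hunk `@@ -6,19 +6,23 @@` is truncated in this mail: the header announces 23 lines in the new file but only the first lines of `def current_user` are shown, so `patch -p1` will reject it as posted; please re-send the complete hunk or link the commit. On the substance, converting the token with `.to_s` before `find_by_authentication_token` is what keeps a request parameter that is not a plain string from reaching the MySQL comparison, and a one-line comment saying so would stop a later cleanup from dropping the cast as redundant. A missing token now arrives as `""`, so the lookup only stays safe as long as no user row carries an empty `authentication_token`; an explicit `return nil if private_token.empty?` would make that independent of the database contents.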
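Review bot: the lib/gitlab_config.rb hunk `@@ -48,12 +48,12 @@` changes the return type of `redis_command` from String to Array, so any caller that still interpolates it into a shell string will break (interpolating an Array yields its inspect form) rather than fail safely; the gitlab_update.rb hunk in this patch is adapted, but please confirm there are no other call sites and note the new type in a comment on the method. Also, `%W(#{redis['bin']} -s #{redis['socket']})` splits on whitespace at parse time, so a `bin` or `socket` value containing a space becomes several arguments; documenting that limitation next to the config keys avoids a confusing failure.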
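Review bot: the removed line in the lib/gitlab_update.rb hunk `@@ -53,7 +54,8 @@` is cut off in the mail after `\"args\":[\"#`, so this patch cannot be applied from the message as posted; please re-send it or point at the commit. The replacement has the right shape: `JSON.dump` builds the message and `system(*config.redis_command, 'rpush', queue, msg, ...)` hands the repository path, revisions and refname to `redis-cli` as separate arguments with no shell in between, which is what closes the injection. Two smaller points: the `err:`/`out:` keyword options on `Kernel#system` need Ruby 1.9 or newer, which belongs in the upgrade notes, and the return value of `system` is not checked, so a failed `rpush` (Redis down) is now silent because stderr goes to /dev/null as well; logging when `system` returns false would help operators.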
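Review bot: the four lib/gitlab_projects.rb hunks (`@@ -48,7 +48,7 @@`, `@@ -61,7 +61,7 @@`, `@@ -94,7 +94,7 @@`, `@@ -156,7 +156,7 @@`) all insert `--` so that `git` stops option parsing before the user-controlled branch name, tag name, clone source or destination; that is the correct fix for values beginning with `-`, and a short comment at each site would keep the `--` from being dropped in a later refactor. For `create_branch` and `create_tag`, running the name through `git check-ref-format` first, or at least rejecting a leading `-`, would return a clear error instead of a git usage message. For `import_project`, `--` only protects the argument position; `@source` remains an arbitrary path or URL, so the caller should restrict the schemes and hosts it accepts before invoking gitlab-shell.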
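Review bot: in the lib/gitlab_shell.rb hunk `@@ -86,4 +86,12 @@`, `escape_path(nil)` raises a TypeError from `File.absolute_path` instead of the intended "Wrong repository path", and `args[1]` is nil whenever the SSH command carries no repository argument; add `raise "Wrong repository path" unless path.is_a?(String)` before the comparison. The name is also misleading: the method validates the path and returns it unchanged, it escapes nothing, so `validate_path` or `check_path` would read better. The check itself is sound: `File.absolute_path` resolves `.`, `..` and a leading `/` while `File.join` only concatenates, so any argument that does not stay directly below `repos_path` fails the equality; it also rejects harmless forms such as `group/./repo.git`, which is acceptable but worth a comment.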
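The containment check behind `escape_path` in the gitlab_shell.rb patch, reworked as an added example that is not gitlab-shell's own code: it handles a missing argument and returns the reason for a rejection, and `REPOS_PATH` is an assumed repository root rather than a value from the page.

```ruby
# Added example, not gitlab-shell's own code: the containment check behind
# escape_path in the gitlab_shell.rb patch, with the nil case handled and a
# reason returned instead of a bare raise.

# Assumed repository root; gitlab-shell reads the real value from its config.
REPOS_PATH = '/home/git/repositories'.freeze

# Returns [true, path] when `path` names something directly below repos_path,
# otherwise [false, reason]. File.absolute_path resolves ".", ".." and a
# leading "/" while File.join only concatenates, so any path that would leave
# the root (or even contains a dot component) makes the two results differ.
def check_repo_path(path, repos_path = REPOS_PATH)
  return [false, 'missing repository argument'] unless path.is_a?(String) && !path.empty?
  return [false, 'absolute path not allowed'] if path.start_with?('/')
  if File.absolute_path(path, repos_path) != File.join(repos_path, path)
    return [false, 'path escapes repository root']
  end
  [true, path]
end

# Constructed sample arguments, as an SSH command would hand them to gitlab-shell.
SAMPLE_ARGS = ['group/project.git', '../etc/passwd', '/etc/passwd',
               'group/../../project.git', nil].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ARGS.each do |arg|
    ok, detail = check_repo_path(arg)
    puts "#{arg.inspect}: #{ok ? 'accepted' : "rejected (#{detail})"}"
  end
end
```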
On 11/14/2013 09:11 AM, Jacob Vosmaer wrote:
> We have just released a new security advisory for GitLab at
> http://blog.gitlab.org/multiple-critical-vulnerabilities-in-gitlab/, concerning the following four vulnerabilities:
>
> - Unauthenticated API access to GitLab when using MySQL
> - Remote code execution vulnerability via Git SSH access in GitLab
> - Local file inclusion vulnerability in GitLab
> - Repository access privilege escalation vulnerability in GitLab
>
> We would like to request four CVE identifiers for these issues.

Nice blog write-up. One note: if you can post a copy with emails it's better, in case the URL ever dies or something.

CVE-2013-4580 GitLab Unauthenticated API access to GitLab when using MySQL
CVE-2013-4581 GitLab Remote code execution vulnerability via Git SSH access in GitLab
CVE-2013-4582 GitLab Local file inclusion vulnerability in GitLab
CVE-2013-4583 GitLab Repository access privilege escalation vulnerability in GitLab

> Thanks to joernchen of http://www.phenoelit.org/ for reporting these issues to us.
> Best regards,
> Jacob Vosmaer
> GitLab.com

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993