oss-sec mailing list archives
CVE-2013-4490 Remote code execution vulnerability in the SSH key upload feature of GitLab
From: Jacob Vosmaer <jacob () gitlab com>
Date: Mon, 4 Nov 2013 20:01:15 +0100
# Remote code execution vulnerability in the SSH key upload feature of GitLab

There is a remote code execution vulnerability in the SSH key upload feature of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4490.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 4.2 and earlier
Fixed versions: 5.4.1, 6.2.3

### Impact

The gitlab-shell SSH access endpoint manages the authorized_keys file for the git user. When a user adds a public key using the GitLab web interface, a gitlab-shell command is invoked to add the public key to authorized_keys. In affected versions, the public key text entered by the user is exposed to the Bourne shell in a way that can be exploited to achieve code execution as the git user. Only authenticated users can upload an SSH key.

All users running an affected release should upgrade gitlab-shell immediately.

### Releases

Gitlab-shell 1.7.4, available from https://github.com/gitlabhq/gitlab-shell, fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab 6.2.3.

### Workarounds

If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1 or GitLab 6.2.3, you should apply the following edit to gitlab-shell.

```diff
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -29,8 +29,7 @@ class GitlabKeys
   def add_key
     $logger.info "Adding key #{@key_id} => #{@key.inspect}"
     cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@key}"
-    cmd = "echo \'#{cmd}\' >> #{auth_file}"
-    system(cmd)
+    open(auth_file, 'a') { |file| file.puts(cmd) }
   end
 
   def rm_key
```

### Credits

Thanks to Nigel Kukard of http://www.allworldit.com/ for reporting the vulnerability to us.

Best regards,
Jacob Vosmaer
GitLab.com
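Review bot: the replacement line `open(auth_file, 'a') { |file| file.puts(cmd) }` takes the shell out of the write, but `@key` is still interpolated into `cmd` with no format check, so the method should reject key text that contains a newline or carriage return, or that is not a single OpenSSH public key line, before writing; otherwise one upload can append more than one authorized_keys entry, and only the first carries the forced `command=` prefix. A one-line validation at the top of `add_key`, and a note in the method's documentation that the key must be a single line, would close that gap.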
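The direct-write approach the patch above takes, together with the key-format check it does not add, as an added Ruby example that is not gitlab-shell's own code: ROOT_PATH, the `key-N` id format and the sample key are assumed.

```ruby
require 'tempfile' # used only when exercising add_key against a scratch file

# Assumed install path for illustration; gitlab-shell derives ROOT_PATH itself.
ROOT_PATH = '/home/git/gitlab-shell'

# One OpenSSH public key line: key type, base64 blob, optional comment.
KEY_LINE = /\A(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+\/]+=*( [^\r\n]*)?\z/
# Key ids are assumed to look like "key-123".
KEY_ID = /\Akey-\d+\z/

class KeyFormatError < StandardError; end

# Builds the forced-command authorized_keys entry. Anything that is not
# exactly one well-formed public key line is rejected before it is written,
# so a single upload can never produce a second, unrestricted entry.
def authorized_key_line(key_id, key)
  raise KeyFormatError, "bad key id #{key_id.inspect}" unless key_id =~ KEY_ID
  key = key.strip
  if key.include?("\n") || key.include?("\r")
    raise KeyFormatError, 'public key must be a single line'
  end
  raise KeyFormatError, 'not an OpenSSH public key line' unless key =~ KEY_LINE
  %(command="#{ROOT_PATH}/bin/gitlab-shell #{key_id}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{key})
end

# Appends the entry by writing the file directly (the approach the fix
# takes): the key text is data in the file, never part of a command line.
def add_key(auth_file, key_id, key)
  line = authorized_key_line(key_id, key)
  File.open(auth_file, 'a') { |f| f.puts(line) }
  line
end

# Constructed sample key (not a real credential).
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx alice@example\n"

if __FILE__ == $PROGRAM_NAME
  tmp = Tempfile.new('authorized_keys')
  puts add_key(tmp.path, 'key-7', SAMPLE_KEY)
end
```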