oss-sec mailing list archives

CVE-2013-4490 Remote code execution vulnerability in the SSH key upload feature of GitLab


From: Jacob Vosmaer <jacob () gitlab com>
Date: Mon, 4 Nov 2013 20:01:15 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Remote code execution vulnerability in the SSH key upload feature of GitLab

There is a remote code execution vulnerability in the SSH key upload
feature of GitLab. This vulnerability has been assigned the CVE identifier
CVE-2013-4490.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2

Not affected: 4.2 and earlier

Fixed versions: 5.4.1, 6.2.3

### Impact
The gitlab-shell SSH access endpoint manages the authorized_keys file for
the git user. When a user adds a public key through the GitLab web interface,
a gitlab-shell command is invoked to append the key to authorized_keys.
In affected versions that command builds a single-quoted echo string
containing the user-supplied key text and hands it to the Bourne shell via
system(). A single quote in the key text terminates the quoted literal, so
whatever follows it is executed as shell commands by the git user. Only
authenticated users can upload an SSH key, so exploitation requires a GitLab
account.
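The following is an added example, not code from this advisory or from the
gitlab-shell project. It reproduces the shape of the pre-1.7.4 add_key
(single-quoted echo passed to system()) beside the fixed shape (direct file
append) and runs both against a constructed key text containing a single
quote. ROOT_PATH, the key id and the marker file are assumptions for the
demonstration; the payload only touches a file in a scratch directory.

```ruby
require "tmpdir"

# Assumed install prefix; the real gitlab-shell derives ROOT_PATH at runtime.
ROOT_PATH = "/home/git/gitlab-shell"

# authorized_keys entry in the shape gitlab_keys.rb builds: forced command,
# restrictive options, then the user-supplied key text.
def authorized_keys_line(key_id, key)
  "command=\"#{ROOT_PATH}/bin/gitlab-shell #{key_id}\"," \
    "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{key}"
end

# Pre-1.7.4 pattern: single-quote the entry and hand it to /bin/sh via system().
# A single quote inside `key` closes the literal; the rest runs as the git user.
# Returns the command string that was executed.
def add_key_via_shell(auth_file, key_id, key)
  cmd = "echo '#{authorized_keys_line(key_id, key)}' >> #{auth_file}"
  system(cmd)
  cmd
end

# 1.7.4 fix: append with Ruby file I/O. The key text is data, never shell input.
# Returns the line written.
def add_key_via_file(auth_file, key_id, key)
  line = authorized_keys_line(key_id, key)
  File.open(auth_file, "a") { |f| f.puts(line) }
  line
end

# Run both variants against a crafted key in a scratch directory.
# Returns { shell_marker:, file_marker:, file_line: } so the outcome is checkable.
def demo
  Dir.mktmpdir do |dir|
    marker     = File.join(dir, "pwned")
    auth_shell = File.join(dir, "authorized_keys.shell")
    auth_file  = File.join(dir, "authorized_keys.file")
    # Constructed payload: not a valid key, just a quote breakout and a harmless command.
    key = "ssh-rsa AAAAB3Nza'; touch #{marker}; echo '"

    add_key_via_shell(auth_shell, "key-1", key)
    shell_marker = File.exist?(marker)
    File.delete(marker) if shell_marker

    add_key_via_file(auth_file, "key-1", key)
    {
      shell_marker: shell_marker,              # true: payload ran under /bin/sh
      file_marker:  File.exist?(marker),       # false: nothing was executed
      file_line:    File.read(auth_file).chomp # the raw key text, quote included
    }
  end
end

if __FILE__ == $0
  r = demo
  puts "shell-based add_key executed payload: #{r[:shell_marker]}"
  puts "file-based add_key executed payload:  #{r[:file_marker]}"
  puts "file-based add_key wrote: #{r[:file_line]}"
end
```

With the shell-based variant the marker file appears, because sh sees
three commands once the quote is closed. With the file-based variant the
same text lands verbatim in authorized_keys; sshd will simply reject it as
an unparsable key, which is the failure mode you want.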

All users running an affected release should upgrade gitlab-shell
immediately.

### Releases
Gitlab-shell 1.7.4, available from https://github.com/gitlabhq/gitlab-shell,
fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab
6.2.3.

### Workarounds
If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1
or GitLab 6.2.3 you should apply the following edit to gitlab-shell.

- --- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -29,8 +29,7 @@ class GitlabKeys
   def add_key
     $logger.info "Adding key #{@key_id} => #{@key.inspect}"
     cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell
#{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
#{@key}"
- -    cmd = "echo \'#{cmd}\' >> #{auth_file}"
- -    system(cmd)
+    open(auth_file, 'a') { |file| file.puts(cmd) }
   end

   def rm_key
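Review bot: the replacement line `open(auth_file, 'a') { |file| file.puts(cmd) }` still writes @key verbatim, so a key text containing a newline would append a second authorized_keys line under the user's control, outside the forced command and the no-* options prepended on the line above; add_key should reject or strip newlines (and other control characters) from @key before writing, or validate it as a single public-key line. As a smaller point, prefer File.open over Kernel#open here, since Kernel#open treats a path beginning with "|" as a command to spawn; auth_file comes from configuration, so this is a hardening nit rather than a second injection.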

### Credits
Thanks to Nigel Kukard of http://www.allworldit.com/ for reporting the
vulnerability to us.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJSd+6/AAoJEB2vXw0YK62WNNoIAJr4Mz0d4LjznjXzYjE/So0/
cy3QxXjgNLjF2MiuAzDlnLCCRbUYcSpy50LZmGYSbv5YOF0cUknVge2R9+EJaSkk
qJDxTDr02zX13e2YKEv158lgljJWI3+hT3+UjwCpSasPckkcyD48X8o2dT4BYRGc
SbZxXMSLUg63np4db2zHjZqvpOr0txNYflduYsAZv5uld/Koy0YIBec2TfBVJWrg
ghtooOQ/IIXQRe3Qjl+8uRLGEBlPmmsMv0mC5/t5Wo/3RMg/3MQ4Ez1FAAeutbPw
qTZLxh7sXcMvVdkx24KoCSK+//IRa91bNxRiK2pDi6fNGuzxs2a21PEKAwHfJsA=
=UL60
-----END PGP SIGNATURE-----

Best regards,

Jacob Vosmaer
GitLab.com
