Message-ID: <CAB8Fin_eXgePbW5OdH1iWxyiwm60y13sD2ooWKCCceeEWixSKA@mail.gmail.com>
Date: Mon, 4 Nov 2013 20:01:15 +0100
From: Jacob Vosmaer <jacob@...lab.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-4490 Remote code execution vulnerability in the SSH key upload feature of GitLab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Remote code execution vulnerability in the SSH key upload feature of GitLab

There is a remote code execution vulnerability in the SSH key upload feature of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4490.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 4.2 and earlier
Fixed versions: 5.4.1, 6.2.3

### Impact

The gitlab-shell SSH access endpoint manages the authorized_keys file for the git user. When a user adds a public key using the GitLab web interface, a gitlab-shell command is invoked to add the public key to authorized_keys. In affected versions, the public key text entered by the user is exposed to the Bourne shell in a way that can be exploited to achieve code execution as the git user. Only authenticated users can upload an SSH key.

All users running an affected release should upgrade gitlab-shell immediately.

### Releases

Gitlab-shell 1.7.4, available from https://github.com/gitlabhq/gitlab-shell, fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab 6.2.3.

### Workarounds

If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1 or GitLab 6.2.3, you should apply the following edit to gitlab-shell.

- --- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -29,8 +29,7 @@ class GitlabKeys
   def add_key
     $logger.info "Adding key #{@..._id} => #{@....inspect}"
     cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@..._id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@...}"
- -    cmd = "echo \'#{cmd}\' >> #{auth_file}"
- -    system(cmd)
+    open(auth_file, 'a') { |file| file.puts(cmd) }
   end

   def rm_key

### Credits

Thanks to Nigel Kukard of http://www.allworldit.com/ for reporting the vulnerability to us.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Best regards,
Jacob Vosmaer
GitLab.com
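Review bot: The replacement line `open(auth_file, 'a') { |file| file.puts(cmd) }` uses `Kernel#open`, which treats a path beginning with `|` as a command to spawn; `auth_file` is configuration rather than user input here, so the hunk is not exploitable on that account, but `File.open(auth_file, 'a')` would make the intent (open a file, never a process) explicit and idiomatic. The removal of the `echo '...' >> file` / `system(cmd)` pair is the right fix, since that is where the interpolated key text met the Bourne shell; note that `puts` still writes `#{@...}` verbatim, so validating the key as one well-formed `type base64 [comment]` line before `add_key` would guarantee each upload yields exactly one authorized_keys entry.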
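As an added example (not gitlab-shell's own code, and written independently of the fix above), the same add_key step with the key text validated as a single well-formed authorized_keys entry and appended with File.open rather than a shell command; ROOT_PATH is an assumed placeholder install path and the sample key is constructed.

```ruby
require 'tempfile'

# Added example, not gitlab-shell's own code. ROOT_PATH is an assumed
# placeholder for the gitlab-shell install directory.
ROOT_PATH = '/home/git/gitlab-shell'.freeze
KEY_TYPES = %w[ssh-rsa ssh-dss ecdsa-sha2-nistp256 ssh-ed25519].freeze
OPTIONS = 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'.freeze

# Accepts only a single-line "type base64 [comment]" public key and returns
# [type, blob, comment]; anything else (line breaks, quotes, stray shell
# characters, unknown key types) yields nil so it never reaches the file.
def parse_public_key(text)
  return nil unless text.is_a?(String) && !text.match?(/[\r\n]/)
  type, blob, comment = text.strip.split(' ', 3)
  return nil unless KEY_TYPES.include?(type) && blob
  return nil unless blob.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
  comment = comment.to_s
  return nil unless comment.match?(/\A[\w.@\-]*\z/)
  [type, blob, comment]
end

# Builds the restricted authorized_keys entry that forces every login through
# gitlab-shell with the key's id, mirroring the shape of the advisory's cmd.
def authorized_keys_line(key_id, key_text)
  type, blob, comment = parse_public_key(key_text)
  raise ArgumentError, 'malformed public key' unless type
  entry = [type, blob, comment].reject(&:empty?).join(' ')
  %(command="#{ROOT_PATH}/bin/gitlab-shell #{Integer(key_id)}",#{OPTIONS} #{entry})
end

# Appends the entry with File.open: no shell is involved, so there is no
# quoting for the key text to break out of. Returns the line written.
def add_key(auth_file, key_id, key_text)
  line = authorized_keys_line(key_id, key_text)
  File.open(auth_file, 'a') { |f| f.puts(line) }
  line
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample key (not a real key), written to a temporary file.
  sample = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVzdGFibGlzaGVkLXRlc3Qta2V5 alice@example.test'
  Tempfile.create('authorized_keys') do |f|
    puts add_key(f.path, 7, sample)
  end
end
```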