# Remote code execution vulnerability in the SSH key upload feature of GitLab There is a remote code execution vulnerability in the SSH key upload feature of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4490. Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2 Not affected: 4.2 and earlier Fixed versions: 5.4.1, 6.2.3 ### Impact The gitlab-shell SSH access endpoint manages the authorized_keys file for the git user. When a user adds a public key using the GitLab web interface a gitlab-shell command is invoked to add the public key to authorized_keys. In affected versions, the public key text entered by the user is exposed to the Bourne shell in a way that can be exploited to achieve code execution as the git user. Only authenticated users can upload an SSH key. All users running an affected release should upgrade gitlab-shell immediately. ### Releases Gitlab-shell 1.7.4, available from https://github.com/gitlabhq/gitlab-shell, fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab 6.2.3. ### Workarounds If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1 or GitLab 6.2.3 you should apply the following edit to gitlab-shell. - --- a/lib/gitlab_keys.rb +++ b/lib/gitlab_keys.rb @@ -29,8 +29,7 @@ class GitlabKeys def add_key $logger.info "Adding key #{@key_id} => #{@key.inspect}" cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@key}" - - cmd = "echo \'#{cmd}\' >> #{auth_file}" - - system(cmd) + open(auth_file, 'a') { |file| file.puts(cmd) } end def rm_key ### Credits Thanks to Nigel Kukard of http://www.allworldit.com/ for reporting the vulnerability to us.