gitlab-shell Security vulnerability

2013.11.11

Credit: Remy van Elst

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-4546

CWE: CWE-Other

Ogólna skala CVSS: 6.5/10

Znaczenie: 6.4/10

Łatwość wykorzystania: 8/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Jednorazowa

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Częściowy

### Security vulnerability in gitlab-shell (CVE-2013-4546)

We have learned about a second remote code execution vulnerability in
gitlab-shell. This issue was fixed in gitlab-shell 1.7.4, so users who
updated gitlab-shell after [our recent security
announcement](../gitlab-ce-6-2-and-5-4-security-release/) are not affected.

# Remote code execution vulnerability in the repository import feature of
older versions of GitLab

There is a remote code execution vulnerability in the repository import
feature of older versions of GitLab. This vulnerability has been assigned
the CVE identifier CVE-2013-4546.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2

Not affected: 4.2 and earlier

Fixed versions: 5.4.1, Community Edition 6.2.3, Enterprise Edition 6.2.0
(all using gitlab-shell 1.7.4)

### Impact
When creating a new project a GitLab user can specify that a remote
repository should be imported into the new project. In affected versions
the import URL text field can be used to execute code on the GitLab server.
Only authenticated users can create new projects and import repositories.

This vulnerability was fixed in gitlab-shell 1.7.4. All users running
GitLab 5.4 or newer should verify that they are using gitlab-shell 1.7.4 or
newer (`cat /home/git/gitlab-shell/VERSION`) and upgrade gitlab-shell
immediately if necessary.

### Releases
Gitlab-shell 1.7.4 is available from
https://gitlab.com/gitlab-org/gitlab-shell and
https://github.com/gitlabhq/gitlab-shell . To upgrade gitlab-shell it
suffices to run `sudo su git -c 'git fetch && git checkout v1.7.4'` in
/home/git/gitlab-shell .

### Workarounds
If you are unable to upgrade you can disable the repository import
functionality in GitLab by deleting the following code block from
`app/contexts/projects/create_context.rb` and restarting GitLab:

<pre>
# Import project from cloneable resource
if @project.valid? && @project.import_url.present?
  shell = Gitlab::Shell.new
  if shell.import_repository(@project.path_with_namespace,
@project.import_url)
    # We should create satellite for imported repo
    @project.satellite.create unless @project.satellite.exists?
    @project.imported = true
    true
  else
    @project.errors.add(:import_url, 'cannot clone repo')
  end
end
</pre>

### Credits
Thanks to Remy van Elst https://raymii.org/ for reporting the vulnerability
to us.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

gitlab-shell Security vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.