# Remote code execution vulnerability in the SSH key upload feature of GitLab
There is a remote code execution vulnerability in the SSH key upload
feature of GitLab. This vulnerability has been assigned the CVE identifier
CVE-2013-4490.
Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 4.2 and earlier
Fixed versions: 5.4.1, 6.2.3
### Impact
The gitlab-shell SSH access endpoint manages the authorized_keys file for
the git user. When a user adds a public key using the GitLab web interface,
a gitlab-shell command is invoked to add the public key to authorized_keys.
In affected versions, the public key text entered by the user is exposed to
the Bourne shell in a way that can be exploited to achieve code execution
as the git user. Only authenticated users can upload an SSH key.
All users running an affected release should upgrade gitlab-shell
immediately.
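
A shell-free way to write the entry, with a format check before the append, as an added example (not gitlab-shell's own code). `SHELL_PATH`, the `key-<digits>` id format, the list of accepted key types and the `KEY_FORMAT` pattern are assumptions made for the illustration.

```ruby
require "tempfile"

# Hypothetical values for this example; not taken from gitlab-shell.
SHELL_PATH = "/home/git/gitlab-shell/bin/gitlab-shell" # assumed install path
OPTIONS    = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

# One line only: key type, base64 blob, optional comment without control
# characters. \A and \z anchor the whole string; in Ruby ^ and $ anchor each
# line, so they would accept text that merely contains one valid line.
KEY_FORMAT = /\A(?:ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+\/]+={0,2}(?: [^\x00-\x1f\x7f]*)?\z/

class InvalidKey < StandardError; end

# Build the authorized_keys entry the advisory describes, rejecting any input
# that is not a single line of public-key text.
def authorized_keys_line(key_id, key)
  raise InvalidKey, "key id must look like key-<digits>" unless key_id =~ /\Akey-\d+\z/ # assumed id format
  raise InvalidKey, "not a single-line public key" unless key =~ KEY_FORMAT
  %(command="#{SHELL_PATH} #{key_id}",#{OPTIONS} #{key})
end

# Append through the file API under an exclusive lock. No shell ever parses
# the text, so quotes and other metacharacters are stored as plain bytes.
def add_key(auth_file, key_id, key)
  line = authorized_keys_line(key_id, key)
  File.open(auth_file, File::WRONLY | File::APPEND | File::CREAT, 0600) do |f|
    f.flock(File::LOCK_EX)
    f.puts(line)
  end
  line
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create("authorized_keys") do |tmp|
    # Constructed sample key; the comment carries a quote character on purpose.
    sample = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly o'brien@example"
    puts add_key(tmp.path, "key-1", sample)
  end
end
```
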
### Releases
Gitlab-shell 1.7.4, available from https://github.com/gitlabhq/gitlab-shell,
fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab
6.2.3.
### Workarounds
If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1
or GitLab 6.2.3, you should apply the following edit to gitlab-shell.
- --- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -29,8 +29,7 @@ class GitlabKeys
def add_key
$logger.info "Adding key #{@key_id} => #{@key.inspect}"
cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell
#{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
#{@key}"
- - cmd = "echo \'#{cmd}\' >> #{auth_file}"
- - system(cmd)
+ open(auth_file, 'a') { |file| file.puts(cmd) }
end
def rm_key
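Review bot: The added `open(auth_file, 'a') { |file| file.puts(cmd) }` line still appends `#{@key}` without any check in `add_key`; authorized_keys is line-oriented, so a key value containing a newline would be written as a separate entry that lacks the `command=` restriction. Validate that `@key` is a single line of public-key text before the write, anchoring the pattern with `\A` and `\z` rather than `^` and `$`. I would also use `File.open` instead of bare `open` here, since `Kernel#open` starts a subprocess when the path begins with `|`, and `File.open` removes that dependency on how `auth_file` is configured.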
### Credits
Thanks to Nigel Kukard of http://www.allworldit.com/ for reporting the
vulnerability to us.